- A recent analysis of the open-source AI agent platform OpenClaw demonstrates the limits of detection-based security models.
- When a Skill is flagged as suspicious, the installation process may display warnings that require users to explicitly confirm the risk before proceeding.
Artificial intelligence agents are rapidly evolving from simple assistants into powerful software systems capable of executing tasks, interacting with services, and even controlling parts of a user’s environment. Platforms designed to host these agents are becoming more sophisticated, but with that growth comes a new category of security challenges. One emerging example highlights why relying on scanning and review alone cannot guarantee safety in an ecosystem where third-party code runs with significant privileges.
A recent analysis of the open-source AI agent platform OpenClaw demonstrates the limits of detection-based security models. The study focuses on the platform’s “Skills” system, which functions much like applications on a mobile operating system. While OpenClaw itself provides the runtime environment, Skills extend the agent’s capabilities by enabling tasks such as web searches, system automation, blockchain interaction, or data retrieval. In practice, these Skills may gain access to files, network connections, and system tools depending on how the platform is configured.
That level of capability introduces a familiar risk. Even if the core platform is trustworthy, third-party extensions cannot automatically be assumed safe. As a result, the ecosystem has turned to a common defensive approach: scanning and moderation.
The Marketplace Model and Its Security Tradeoff
As OpenClaw gained traction, the ecosystem developed a marketplace layer known as Clawhub. Developers can publish Skills, and users can install them to enhance their agents. This model resembles app stores used by mobile operating systems, but it also introduces the same security dilemma. Distributing third-party code that runs inside a privileged environment requires oversight.
Clawhub currently uses a layered moderation system that combines several methods. Submissions are scanned through VirusTotal, evaluated by internal moderation systems, and increasingly analyzed through automated static code checks. Based on the results, Skills may be categorized as benign, suspicious, or malicious.
When a Skill is flagged as suspicious, the installation process may display warnings that require users to explicitly confirm the risk before proceeding. If both scanning systems detect malicious behavior, the Skill may be blocked entirely from public installation.
At first glance, this structure seems robust. However, the underlying assumption is that scanning and warnings can reliably detect malicious or unsafe code before it reaches users. In practice, that assumption proves fragile.
Detection Is Not the Same as Isolation
Security experts have long recognized that scanning tools alone cannot form a true security boundary. Antivirus engines, intrusion detection systems, and web application firewalls all rely on recognizable patterns. When attackers modify syntax or slightly change the structure of their code, these systems often fail to detect the threat.
AI agent platforms face an even more complicated challenge. Skills are not just code files. They combine program logic, configuration manifests, natural language instructions, tool integrations, and runtime behavior. This complexity creates a massive space where harmful logic can hide while still appearing legitimate.
Clawhub’s static moderation engine demonstrates this limitation. The system scans for certain patterns associated with risky behavior, such as calls to process-spawning APIs, dynamic code evaluation, secret access through environment variables, or suspicious network requests. These heuristics are useful for catching obvious malicious samples.
But they are not difficult to bypass. Minor rewrites can preserve the same functionality while avoiding pattern-based detection. A piece of code that reads environment variables and sends them over the network, for example, can be rewritten in slightly different syntax that performs the same action without triggering a rule. The underlying logic remains dangerous, but the scanner no longer recognizes it.
This illustrates a core principle of security: detection systems help identify threats, but they cannot be relied upon as the primary defense.
AI Moderation Adds Intelligence but Not Certainty
Clawhub also uses AI-based moderation to analyze Skills more holistically. Unlike static scanning, this layer attempts to evaluate descriptions, instructions, and code together. It can identify inconsistencies between what a Skill claims to do and what its code appears to perform.
In many cases, this approach is effective at catching suspicious intent. A Skill that claims to perform harmless tasks but requests extensive system privileges may raise red flags. AI review can also identify signs of misdirection or hidden functionality.
However, even advanced models have limits. They are typically better at identifying obvious malicious intent than at detecting subtle vulnerabilities embedded inside otherwise plausible code. A Skill might appear perfectly legitimate while containing a small logic flaw that attackers could exploit.
This is particularly true in environments where the model lacks a precise security specification. Without a clear set of rules defining safe versus unsafe behavior, AI review often becomes a coherence check rather than a deep vulnerability audit.
A Proof of Concept Demonstrates the Gap
To explore these weaknesses, researchers developed a proof-of-concept Skill called “test-web-searcher.” The goal was not to build something obviously malicious but rather to create a plausible extension that contained a hidden vulnerability.
The Skill performed a typical web search function using an external API. However, a small implementation detail allowed remote data to influence which module the program imported at runtime. By crafting a response that pointed to a malicious script rather than a local file, the system could execute arbitrary code.
This vulnerability was subtle. The code included what appeared to be a standard normalization step using JavaScript’s URL constructor, which often gives developers the impression that inputs are safely constrained. In reality, the function does not restrict absolute URLs, meaning attacker-controlled values could bypass the intended boundary.
When the Skill was tested in the Clawhub environment, it passed through the review pipeline with minimal resistance. Because VirusTotal results were still pending at the time of installation, the system treated the Skill as effectively benign. Once installed, triggering the function allowed arbitrary commands to run on the host machine.
In the demonstration environment, this resulted in launching the system calculator as proof of command execution. While harmless in the test setup, the same vulnerability could be used to compromise sensitive systems in a real deployment.
Why Review-Based Security Struggles
The experiment highlights a structural issue rather than a single bug. Review pipelines are designed to detect patterns and signals that suggest malicious intent. But attackers can design code that looks ordinary while embedding exploitable logic.
Static scanners miss cleverly rewritten patterns. AI moderation may fail to identify subtle vulnerabilities. And when runtime protections are optional or inconsistently configured, dangerous Skills can still reach the host system.
The result is a security model that places too much weight on detection. Detection helps reduce noise and catch unsophisticated threats, but it cannot guarantee safety in a complex ecosystem.
The Case for Stronger Runtime Isolation
Security experts generally agree that the most reliable defense is containment. Instead of assuming that every extension will be perfectly reviewed, platforms should assume that some malicious or vulnerable code will slip through.
For AI agent platforms, this means strengthening the runtime environment itself. Sandboxing should become the default configuration rather than an optional feature. Third-party Skills should run in isolated environments that prevent direct access to host resources unless explicitly permitted.
In addition, platforms should adopt fine-grained permission systems similar to those used by mobile operating systems. Each Skill would declare the resources it needs, such as network access, file operations, or system commands, and the runtime would enforce those permissions during execution.
This approach shifts the security model away from perfect detection and toward damage containment.
A New Security Mindset for AI Agents
As AI agents grow more powerful, their ecosystems will increasingly resemble operating systems. With that evolution comes the need for stronger security architecture.
Scanning tools, AI moderation, and warning prompts all play useful roles. They help identify suspicious activity and reduce obvious abuse. But they cannot serve as the primary line of defense when third-party code runs inside privileged environments.
The future of secure AI platforms will depend on designing systems that assume mistakes and adversaries exist. Instead of trying to catch every dangerous extension before it installs, the goal should be ensuring that when something slips through, it cannot compromise the entire system. In other words, the real shift is not better detection but stronger containment.