AI agents now operate outside the constrained environments and narrow automation tasks they were once limited to, with greater access to file systems, connected services, credentials, and APIs, and with less human supervision. As agents gain more authority in real-world use, the security framework around these expanded capabilities is becoming a critical concern.
OpenClaw’s introduction of VirusTotal scanning on all skills submitted to the ClawHub marketplace, including Code Insight analysis, reflects a recognition that agent skills are a supply chain risk as well as an extension of existing capabilities.
Why Agent Skills Are an Attack Waiting to Happen
AI agents are completely different beasts compared to traditional software. They don't follow set paths for execution, instead interpreting natural language, grabbing the tools they need on the fly, and then chaining actions to suit the situation. That makes their behavior way harder to pin down and way harder to secure than you'd think.
Skills just add to that risk. A single skill might be able to access local storage, environment variables, or even a user's login credentials. And if there's some sneaky logic built into the skill, or some dodgy dependencies, it can exfiltrate sensitive data, escalate permissions, or even spread additional malware.
Security researchers have already found cases where skills seemed totally harmless on the surface but were behaving in weird ways, not what you'd expect from the description. It's the same story we see with packages in npm or PyPI, except with agents, the potential fallout is even worse because of how big the scope is likely to be.
Here's how the VirusTotal pipeline works
With OpenClaw's new workflow, any skill uploaded to the server gets bundled up with some metadata and hashed with SHA-256. That hash is then checked against VirusTotal's existing database. If there is no verdict for that hash, the whole package is scanned.
VirusTotal’s Code Insight looks at what the code is doing rather than just looking for specific signatures and checks for things like dodgy system calls, suspicious network activity, compromised dependencies, or embedded binaries. Based on the results:
Benign skills get a thumbs up without any issues.
Skills that look a bit dodgy will still be visible but come with a warning label.
Skills that straight out look like malware get blocked from download.
And just to be clear, active skills get scanned over & over again because it's possible for threats to pop up long after they were first published. Scan results will show up right on the skill's page for full transparency.
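The hash-first flow described above, sketched in Python as an added example; this is not OpenClaw's or VirusTotal's code. The bundle encoding, the verdict labels, the `lookup`/`scan` callables and the toy scanner are all assumptions made for illustration, and the sample skill is constructed.

```python
import hashlib
import json

# The three outcomes the article lists; the verdict labels are assumed names.
ACTIONS = {"benign": "approve", "suspicious": "warn", "malicious": "block"}

def bundle_hash(files, metadata):
    """SHA-256 over a deterministic encoding of metadata plus file contents."""
    h = hashlib.sha256()
    meta = json.dumps(metadata, sort_keys=True, separators=(",", ":")).encode()
    h.update(len(meta).to_bytes(8, "big") + meta)
    for path in sorted(files):  # sorted so upload order cannot change the hash
        name, data = path.encode(), files[path]
        # Length prefixes stop ("a", b"bc") and ("ab", b"c") hashing alike.
        h.update(len(name).to_bytes(8, "big") + name)
        h.update(len(data).to_bytes(8, "big") + data)
    return h.hexdigest()

def triage(files, metadata, lookup, scan, force_rescan=False):
    """Return (sha256, verdict, action); lookup and scan are injected callables."""
    digest = bundle_hash(files, metadata)
    # force_rescan models the periodic re-scan of already published skills.
    verdict = None if force_rescan else lookup(digest)
    if verdict is None:
        verdict = scan(files, metadata)  # no known verdict: scan the whole package
    # Assumption: fail closed, so an unrecognised verdict is never auto-approved.
    return digest, verdict, ACTIONS.get(verdict, "block")

def toy_scan(files, metadata):
    """Constructed stand-in for a behavioural scan; not VirusTotal's logic."""
    blob = b"".join(files.values())
    reads_env, calls_out = b"os.environ" in blob, b"urlopen" in blob
    return "suspicious" if reads_env and calls_out else "benign"

if __name__ == "__main__":
    cache = {}  # constructed verdict store keyed by bundle hash
    skill = {"skill.py": b"import os\nprint(os.environ.get('HOME'))\n"}
    meta = {"name": "demo-skill", "version": "1.0.0"}  # constructed metadata
    digest, verdict, action = triage(skill, meta, cache.get, toy_scan)
    cache[digest] = verdict
    print(digest[:16], verdict, action)
```

Because the lookup is keyed on the bundle hash, any change to a file or to the metadata produces a new hash and forces a fresh scan instead of inheriting an old verdict.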
What this actually does and what it doesn't do
The integration does help reduce your exposure to known malware & the most obvious attack vector patterns. But it still doesn't cover the logic-level threats like prompt injection, instruction hijacking, or just the problems that come from how agents figure things out rather than how the code itself is written.
OpenClaw is framing the scanning as a risk-reduction layer, not some magic bullet. And from a security point of view, that's actually a really important distinction. It shows they're adopting a defense-in-depth approach, rather than assuming the marketplace looks after itself from the get-go.
A broader security reset
The VirusTotal rollout is part of a larger security push. OpenClaw says it will soon publish a formal threat model, a public security roadmap, and details from a full codebase audit. Jamieson O’Reilly, founder of Dvuln and a CREST Advisory Council member, has joined as lead security advisor.
For developers, scanning is automatic, with an appeal process for false positives. For users, it adds one more decision signal, but not a guarantee. AI agents with real-world permissions need real-world security controls. OpenClaw’s move suggests the agent ecosystem is finally starting to catch up with its own risk profile.