More than one in four AI agent skills contain at least one security vulnerability. That finding comes from Cisco's security research team, which audited 31,000 skills across AI agent platforms and published a detailed breakdown using the open-source personal assistant OpenClaw as a case study.
The results should give anyone running AI agents on their machine a serious pause.
What OpenClaw Does (and Why It's Risky)
OpenClaw is a self-hosted AI assistant that can execute shell commands, read and write files, manage your calendar and email, send messages through WhatsApp and iMessage, and run scripts on your machine. It uses a community-driven "skills" registry that lets anyone publish add-on capabilities, similar to browser extensions or app stores.
That skills registry is where the problems start. Skills are essentially untrusted code packages that users install and grant broad system access to. Unlike app stores with review processes, the OpenClaw skills registry has no mandatory security vetting.
A Fake Skill Climbed to #1
To demonstrate the risk, Cisco's researchers created a deliberately malicious skill called "What Would Elon Do?" and submitted it to the registry. Despite containing multiple attack payloads, it climbed to the top-ranked position. The skill included silent data exfiltration using curl commands that sent user data to external servers, direct prompt injection that bypassed safety guidelines, command injection through embedded bash commands, and tool poisoning with malicious payloads hidden in the skill's code.
None of this was caught before users could install it.
The Bigger Problem: Agents Trust Too Much
The OpenClaw case highlights a structural issue across the AI agent space, not just one project. When you give an AI agent the ability to run commands on your computer, you're trusting every component in its chain. That includes third-party skills, the messaging integrations that could deliver prompt injection attacks, and the credential storage that in OpenClaw's case has leaked plaintext API keys.
Cisco's core observation is blunt: "Security for OpenClaw is an option, but it is not built in." The same critique applies to most personal AI agent frameworks shipping today. The rush to give agents more capabilities has outpaced basic security engineering.
Cisco released an open-source Skill Scanner tool that combines static analysis, behavioral analysis, LLM-assisted semantic scanning, and VirusTotal integration to flag dangerous skills before installation. It is a useful stopgap, but it puts the burden on users to scan every skill manually.
For anyone experimenting with AI agents that have system-level access, the takeaway is straightforward: treat every third-party skill like you would treat an unknown executable. Run agents in sandboxed environments when possible, avoid granting file system or shell access you do not actually need, and never store credentials in plaintext where an agent can reach them.