Researchers at CertiK have raised concerns about the security of emerging AI agent ecosystems, arguing that current marketplace review systems are not sufficient to prevent malicious behavior.
In a recent study, the team demonstrated how a compromised third-party “Skill” on the OpenClaw platform could bypass existing safeguards and execute arbitrary commands on a host system. The findings highlight structural weaknesses in how AI agent marketplaces vet and deploy external code.
The research focused on the review process used by Clawhub, which includes static code analysis, checks via VirusTotal, and AI-based moderation tools.
According to CertiK, these mechanisms can be bypassed through relatively minor code modifications. By slightly altering logic or restructuring vulnerabilities, a malicious Skill can appear benign during installation while retaining the ability to execute harmful actions once deployed.
This creates a false sense of security for users, as approval by marketplace review systems does not guarantee that a Skill is safe.
Proof-of-concept exposes broader industry risk
The proof-of-concept attack underscores a wider issue affecting AI agent ecosystems: security models that rely heavily on pre-deployment review rather than runtime protection.
Without safeguards such as sandboxing, strict permission controls, and runtime isolation, platforms are effectively placing too much responsibility on detection systems that were not designed to handle complex, evolving threats.
The findings suggest that as AI agent marketplaces expand, the risk of malicious or compromised Skills entering production environments will increase.
CertiK researchers argue that the industry must rethink its approach to securing AI agents by prioritizing runtime containment over detection.
Instead of assuming that all malicious code can be identified before deployment, platforms should be designed with the expectation that some threats will inevitably bypass review processes. In this model, the focus shifts from preventing every breach to minimizing the potential damage caused by one.
This represents a broader transition from a “perfect detection” mindset to one centered on damage containment and system resilience.
Key recommendations for developers
To address these risks, CertiK outlines several measures for developers building AI agent platforms.
Sandboxing should become the default execution model for third-party Skills, ensuring that external code runs in isolated environments rather than directly interacting with host systems.
In addition, platforms should implement granular, per-Skill permission frameworks. Each Skill should explicitly declare the resources it needs, with the runtime enforcing those permissions during execution. This approach limits the potential impact of compromised or malicious components.
The researchers also emphasize that third-party Skills should not inherit broad, implicit trust from the host system, as this significantly increases the risk of exploitation.
Implications for users and platforms
For users, the report highlights an important limitation: a “benign” label within a marketplace does not equate to true security. It simply indicates that the existing review pipeline did not detect a threat.
Until stronger runtime protections are widely adopted, platforms like OpenClaw may be better suited for lower-risk environments that do not involve sensitive data, credentials, or high-value assets.
More broadly, the research points to a structural issue across AI ecosystems. While review processes can help identify obvious threats, they cannot serve as the primary defense mechanism for systems that execute third-party code with elevated privileges.
CertiK concludes that meaningful security improvements will require a shift in how AI agent platforms are designed.
Rather than relying on increasingly complex detection systems, developers must build environments that assume failure is possible and ensure that any breach is contained. This includes adopting stronger isolation techniques, enforcing strict permissions, and treating runtime security as the core protective layer.
As AI-driven applications continue to grow in complexity and adoption, the ability to contain risks at runtime may become the defining factor in securing next-generation digital ecosystems.
Dan Burgin
Vladislav Sopov
