Remember 2008? The iPhone had just launched its App Store, and suddenly anyone could publish software to millions of devices. It was chaos. Flashlight apps that secretly harvested contacts. Fart soundboards with hidden crypto miners. “Free” games that charged $999 for in-app purchases targeting kids. Apple’s response was brutal curation. Developers hated it. Users complained about wait times. But it worked. The App Store became the gold standard for trusted software distribution.

I’ve been down a rabbit hole on this lately because my team is evaluating whether to let OpenClaw into our workflow, and the more I dig the more I keep seeing parallels. The growth is insane: 160,000+ GitHub stars, 700+ community skills, a 60,000-person Discord. This thing went from interesting experiment to mainstream tool faster than anything I’ve seen in AI.

But here’s what’s been nagging at me: we’re speedrunning the same mistakes mobile apps made, except the stakes are exponentially higher. When a malicious iPhone app in 2009 stole your photos, that sucked. A malicious OpenClaw skill though? It has access to your files, your browser, your Slack, your WhatsApp, and can act autonomously while you sleep. That’s a different category of problem entirely. It’s like whack-a-mole, but the mole has root access to your life.

Security researchers at Gen published something (I think it was last month, might be misremembering) showing nearly 15% of community-built skills contain malicious instructions. Not bugs. Actual malicious prompts designed to steal data. One example that stuck with me: a “Spotify music management” skill with hidden instructions to search for tax documents and extract social security numbers. And when these get flagged and removed from ClawHub, they just reappear under new names almost immediately. The OpenClaw FAQ literally calls this a “Faustian bargain.” Their own documentation admits there’s no “perfectly safe” setup. Which, okay, I actually respect the honesty? But it also kind of terrifies me.

What made the App Store eventually work: centralized review before distribution, continuous monitoring, easy removal when bad actors slip through, reputation systems rewarding trustworthy developers. None of this infrastructure exists for AI agents right now. ClawHub is basically SourceForge circa 2003.

I’ve seen a few attempts at solving this. Some academic work on agent sandboxing. Various scanning tools people have built, things like Agent Trust Hub and other projects trying to vet skills before installation. Proposals for community reputation systems. Nothing has really gained traction yet though, and I’m not convinced any of them can actually scale. The mobile app problem took years and a trillion-dollar company enforcing rules to solve. Who plays that role here?

Actually, wait. Maybe that’s the wrong framing entirely. The whole point of OpenClaw is that it’s decentralized and community-driven. IBM researchers literally praised it for proving autonomous agents don’t need to be controlled by big enterprises. So maybe trying to recreate Apple’s walled garden is fundamentally incompatible with what makes this ecosystem valuable in the first place.

I genuinely don’t know the answer. Part of me thinks curation is inevitable because 18,000+ exposed instances is just not sustainable. But another part thinks the open source community will reject any centralized gatekeeping.

For those actually running OpenClaw in production: how are you handling skill vetting right now? Reviewing code manually? Using automated scanning? Or just YOLO-installing stuff and hoping for the best?
Originally posted by u/Few-Needleworker4391 on r/ArtificialInteligence
