VirusTotal scans files. AI agents need runtime governance. Here's what's missing — and how to fix it.
canonical_url: https://tork.network/blog/virustotal-not-enough
900+ malicious skills detected in ClawHub. 135,000+ exposed OpenClaw instances across 82 countries. Microsoft, CrowdStrike, Palo Alto Networks, and Kaspersky all issued formal security advisories.
The AI agent ecosystem has a security crisis.
The response so far
OpenClaw — the largest open-source AI agent framework with 160K+ stars — partnered with VirusTotal to scan skills in ClawHub, their community registry. It's a reasonable first step. VirusTotal is excellent at what it does: scanning files against 70+ antivirus engines to detect known malware signatures.
But here's the problem: AI agent security isn't a file scanning problem.
What VirusTotal does well
Credit where it's due. VirusTotal is world-class at:
- Signature-based malware detection across 70+ engines
- Static file analysis and hash lookups
- Known threat identification with massive databases
- Community-driven threat intelligence
For traditional malware, it's one of the best tools available. But AI agents aren't traditional software.
The 6 gaps VirusTotal can't fill
- No Runtime Governance: VirusTotal scans files before execution. Once an agent is running, there's no protection. A skill that passes static scanning can still exfiltrate data at runtime — and many do.
- No PII Detection or Redaction: Your user sends their SSN through an agent. VirusTotal has no concept of PII. The data flows through completely unprotected. Runtime PII detection catches this in ~1ms.
- No Compliance Receipts: When auditors ask "prove this agent handled data correctly," VirusTotal has nothing to show. You need cryptographic compliance receipts for every interaction — a provable audit trail.
- No Prompt Injection Defense: Prompt injection is the #1 attack vector for AI agents. An attacker can override an agent's safety instructions through crafted input. Static file scanning can't detect runtime prompt manipulation.
- No Novel Attack Detection: Signature databases only catch known threats. The AI agent ecosystem sees new attack patterns daily. Novel attacks slip through until signatures are updated — which can take weeks.
- No Governance Attestation: There's no way to prove an agent is governed. No badge, no certificate, no verifiable claim. Without attestation, users and enterprises have no trust signal.

The Self-Trust Paradox
Here's the deeper issue: AI agents cannot govern themselves for the same reason you can't audit your own books. The entity checking for threats can be compromised by those same threats.
Prompt injection targets the checking mechanism itself. An agent checking its own context for injection can be fooled by that same injection.
SSL certificates work because Certificate Authorities are independent. AI governance needs the same model — independent third parties that verify and attest.
I wrote a full exploration of this: The Self-Trust Paradox: Why AI Agents Can't Govern Themselves
What independent governance looks like
We built Tork Network to fill these gaps:
- Runtime PII detection at ~1ms — doesn't slow your agent
- Cryptographic compliance receipts — provable audit trail for every interaction
- Trust badges — verifiable governance attestation, like the SSL padlock
- TORKING-X scoring — quantified governance quality (like credit scores for AI agents)
- 19 risk pattern detection via tork-scan — catches what signatures miss
It works across ALL agent frameworks, not just OpenClaw. We have integration guides for 6 platforms.
We scanned 500 ClawHub skills
We didn't just build the theory — we tested it. We ran tork-scan on 500 ClawHub skills:
- 200 (40%) scored SAFE
- 150 (30%) scored CAUTION
- 100 (20%) scored RISKY
- 50 (10%) scored DANGEROUS
The dangerous ones included reverse shells, credential harvesting, C2 domain connections, and typosquats with innocent names hiding malicious code.
Full results and leaderboard →
Try it yourself
```bash
# Scan any skill directory — free, no account needed
npx tork-scan ./my-skill
```
→ Get started free
→ Full writeup: We Scanned 500 ClawHub Skills
→ Integration guides for 6 frameworks
VirusTotal is great at what it does. It just wasn't built for this. AI agents need independent, runtime governance — and now they have it.