Definition

Excessive agency

OWASP's term (LLM06:2025) for the condition where an AI agent is granted more capabilities, permissions, or autonomy than its task requires. Excessive agency amplifies the blast radius of any mistake or attack — a skill that can delete files, send emails, and execute shell commands does far more damage when compromised than one with read-only access. OWASP's mitigation guidance focuses on minimizing extensions, reducing functionality, and enforcing user approval for high-impact actions.

How TrustSkills detects this

TrustSkills scans OpenClaw and ClawHub skills for excessive agency patterns before you install them. The scanner returns plain-English findings — no CVE IDs, no security jargon — with a risk level and a clear explanation of what was found.
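To make both points above concrete, the following is an added Python example (not TrustSkills' scanner, nor OWASP's own code): it scores a skill's requested capabilities against what its declared purpose needs, produces a plain-English finding with a risk level, and then shows a runtime gate that grants only the needed capabilities and requires a human approval callback before any destructive action, which is the "minimize extensions, reduce functionality, enforce user approval" guidance in code. The capability names, impact tiers, purpose-to-capability map, and the sample skill are all constructed for the demo and are assumptions, not any real skill format.

```python
"""Constructed example: flagging and containing excessive agency in an agent skill.
Capability names, impact tiers, the purpose map and the sample skill below are
invented for this demo (assumptions), not TrustSkills' or OWASP's own code."""
from dataclasses import dataclass
from enum import IntEnum


class Impact(IntEnum):
    READ = 1          # observe only
    WRITE = 2         # changes state, usually reversible
    DESTRUCTIVE = 3   # irreversible or externally visible ("high-impact")


# Constructed capability catalogue: what each permission lets a skill do.
CAPABILITY_IMPACT = {
    "fs.read": Impact.READ,
    "http.get": Impact.READ,
    "fs.write": Impact.WRITE,
    "fs.delete": Impact.DESTRUCTIVE,
    "email.send": Impact.DESTRUCTIVE,
    "shell.exec": Impact.DESTRUCTIVE,
}

# Constructed baseline: the capabilities each declared purpose actually needs.
NEEDED_FOR_PURPOSE = {
    "summarize-notes": {"fs.read"},
    "fetch-weather": {"http.get"},
}

RISK_LABEL = {Impact.READ: "low", Impact.WRITE: "medium", Impact.DESTRUCTIVE: "high"}


@dataclass(frozen=True)
class Skill:
    name: str
    purpose: str
    requested: frozenset


def find_excess(skill):
    """Capabilities the skill asks for beyond what its declared purpose needs."""
    needed = NEEDED_FOR_PURPOSE.get(skill.purpose, set())
    return sorted(skill.requested - needed)


def risk_level(excess):
    """Risk follows the most impactful unneeded capability; an unknown name is
    treated as destructive because its effects cannot be bounded."""
    if not excess:
        return "low"
    worst = max(CAPABILITY_IMPACT.get(cap, Impact.DESTRUCTIVE) for cap in excess)
    return RISK_LABEL[worst]


def finding(skill):
    """Plain-English pre-install scan result for one skill."""
    excess = find_excess(skill)
    level = risk_level(excess)
    if excess:
        text = (f"'{skill.name}' is described as '{skill.purpose}' but also asks for "
                f"{', '.join(excess)}. Those permissions are not needed for that job "
                f"and would let a compromised skill cause {level}-impact damage.")
    else:
        text = f"'{skill.name}' requests only what '{skill.purpose}' needs."
    return {"skill": skill.name, "risk": level, "excess": excess, "explanation": text}


class ToolGate:
    """Runtime containment: a skill may invoke only granted capabilities, and
    destructive ones additionally need the approval callback to return True."""

    def __init__(self, granted, approve):
        self.granted = frozenset(granted)
        self.approve = approve   # approve(capability, args) -> bool, e.g. a user prompt
        self.audit = []          # (decision, capability) records for later review

    def call(self, capability, fn, *args):
        if capability not in self.granted:
            self.audit.append(("denied", capability))
            raise PermissionError(f"{capability} was not granted to this skill")
        impact = CAPABILITY_IMPACT.get(capability, Impact.DESTRUCTIVE)
        if impact is Impact.DESTRUCTIVE and not self.approve(capability, args):
            self.audit.append(("rejected", capability))
            raise PermissionError(f"user declined {capability}")
        self.audit.append(("allowed", capability))
        return fn(*args)


# Constructed sample skill: claims to summarize notes but asks for far more.
OVERREACHING = Skill("note-helper", "summarize-notes",
                     frozenset({"fs.read", "fs.delete", "shell.exec"}))


def demo():
    """Scan the sample skill, then install it with only the needed grants and
    show which of its requested calls the gate blocks at runtime."""
    result = finding(OVERREACHING)
    gate = ToolGate(NEEDED_FOR_PURPOSE[OVERREACHING.purpose], approve=lambda cap, a: False)
    outcomes = {}
    for cap in sorted(OVERREACHING.requested):
        try:
            gate.call(cap, lambda *a: "ok")
            outcomes[cap] = "allowed"
        except PermissionError:
            outcomes[cap] = "blocked"
    result["runtime"] = outcomes
    return result


if __name__ == "__main__":
    import json
    print(json.dumps(demo(), indent=2))
```

The two halves are deliberately separate: the scan runs before installation and only reports, while the gate is what actually shrinks the blast radius once the skill is running, so a skill that passes the scan is still unable to reach anything it was not granted.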

Deep dive

Best practices

8 best practices before you install an AI agent skill

Installing an AI skill is not like installing a harmless theme. You are often extending a control plane that can read data, reach services, and trigger real actions on your behalf.