How to Know If a New Software or AI Tool is Safe
Security & AI Tools

The Ultimate Checklist: How to Know If a New Software or AI Tool is Safe

A no-fluff guide to protecting your device, data, and peace of mind before you click Install.

📅 Updated June 2026 ⏱ 12 min read ✅ Beginner-friendly

New software tools launch every day. AI tools even more so. And most of them look polished, professional, and totally trustworthy — right up until they’re not. I’ve seen people lose data, get their accounts hijacked, or unknowingly feed their business files into AI training pipelines, all because they skipped a few basic checks.

This guide gives you a concrete, repeatable process for vetting any software or AI tool before you touch it. No technical background required. The checks take five to fifteen minutes, and they’ve saved me from installing some genuinely sketchy stuff.

5.5B
Malware attacks recorded globally in 2023 (AV-TEST)
71%
of malware arrives via email or download links (Verizon DBIR)
$9.5T
Projected global cybercrime cost by end of 2024 (Cybersecurity Ventures)
FIND Tool CHECK Developer SCAN For Malware VERIFY Updates INSTALL Safely ✓

Your 4-step safety journey before installing any new software or AI tool.


How to Know If a Software is Safe

Person checking software safety on laptop

Taking 10 minutes to vet a tool beats spending hours cleaning up a compromised machine.

The first question isn’t “does it look legit?” Scam software looks legitimate on purpose. The real check is about verifiable signals — things you can confirm independently, not things the software tells you about itself.

1. Check the Developer’s Track Record

Start with who built it. Search the company name alongside words like “scam,” “data breach,” or “reviews.” If it’s a one-person project, check if that person has a verifiable public presence — GitHub commits, LinkedIn, published documentation. Completely anonymous developers on tools that want access to your files are a hard pass.

For AI tools specifically, check whether the developer discloses how your data is used. Some tools explicitly state they train their models on user inputs. Others don’t disclose this at all. That silence is itself a signal worth noting.

2. Read the Privacy Policy — Yes, Really

You don’t need to read the whole thing. Search for these specific words: “train,” “third party,” “sell,” “retain,” and “delete.” AI tools that use your data for model training will usually bury this in a clause like “we may use your inputs to improve our services.” That phrase means your content could end up in their training pipeline. If that’s a problem for what you’re doing with the tool, you now know.

⚠️ What to watch for in AI privacy policies

  • “We may use your inputs to improve our models” = your data trains the AI.
  • “Data retained for 30 days” with no opt-out = you can’t delete it early.
  • No mention of data deletion at all = red flag worth following up on.
  • No privacy policy published at all = walk away.

3. Look for HTTPS and a Real Website

Any legitimate software company has a proper website with HTTPS encryption (look for the padlock icon in your browser). The download should come from the official domain — not a third-party mirror or file-sharing site. If the “official” download redirects you through three other domains, that’s a problem. Check the URL bar carefully after each redirect.

4. Look Up Independent Reviews

G2, Trustpilot, Product Hunt, and Reddit are your friends here. Don’t trust reviews on the software’s own website — those are curated. Look for critical reviews, support complaints, and any mentions of unexpected behaviour. A tool with zero independent reviews of any kind either launched yesterday or has something to hide.

Signal Safe ✅ Risky ❌
Developer identity Named company with history, public contacts Anonymous, no public presence
Privacy policy Clear, specific, includes opt-outs for data training Missing, vague, or buries training clauses
Website domain Stable HTTPS site, download from official domain Redirects, mirror sites, HTTP only
Independent reviews Verified reviews on G2, Trustpilot, Reddit Only homepage testimonials, no third-party coverage
Permission requests Requests only what the tool needs Asks for camera, contacts, microphone for a text tool
Refund / support policy Documented support channels and refund terms No support page, no way to contact anyone

✅ When You Do the Check

  • You catch bad actors before they have access to your files
  • You know exactly how your data will be used
  • Fewer nasty surprises with billing or data retention
  • Builds a habit that protects you with every tool you try

❌ When You Skip It

  • Your files may end up in someone’s training dataset
  • Malware can persist even after uninstalling the tool
  • Account credentials can be harvested in the background
  • Data deletion becomes impossible once it’s gone

Unsure About a Tool You’re Using Right Now?

We review and vet AI tools so you don’t have to guess. Check out our safety deep-dives below.


How to Know If a Software Has a Virus

Antivirus scan running on computer

Running a file through VirusTotal before installing takes under two minutes and costs nothing.

Most malware doesn’t announce itself. It installs quietly alongside a legitimate-looking app — often called a “bundled installer” — and starts doing its thing in the background. The good news is that checking for this is genuinely easy if you know the right tools.

Step 1: Run the Installer Through VirusTotal First

Before you double-click that .exe or .dmg file, go to virustotal.com and upload it. VirusTotal runs the file through 70+ antivirus engines simultaneously and shows you the results in about 30 seconds. If more than 2 or 3 engines flag it, take that seriously. If 15 engines flag it, delete the file immediately.

You can also paste the download URL directly into VirusTotal without even downloading the file first — that’s the safest approach for anything you’re unsure about.

1

Download but don’t run the installer yet

Save the file to your Downloads folder. Do not double-click it. Keep your browser open.

2

Go to virustotal.com and upload the file

Click “Choose File,” select your installer, and hit upload. Files up to 650MB are supported for free.

3

Read the results — don’t just look at the number

A “0/71” result means clean. “2/71” may be a false positive from overly aggressive engines. “12/71” means stop, do more research before proceeding.

4

Check the “Behavior” and “Details” tabs too

Even a clean scan can show unusual network connections or registry modifications in these tabs. Those are worth understanding before you install.

Step 2: Use Windows Sandbox or macOS Gatekeeper

Windows 10/11 Pro includes Windows Sandbox — a disposable virtual machine that resets completely every time you close it. Install the suspicious software there first and watch what it does. Does it try to access the internet the moment it opens? Does it attempt to write files outside its own directory? These are signs of bad behavior.

Mac users get Gatekeeper built in. It won’t let you run apps from unidentified developers without explicitly bypassing it. That friction exists for a reason. If you’re being pushed to bypass Gatekeeper for an app you found on a random website, treat that as a serious warning sign.

Where Malware Actually Comes From

Phishing emails / links
83%
Bundled freeware
64%
Cracked / pirated software
77%
Malicious browser extensions
52%
Official-looking fake installers
48%
Legitimate compromised tools
19%

Source: Verizon Data Breach Investigations Report & AV-TEST Institute 2023/2024 data. Percentages reflect share of reported infection vectors.

Red Flags During Installation

  • The installer tries to disable your antivirus before proceeding.
  • It requests administrator / root permissions for a simple productivity app.
  • Pre-checked boxes offering to install “partner software” you didn’t ask for.
  • The app immediately asks for your email and password on first launch, for no obvious reason.
  • Your antivirus pops a warning that you have to dismiss to continue.

🚨 Special Warning for AI Tools

A growing number of fake “AI tools” are circulating on social media and in ad campaigns. They look like legitimate ChatGPT alternatives or video generators. Several documented cases in 2024 showed these tools installing info-stealers that harvested browser passwords and crypto wallet data. If an AI tool is being promoted heavily on TikTok or Instagram with no verifiable company behind it, run the VirusTotal check before anything else.

Want to Know If a Specific AI Tool is Safe?

We publish detailed safety breakdowns for the AI tools people are actually using. No guesswork.


How to Know If a Software Update is Legitimate

Software update notification on screen

Fake update popups have gotten disturbingly good at impersonating real ones. Here’s how to tell them apart.

Fake software update pop-ups are one of the oldest tricks in the book, but they’ve had a serious renaissance lately — especially around AI tools. Open-source AI projects with active communities are particularly targeted because users expect frequent updates. A well-timed fake “model update” notification can feel completely routine.

Real Updates vs. Fake Updates: Key Differences

Characteristic Legitimate Update ✅ Fake Update ❌
Where it appears Inside the app itself, or via system update manager Browser pop-up, overlay on a website, email link
URL / source Downloads from the official domain (e.g. company.com/releases) Redirects to cdn-update-server[.]xyz or similar
Version number Matches the changelog on the official website or GitHub No matching entry in any public changelog
Urgency language “A new version is available.” “CRITICAL: Update now to avoid data loss!”
What it asks for Just downloads and runs the update Asks for your password, payment info, or to disable antivirus
Code signing Installer has valid digital signature from the developer Unsigned, or signed by an unrelated/unknown entity

The Open-Source AI Tool Problem

If you use tools like Ollama, LM Studio, or self-hosted AI systems, you’re probably used to updates coming through GitHub or the project’s own website. Bad actors have started creating lookalike pages that appear at the top of search results for terms like “download Ollama update 2025.” The page looks identical to the real one. The difference is usually in the domain — an extra hyphen, a different TLD, or a subdomain that wasn’t there before.

The safest habit: bookmark the official download page the first time you install, and always go directly to that bookmark for updates. Never search for an update in Google and click the first result.

How to Verify a Code Signature

On Windows, right-click any installer file, choose Properties, and look for a “Digital Signatures” tab. You should see the developer’s name as the signer, with a valid (not expired) certificate. If the tab is missing, or the signer is “Unknown” or a random LLC you’ve never heard of, don’t run it.

On macOS, open Terminal and run: codesign -dv --verbose=4 /path/to/app.dmg. Look for “Authority=Developer ID Application:” followed by the developer’s name. A mismatch or missing authority is a red flag.

💡 Quick Verification Flow

Got an update notification? Before clicking anything: (1) Go directly to the software’s official website or changelog. (2) Confirm the version number matches what’s being offered. (3) Download from the official source, not the pop-up. This three-step habit stops the vast majority of fake update attacks cold.

✅ REAL UPDATE • Appears inside the app • Downloads from official domain • Version listed in public changelog • Valid code signature from developer • No urgency / scare language • Never asks to disable antivirus ❌ FAKE UPDATE • Browser pop-up or email link • Redirects to suspicious domain • No matching changelog entry • Unsigned or mismatched certificate • “URGENT!” / fear-based language • Asks for password or payment

Side-by-side signals of a real vs. fake software update notification.


How to Know If a Software is Cloud Based

Cloud computing concept with data flowing to servers

Whether your data stays on your machine or travels to a remote server changes your security posture significantly.

This one matters more than most people realize. When software processes data on your machine, that data never leaves. When it’s cloud-based, your files and inputs travel to a server somewhere, get processed, and the result comes back to you. That’s not inherently bad — but it means your data now lives somewhere outside your control, even briefly.

For AI tools, the question of local vs. cloud processing is especially important. A cloud-based AI writing assistant sends every sentence you type to a remote server. A locally-run model like LM Studio processes everything on your own GPU and nothing leaves your device.

How to Tell if a Tool Processes Data Locally or in the Cloud

☁️ Cloud-Based Processing

  • Requires an internet connection to function
  • Usually has a web interface (browser-based app)
  • Creates an account on sign-up and stores your history
  • Works identically on any device you log into
  • Often has a “usage” dashboard showing API calls
  • Privacy policy discusses “server storage” and “data centers”
  • Loses functionality or freezes when your connection drops

💻 Local Processing

  • Works offline, no internet needed after setup
  • Runs as a desktop app, not in your browser
  • Your files never appear in any cloud dashboard
  • Performance depends on your own hardware
  • Privacy policy may not exist — data never leaves device
  • No account required in many cases
  • Continues to work when internet is down

The Network Monitor Test

Not sure? Run the tool and watch your network traffic. On Windows, open Task Manager, go to the App History tab, and check network usage. On Mac, use Activity Monitor’s Network tab. If a tool spikes outbound data the moment you open a file or type something, it’s sending that data somewhere. That’s not always bad — but you should know it’s happening.

Tools like Little Snitch (Mac) or GlassWire (Windows) let you see exactly which domains an app is connecting to. For sensitive work, this is genuinely useful. You might discover that your “local” PDF tool is phoning home to analytics servers every five minutes.

What This Means for Your Computer’s Performance

Cloud-based tools offload the heavy computation to remote servers. That’s great for low-spec machines — you can run powerful AI models without needing a GPU. The tradeoff is latency (there’s a round-trip to the server) and data privacy.

Local tools use your own CPU, GPU, and RAM. They’re faster for many tasks once set up, but running a large local AI model on a machine with 8GB of RAM and no dedicated GPU will likely bring your computer to its knees. Knowing which type you’re dealing with helps you set realistic expectations.

Factor Cloud-Based ☁️ Local / On-Device 💻
Data privacy Data leaves your device Data stays on your machine
Hardware requirements Low — server does the work High for AI models (GPU helpful)
Offline use No — requires internet Yes — works without connection
Speed for large files Depends on upload speed Fast (no upload needed)
Training on your data Possible — check privacy policy Impossible by design
Updates Automatic, seamless Manual, requires re-download
Multi-device access Yes, log in from anywhere Tied to your local machine

Hybrid Tools: The Tricky Middle Ground

Many modern AI tools are hybrid — they process some things locally (like the UI and light tasks) and send heavier computation to the cloud. This is common with tools like GitHub Copilot, Grammarly, and various AI image editors. If you’re working with confidential documents, check specifically whether the heavy processing (the AI inference step) happens locally or remotely. The answer is usually in the pricing page or the FAQ, not the main marketing copy.

Comparing Cloud vs. Local AI Tools?

We cover both types across our tool reviews so you know exactly what you’re signing up for.


The Master Safety Checklist

Use this before installing anything new. Screenshot it, bookmark it, print it out — whatever works. Eleven checks, fifteen minutes, no technical expertise needed.

Your 11-Point Software Safety Checklist Run every check before you install. Fail 3 or more → don’t install. Complete all 11 checks = Safe to install

Complete all 11 checks before installing. Failing three or more is a strong signal to hold off.

  • Developer is identifiable and has a verifiable public presence
    Named company or individual, not anonymous.
  • Official website uses HTTPS and download comes from the official domain
    No redirect chains or third-party mirrors.
  • Privacy policy is published and readable
    Search it for “train,” “third party,” “sell,” and “retain.”
  • Independent reviews exist on G2, Trustpilot, or Reddit
    Not just homepage testimonials.
  • File scanned on VirusTotal with fewer than 3 engine flags
    Upload the installer before running it.
  • Installer has a valid code signature from the named developer
    Check Properties → Digital Signatures on Windows.
  • Permission requests match what the tool actually does
    A text tool doesn’t need your camera.
  • No pre-checked “install partner software” boxes in the installer
    Classic bundleware tactic.
  • You know whether the tool is cloud-based or local
    Especially important for AI tools processing sensitive files.
  • Any update notification was confirmed in the official changelog
    Never click a browser pop-up update without verifying first.
  • A data deletion or account removal process exists
    If you can’t delete your account, your data is there forever.
Checks Passed Assessment Recommendation
11 / 11 Clean ✅ Safe to install. Keep monitoring for changes.
9–10 / 11 Mostly fine ⚠️ Note which checks failed. Proceed with awareness.
7–8 / 11 Proceed with caution Only install if you understand the specific risks involved.
5–6 / 11 High risk ❌ Do significantly more research before proceeding.
Under 5 Do not install ❌ The tool fails too many basic trust signals. Walk away.

Quick Recap

  • Safety check: Verify the developer, read the privacy policy for data-training clauses, confirm HTTPS and real reviews.
  • Virus check: Upload the installer to VirusTotal before running it. Use Windows Sandbox or macOS Gatekeeper for extra caution.
  • Update check: Never trust browser pop-ups. Always verify the version number against the official changelog and download from the bookmarked official source.
  • Cloud check: Test offline, watch network traffic, and read whether AI inference happens on your device or a remote server.

Stay Ahead of Risky AI Tools

We test and review new AI tools every week — security checks included. Bookmark our blog to stay informed before you install anything new.

Discover Tools Before Everyone Else!

We don’t spam! Read our privacy policy for more info.

Advertisement