The Ultimate Checklist: How to Know If a New Software or AI Tool is Safe
A no-fluff guide to protecting your device, data, and peace of mind before you click Install.
In This Guide
New software tools launch every day. AI tools even more so. And most of them look polished, professional, and totally trustworthy — right up until they’re not. I’ve seen people lose data, get their accounts hijacked, or unknowingly feed their business files into AI training pipelines, all because they skipped a few basic checks.
This guide gives you a concrete, repeatable process for vetting any software or AI tool before you touch it. No technical background required. The checks take five to fifteen minutes, and they’ve saved me from installing some genuinely sketchy stuff.
Your 4-step safety journey before installing any new software or AI tool.
How to Know If a Software is Safe
Taking 10 minutes to vet a tool beats spending hours cleaning up a compromised machine.
The first question isn’t “does it look legit?” Scam software looks legitimate on purpose. The real check is about verifiable signals — things you can confirm independently, not things the software tells you about itself.
1. Check the Developer’s Track Record
Start with who built it. Search the company name alongside words like “scam,” “data breach,” or “reviews.” If it’s a one-person project, check if that person has a verifiable public presence — GitHub commits, LinkedIn, published documentation. Completely anonymous developers on tools that want access to your files are a hard pass.
For AI tools specifically, check whether the developer discloses how your data is used. Some tools explicitly state they train their models on user inputs. Others don’t disclose this at all. That silence is itself a signal worth noting.
2. Read the Privacy Policy — Yes, Really
You don’t need to read the whole thing. Search for these specific words: “train,” “third party,” “sell,” “retain,” and “delete.” AI tools that use your data for model training will usually bury this in a clause like “we may use your inputs to improve our services.” That phrase means your content could end up in their training pipeline. If that’s a problem for what you’re doing with the tool, you now know.
⚠️ What to watch for in AI privacy policies
- “We may use your inputs to improve our models” = your data trains the AI.
- “Data retained for 30 days” with no opt-out = you can’t delete it early.
- No mention of data deletion at all = red flag worth following up on.
- No privacy policy published at all = walk away.
3. Look for HTTPS and a Real Website
Any legitimate software company has a proper website with HTTPS encryption (look for the padlock icon in your browser). The download should come from the official domain — not a third-party mirror or file-sharing site. If the “official” download redirects you through three other domains, that’s a problem. Check the URL bar carefully after each redirect.
4. Look Up Independent Reviews
G2, Trustpilot, Product Hunt, and Reddit are your friends here. Don’t trust reviews on the software’s own website — those are curated. Look for critical reviews, support complaints, and any mentions of unexpected behaviour. A tool with zero independent reviews of any kind either launched yesterday or has something to hide.
| Signal | Safe ✅ | Risky ❌ |
|---|---|---|
| Developer identity | Named company with history, public contacts | Anonymous, no public presence |
| Privacy policy | Clear, specific, includes opt-outs for data training | Missing, vague, or buries training clauses |
| Website domain | Stable HTTPS site, download from official domain | Redirects, mirror sites, HTTP only |
| Independent reviews | Verified reviews on G2, Trustpilot, Reddit | Only homepage testimonials, no third-party coverage |
| Permission requests | Requests only what the tool needs | Asks for camera, contacts, microphone for a text tool |
| Refund / support policy | Documented support channels and refund terms | No support page, no way to contact anyone |
✅ When You Do the Check
- You catch bad actors before they have access to your files
- You know exactly how your data will be used
- Fewer nasty surprises with billing or data retention
- Builds a habit that protects you with every tool you try
❌ When You Skip It
- Your files may end up in someone’s training dataset
- Malware can persist even after uninstalling the tool
- Account credentials can be harvested in the background
- Data deletion becomes impossible once it’s gone
Unsure About a Tool You’re Using Right Now?
We review and vet AI tools so you don’t have to guess. Check out our safety deep-dives below.
How to Know If a Software Has a Virus
Running a file through VirusTotal before installing takes under two minutes and costs nothing.
Most malware doesn’t announce itself. It installs quietly alongside a legitimate-looking app — often called a “bundled installer” — and starts doing its thing in the background. The good news is that checking for this is genuinely easy if you know the right tools.
Step 1: Run the Installer Through VirusTotal First
Before you double-click that .exe or .dmg file, go to virustotal.com and upload it. VirusTotal runs the file through 70+ antivirus engines simultaneously and shows you the results in about 30 seconds. If more than 2 or 3 engines flag it, take that seriously. If 15 engines flag it, delete the file immediately.
You can also paste the download URL directly into VirusTotal without even downloading the file first — that’s the safest approach for anything you’re unsure about.
Download but don’t run the installer yet
Save the file to your Downloads folder. Do not double-click it. Keep your browser open.
Go to virustotal.com and upload the file
Click “Choose File,” select your installer, and hit upload. Files up to 650MB are supported for free.
Read the results — don’t just look at the number
A “0/71” result means clean. “2/71” may be a false positive from overly aggressive engines. “12/71” means stop, do more research before proceeding.
Check the “Behavior” and “Details” tabs too
Even a clean scan can show unusual network connections or registry modifications in these tabs. Those are worth understanding before you install.
Step 2: Use Windows Sandbox or macOS Gatekeeper
Windows 10/11 Pro includes Windows Sandbox — a disposable virtual machine that resets completely every time you close it. Install the suspicious software there first and watch what it does. Does it try to access the internet the moment it opens? Does it attempt to write files outside its own directory? These are signs of bad behavior.
Mac users get Gatekeeper built in. It won’t let you run apps from unidentified developers without explicitly bypassing it. That friction exists for a reason. If you’re being pushed to bypass Gatekeeper for an app you found on a random website, treat that as a serious warning sign.
Where Malware Actually Comes From
Source: Verizon Data Breach Investigations Report & AV-TEST Institute 2023/2024 data. Percentages reflect share of reported infection vectors.
Red Flags During Installation
- The installer tries to disable your antivirus before proceeding.
- It requests administrator / root permissions for a simple productivity app.
- Pre-checked boxes offering to install “partner software” you didn’t ask for.
- The app immediately asks for your email and password on first launch, for no obvious reason.
- Your antivirus pops a warning that you have to dismiss to continue.
🚨 Special Warning for AI Tools
A growing number of fake “AI tools” are circulating on social media and in ad campaigns. They look like legitimate ChatGPT alternatives or video generators. Several documented cases in 2024 showed these tools installing info-stealers that harvested browser passwords and crypto wallet data. If an AI tool is being promoted heavily on TikTok or Instagram with no verifiable company behind it, run the VirusTotal check before anything else.
Want to Know If a Specific AI Tool is Safe?
We publish detailed safety breakdowns for the AI tools people are actually using. No guesswork.
How to Know If a Software Update is Legitimate
Fake update popups have gotten disturbingly good at impersonating real ones. Here’s how to tell them apart.
Fake software update pop-ups are one of the oldest tricks in the book, but they’ve had a serious renaissance lately — especially around AI tools. Open-source AI projects with active communities are particularly targeted because users expect frequent updates. A well-timed fake “model update” notification can feel completely routine.
Real Updates vs. Fake Updates: Key Differences
| Characteristic | Legitimate Update ✅ | Fake Update ❌ |
|---|---|---|
| Where it appears | Inside the app itself, or via system update manager | Browser pop-up, overlay on a website, email link |
| URL / source | Downloads from the official domain (e.g. company.com/releases) | Redirects to cdn-update-server[.]xyz or similar |
| Version number | Matches the changelog on the official website or GitHub | No matching entry in any public changelog |
| Urgency language | “A new version is available.” | “CRITICAL: Update now to avoid data loss!” |
| What it asks for | Just downloads and runs the update | Asks for your password, payment info, or to disable antivirus |
| Code signing | Installer has valid digital signature from the developer | Unsigned, or signed by an unrelated/unknown entity |
The Open-Source AI Tool Problem
If you use tools like Ollama, LM Studio, or self-hosted AI systems, you’re probably used to updates coming through GitHub or the project’s own website. Bad actors have started creating lookalike pages that appear at the top of search results for terms like “download Ollama update 2025.” The page looks identical to the real one. The difference is usually in the domain — an extra hyphen, a different TLD, or a subdomain that wasn’t there before.
The safest habit: bookmark the official download page the first time you install, and always go directly to that bookmark for updates. Never search for an update in Google and click the first result.
How to Verify a Code Signature
On Windows, right-click any installer file, choose Properties, and look for a “Digital Signatures” tab. You should see the developer’s name as the signer, with a valid (not expired) certificate. If the tab is missing, or the signer is “Unknown” or a random LLC you’ve never heard of, don’t run it.
On macOS, open Terminal and run: codesign -dv --verbose=4 /path/to/app.dmg. Look for “Authority=Developer ID Application:” followed by the developer’s name. A mismatch or missing authority is a red flag.
💡 Quick Verification Flow
Got an update notification? Before clicking anything: (1) Go directly to the software’s official website or changelog. (2) Confirm the version number matches what’s being offered. (3) Download from the official source, not the pop-up. This three-step habit stops the vast majority of fake update attacks cold.
Side-by-side signals of a real vs. fake software update notification.
How to Know If a Software is Cloud Based
Whether your data stays on your machine or travels to a remote server changes your security posture significantly.
This one matters more than most people realize. When software processes data on your machine, that data never leaves. When it’s cloud-based, your files and inputs travel to a server somewhere, get processed, and the result comes back to you. That’s not inherently bad — but it means your data now lives somewhere outside your control, even briefly.
For AI tools, the question of local vs. cloud processing is especially important. A cloud-based AI writing assistant sends every sentence you type to a remote server. A locally-run model like LM Studio processes everything on your own GPU and nothing leaves your device.
How to Tell if a Tool Processes Data Locally or in the Cloud
☁️ Cloud-Based Processing
- Requires an internet connection to function
- Usually has a web interface (browser-based app)
- Creates an account on sign-up and stores your history
- Works identically on any device you log into
- Often has a “usage” dashboard showing API calls
- Privacy policy discusses “server storage” and “data centers”
- Loses functionality or freezes when your connection drops
💻 Local Processing
- Works offline, no internet needed after setup
- Runs as a desktop app, not in your browser
- Your files never appear in any cloud dashboard
- Performance depends on your own hardware
- Privacy policy may not exist — data never leaves device
- No account required in many cases
- Continues to work when internet is down
The Network Monitor Test
Not sure? Run the tool and watch your network traffic. On Windows, open Task Manager, go to the App History tab, and check network usage. On Mac, use Activity Monitor’s Network tab. If a tool spikes outbound data the moment you open a file or type something, it’s sending that data somewhere. That’s not always bad — but you should know it’s happening.
Tools like Little Snitch (Mac) or GlassWire (Windows) let you see exactly which domains an app is connecting to. For sensitive work, this is genuinely useful. You might discover that your “local” PDF tool is phoning home to analytics servers every five minutes.
What This Means for Your Computer’s Performance
Cloud-based tools offload the heavy computation to remote servers. That’s great for low-spec machines — you can run powerful AI models without needing a GPU. The tradeoff is latency (there’s a round-trip to the server) and data privacy.
Local tools use your own CPU, GPU, and RAM. They’re faster for many tasks once set up, but running a large local AI model on a machine with 8GB of RAM and no dedicated GPU will likely bring your computer to its knees. Knowing which type you’re dealing with helps you set realistic expectations.
| Factor | Cloud-Based ☁️ | Local / On-Device 💻 |
|---|---|---|
| Data privacy | Data leaves your device | Data stays on your machine |
| Hardware requirements | Low — server does the work | High for AI models (GPU helpful) |
| Offline use | No — requires internet | Yes — works without connection |
| Speed for large files | Depends on upload speed | Fast (no upload needed) |
| Training on your data | Possible — check privacy policy | Impossible by design |
| Updates | Automatic, seamless | Manual, requires re-download |
| Multi-device access | Yes, log in from anywhere | Tied to your local machine |
Hybrid Tools: The Tricky Middle Ground
Many modern AI tools are hybrid — they process some things locally (like the UI and light tasks) and send heavier computation to the cloud. This is common with tools like GitHub Copilot, Grammarly, and various AI image editors. If you’re working with confidential documents, check specifically whether the heavy processing (the AI inference step) happens locally or remotely. The answer is usually in the pricing page or the FAQ, not the main marketing copy.
Comparing Cloud vs. Local AI Tools?
We cover both types across our tool reviews so you know exactly what you’re signing up for.
The Master Safety Checklist
Use this before installing anything new. Screenshot it, bookmark it, print it out — whatever works. Eleven checks, fifteen minutes, no technical expertise needed.
Complete all 11 checks before installing. Failing three or more is a strong signal to hold off.
-
Developer is identifiable and has a verifiable public presence
Named company or individual, not anonymous. -
Official website uses HTTPS and download comes from the official domain
No redirect chains or third-party mirrors. -
Privacy policy is published and readable
Search it for “train,” “third party,” “sell,” and “retain.” -
Independent reviews exist on G2, Trustpilot, or Reddit
Not just homepage testimonials. -
File scanned on VirusTotal with fewer than 3 engine flags
Upload the installer before running it. -
Installer has a valid code signature from the named developer
Check Properties → Digital Signatures on Windows. -
Permission requests match what the tool actually does
A text tool doesn’t need your camera. -
No pre-checked “install partner software” boxes in the installer
Classic bundleware tactic. -
You know whether the tool is cloud-based or local
Especially important for AI tools processing sensitive files. -
Any update notification was confirmed in the official changelog
Never click a browser pop-up update without verifying first. -
A data deletion or account removal process exists
If you can’t delete your account, your data is there forever.
| Checks Passed | Assessment | Recommendation |
|---|---|---|
| 11 / 11 | Clean ✅ | Safe to install. Keep monitoring for changes. |
| 9–10 / 11 | Mostly fine ⚠️ | Note which checks failed. Proceed with awareness. |
| 7–8 / 11 | Proceed with caution | Only install if you understand the specific risks involved. |
| 5–6 / 11 | High risk ❌ | Do significantly more research before proceeding. |
| Under 5 | Do not install ❌ | The tool fails too many basic trust signals. Walk away. |
Quick Recap
- Safety check: Verify the developer, read the privacy policy for data-training clauses, confirm HTTPS and real reviews.
- Virus check: Upload the installer to VirusTotal before running it. Use Windows Sandbox or macOS Gatekeeper for extra caution.
- Update check: Never trust browser pop-ups. Always verify the version number against the official changelog and download from the bookmarked official source.
- Cloud check: Test offline, watch network traffic, and read whether AI inference happens on your device or a remote server.
Stay Ahead of Risky AI Tools
We test and review new AI tools every week — security checks included. Bookmark our blog to stay informed before you install anything new.