The way they usually work is they give you some string and you sign it to prove you own the address.
Could a malicious air drop make a transaction sending all your BTC to them, and then you sign it, and then they broadcast it to the network?
Or is signing a message different than signing a transaction?
Airdrop is currently more insecure,which is often caused by malware viruses through social media sites or other media,especially if you have to send bitcoin to get coins,I have long since left airdrop I think if you are interested,you should be careful because it often happens data theft.