
Hey there, have you heard about the recent security issues with Clawdbot’s MCP implementation? It’s quite alarming. The VentureBeat article highlighted some major flaws in its architecture, including the lack of mandatory authentication, prompt injection vulnerabilities, and shell access by design. And guess what? Security researchers have not only validated these attack surfaces but also discovered new ones in just a matter of days.
(By the way, did you know that Clawdbot was rebranded to Moltbot on January 27 due to a trademark request from Anthropic regarding the name “Claude”?)
Unfortunately, commodity infostealers are already taking advantage of these vulnerabilities. RedLine, Lumma, and Vidar have added Clawdbot to their target lists, leading to numerous attack attempts on various instances. For instance, Array VC reported a staggering 7,922 attack attempts on their Clawdbot instance.
Following these reports, a closer look at Clawdbot’s security posture revealed some concerning issues:
On January 26, SlowMist warned that hundreds of Clawdbot gateways were exposed to the internet, potentially exposing sensitive data like API keys, OAuth tokens, and private chat histories without requiring any credentials. Matvey Kukuy from Archestra AI even managed to extract an SSH private key via email in just five minutes using prompt injection.
The situation has been termed as “Cognitive Context Theft” by Hudson Rock, as the malware not only steals passwords but also psychological profiles, work activities, trust relationships, and private thoughts — everything needed for effective social engineering.
How defaults shattered the trust model
Clawdbot, an open-source AI agent, gained rapid popularity for its ability to streamline tasks across various platforms. However, many users set up instances without fully understanding the security implications. The default settings left ports open to the public internet, making it vulnerable to unauthorized access.
Jamieson O’Reilly from Dvuln quickly identified numerous exposed Clawdbot instances using Shodan, some of which allowed full command execution without any authentication. He even demonstrated a supply chain attack on ClawdHub’s skills library, reaching multiple developers in different countries within hours.
Despite the swift response from Clawdbot’s creator, Peter Steinberger, to patch the authentication bypass, fundamental architectural issues remain unresolved. The system’s design flaws, including plaintext memory file storage, supply chain vulnerabilities, and prompt injection pathways, pose significant challenges.
These AI agents have extensive permissions across various platforms, making them lucrative targets for attackers. A single prompt injection could have far-reaching consequences before detection.
With the rapid integration of AI agents into enterprise applications, the attack surface is expanding faster than security teams can keep up.
Supply chain attack exposes vulnerabilities
O’Reilly’s supply chain attack on ClawdHub highlighted the lack of moderation and verification in the ecosystem. The ease of distributing potentially malicious code to unsuspecting developers underscores the need for stringent controls.
Clawdbot’s practice of treating all downloaded code as trusted without validation opens up avenues for exploitation. Attackers are exploiting this blind trust to infiltrate systems.
Plaintext storage poses a significant risk
Clawdbot’s storage of sensitive data in plaintext files raises serious concerns about data security. Without proper encryption or containerization, this approach exposes critical information to potential breaches.
Traditional security measures are ill-equipped to handle the unique challenges posed by local-first AI agents, creating a new data exposure class that demands specialized protection.
Identity and execution are key concerns
Itamar Golan, a pioneer in AI security, emphasizes the importance of addressing identity and execution risks posed by AI agents. The continuous decision-making capabilities of these agents across multiple platforms require a paradigm shift in security strategy.
Security leaders must recognize that AI agents are not just productivity tools but integral components of production infrastructure. Without proper oversight, these agents can inadvertently expose organizations to significant risks.
Urgent actions for security leaders
Golan advocates for a proactive approach to securing AI agents, focusing on inventory management, provenance validation, least privilege enforcement, and runtime visibility. These measures are essential to mitigate the evolving threats posed by AI agents.
As enterprises increasingly adopt AI agents, security teams must adapt quickly to address the expanding attack surface and emerging threats. Failure to do so could result in severe consequences for organizations.
Stay ahead of the curve
The rapid evolution of AI agent exploitation underscores the urgency for security leaders to reevaluate their security posture. By implementing robust security measures and staying vigilant, organizations can mitigate the risks associated with AI agents and safeguard their data.
Stay informed and stay secure.
