Clawdbot: When "Easy AI" Becomes a Security Nightmare

We're currently tracking a developing security situation involving Clawdbot (recently rebranded as Moltbot) - an open-source, self-hosted AI assistant. Over the past week, we've observed widespread misconfigurations leading to credential exposure, prompt injection vulnerabilities, and compromised instances across multiple cloud providers.

Active Threat Landscape

We're seeing multiple attack vectors being actively exploited in the wild:

• Exposed credentials: Users are misconfiguring cloud instances, leading to publicly accessible API keys, authentication tokens, and in some cases, entire configuration files containing sensitive credentials.
• Prompt injection attacks: Clawdbot instances connected to X are leaking private information when external users craft specific prompts in replies. The platform ships without guardrails by default - a deliberate design decision by the authors - which creates a massive attack surface when users integrate social media accounts. We've confirmed multiple instances where attackers extracted API keys, email content, and internal system information through social engineering of the AI itself.‍
• Malicious "skills" distribution: Threat actors are distributing backdoored plugins through community channels. These appear as legitimate functionality extensions but contain code for content scraping, credential harvesting, and botnet recruitment.‍
• Insufficient AI guardrails: The platform lacks adequate safety controls. We're observing instances performing unintended actions including unauthorized posting, data exfiltration, and execution of commands beyond user intent.

Root Cause Analysis

The core issue is architectural: Clawdbot prioritizes ease of deployment over secure-by-default configuration. Non-technical users can spin up instances and integrate sensitive services without encountering any security friction or validation. There are no enforced firewall requirements, no credential validation, no sandboxing of untrusted plugins, and no AI safety guardrails to prevent prompt injection or unauthorized actions.

Immediate Remediation Steps

If you're running Clawdbot

1. Disconnect immediately: Revoke all connected service integrations, particularly email, social media, and any services with access to sensitive data
2. Audit exposed credentials: Check your web server configuration for publicly accessible files. Rotate any API keys, tokens, or passwords that may have been exposed
3. Implement network controls: Configure firewall rules to restrict access to your instance. At minimum, whitelist only trusted IP addresses
4. Review plugins: Remove any third-party "skills" and audit their behavior in logs before reinstalling from verified sources
5. Monitor for compromise: Check connected account activity logs for unauthorized actions

This isn't theoretical - we're seeing active exploitation. If you've had an instance running with default configurations, assume compromise and act accordingly.