
Viral AI helper Clawdbot has serious security holes in its gateway that could expose private messages and login credentials to the public. Cybersecurity experts say that hundreds of user-deployed instances are still unauthenticated and reachable online. On Tuesday, the blockchain security company SlowMist reported a “gateway exposure” in Clawdbot.
It said that hundreds of API keys and private chat logs are at risk, and that several publicly reachable instances require no authentication at all. The flaws make it possible to steal credentials and execute commands remotely.
Security researcher Jamieson O’Reilly first discussed the problem on Sunday. He said that “hundreds of people have set up their Clawdbot control servers exposed to the public” in the past few days. O’Reilly got results in seconds by searching for “Clawdbot Control” with tools like Shodan.
These hits gave him access to API keys, bot tokens, OAuth secrets, signing keys, entire chat histories, the ability to send messages, and the ability to run commands.
The Local AI Agent’s Viral Rise
According to Mashable, Clawdbot, an open-source AI assistant created by developer Peter Steinberger, runs on users’ smartphones and went viral over the weekend.
Its gateway connects large language models to messaging platforms through a web admin interface called “Clawdbot Control.” Problems arise when that interface is placed behind a misconfigured reverse proxy, which allows authentication to be bypassed.
The tool’s full access to the host system, including the ability to read files, run commands, execute scripts, and drive browsers, raises the stakes considerably. Clawdbot’s own FAQ calls this “spicy,” noting that there is no such thing as a completely safe setup and warning of hazards including prompt injection and social engineering.
Demo of Extracting a Private Key
Matvey Kukuy, the CEO of Archestra AI, demonstrated how dangerous this is by using email prompt injection to obtain a private key from a compromised Clawdbot instance in about 5 minutes.
O’Reilly told agent users: “If you have agent infrastructure, check your configuration today. Look at what is really open to the internet. Know what you’re giving up and what you’re trusting with that deployment.” He also said, “The butler is very smart. Just remind him to lock the door.”
Advice from Security Experts
SlowMist strongly recommends allowing only specific IP addresses to connect to open ports in order to reduce the risk. O’Reilly’s findings show that audits need to happen right away, especially since Clawdbot is quickly gaining traction in crypto-adjacent circles where API keys and private data are especially valuable.
This case shows that self-hosted systems promising local control face new risks as AI agents become more common. To avoid accidentally leaking data, users must make sure their deployments are securely configured.
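The two checks implied by this advice, as an added example that is not code from the article or from the Clawdbot project: a filter that lists which TCP listeners on a host are bound to every interface (and therefore reachable from the internet unless a firewall intervenes), and a generator for the nftables commands that restrict one such port to an allowlisted source network. The port (8080) and the allowed network (203.0.113.0/24) are constructed placeholders, since the article names neither Clawdbot’s port nor any address; the `ss` sample lines are constructed too.

```shell
#!/bin/sh
# Added example, not code from the article or from the Clawdbot project.
# 1. exposed_listeners: flag TCP listeners bound to all interfaces.
# 2. allowlist_rule: print nftables commands limiting a port to one network.
# PORT 8080 and network 203.0.113.0/24 are constructed placeholders.

# Reads `ss -H -ltn` style lines on stdin and prints the local address:port of
# every listener bound to a wildcard address (0.0.0.0, [::] or *).
exposed_listeners() {
    awk '{
        addr = $4
        sub(/:[0-9]+$/, "", addr)          # strip the trailing ":port"
        if (addr == "0.0.0.0" || addr == "[::]" || addr == "*")
            print $4
    }'
}

# Constructed sample of `ss -H -ltn` output: a loopback-only listener (safe),
# a gateway bound to all IPv4 interfaces, and one bound to all IPv6 interfaces.
sample_listeners() {
    cat <<'EOF'
LISTEN 0 128 127.0.0.1:8080 0.0.0.0:*
LISTEN 0 4096 0.0.0.0:8080 0.0.0.0:*
LISTEN 0 511 [::]:443 [::]:*
EOF
}

# Runs the filter over the constructed sample; on a live host you would use
#   ss -H -ltn | exposed_listeners
audit_sample() {
    sample_listeners | exposed_listeners
}

# Prints (does not apply) nftables commands that accept TCP to port $1 only
# from network $2 and drop everything else aimed at that port. Assumes a table
# `inet filter` with an `input` chain already exists; an IPv6 allowlist would
# need an additional `ip6 saddr` rule before the drop.
allowlist_rule() {
    port=$1
    cidr=$2
    printf 'nft add rule inet filter input tcp dport %s ip saddr %s accept\n' "$port" "$cidr"
    printf 'nft add rule inet filter input tcp dport %s drop\n' "$port"
}

# Binding the gateway to 127.0.0.1 (or a VPN interface) removes it from the
# wildcard list entirely and is the simpler fix wherever it is possible.

audit_sample
allowlist_rule 8080 203.0.113.0/24
```

Anything the first function prints is a service the whole internet can reach at the socket level; the allowlist rule (or rebinding the service to loopback) is what turns a public listener into a private one, which is the configuration check O’Reilly and SlowMist are asking operators to perform.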

