Clawdbot (Moltbot) Went Viral. So Did Its Security Holes.

Clawdbot (now rebranded as Moltbot) exploded onto the scene over the past week. 60,000+ GitHub stars. Viral X threads. Discord communities buzzing. The promise is intoxicating: a personal AI assistant that lives in your messaging apps, remembers everything, and executes tasks autonomously.

Then the security reports started rolling in.

Within days, researchers found hundreds of exposed control panels on the public internet. API keys. Private chat histories. OAuth credentials. And in some cases, full command execution with root privileges.

This is the AI agent security problem in miniature, and it doesn’t matter if you’re a Fortune 500 enterprise or a solopreneur tinkering with the future of personal assistants: the risks are structural, not incidental.

What Clawdbot Actually Is (And Why That’s the Problem)

Clawdbot isn’t a chatbot. It’s an agent gateway that bridges large language models to your messaging platforms (Telegram, Slack, Discord, Signal, WhatsApp) and local system capabilities. It can read and write files, execute shell commands, authenticate to third-party services, and maintain long-term memory.

This architecture is powerful. It also collapses multiple security boundaries into a single system.

As SOCRadar’s analysis put it: once deployed, Clawdbot becomes part of your attack surface, not just another tool in your stack.

The project’s own documentation is refreshingly honest:

“Running an AI agent with shell access on your machine is… spicy. There is no ‘perfectly secure’ setup.”

That honesty is commendable. But it doesn’t reduce your exposure.

The Real-World Damage (So Far)

The findings from SlowMist, Jamison O’Reilly, and others paint an alarming picture:

Exposed credentials everywhere. Shodan scans reveal over 1,000 Clawdbot gateways accessible on the public internet. Many expose Anthropic API keys, Telegram bot tokens, OAuth secrets, and months of private conversation history.

Remote code execution. In multiple instances, researchers found systems with command execution enabled and no authentication. One AI software agency’s exposed server was running with root privileges and no privilege separation.

Prompt injection to private key extraction in five minutes. The CEO of Archestra AI demonstrated how a simple prompt injection attack (via an email the bot was asked to check) led to extraction of a private key from the compromised machine.

Crypto scammers exploited the chaos. During the trademark-driven rebrand from Clawdbot to Moltbot, scammers hijacked old accounts and launched fake $CLAWD tokens that hit a $16M market cap before collapsing to near zero, leaving late buyers rugged.

The “Confused Deputy” Problem for AI Agents

The UK’s National Cyber Security Centre (NCSC) has been clear about this threat model: prompt injection should be treated like a confused deputy problem, where a privileged system can be coerced into acting on an attacker’s behalf.

Clawdbot (by design) becomes that privileged system:

  • It can see what you see (folders, docs, messages)
  • It can act where you can act (tools with your account permissions)
  • It can be exposed to content you shouldn’t trust (web pages, emails, attachments)

Security researcher Simon Willison calls this the “lethal trifecta”: private data + untrusted content + external communication. Combine all three and exploitation becomes inevitable.

Clawdbot’s entire product value moves you closer to that trifecta.
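One way a gateway could enforce the trifecta idea above in code is a taint gate in the tool loop: record when the session has touched private data and when untrusted content has entered the context, and refuse any externally communicating tool once both are true. This is an added illustration, not Clawdbot/Moltbot code; the tool names, their classification and the session model are assumed for the example.

```python
"""Taint-based "lethal trifecta" gate for an agent tool loop (illustrative).

Hypothetical tool names are grouped into the three trifecta legs. A session
accumulates taint as tools run; once it holds BOTH private data and untrusted
content, any external-communication tool is denied. Unclassified tools are
denied as well, so the gate fails closed rather than open.
"""
from dataclasses import dataclass, field

# Assumed classification for the example (not the project's real tool set).
PRIVATE_DATA_TOOLS = {"read_file", "read_messages", "list_credentials"}
UNTRUSTED_INPUT_TOOLS = {"fetch_url", "read_email", "open_attachment"}
EXTERNAL_COMMS_TOOLS = {"send_message", "http_post", "send_email"}
KNOWN_TOOLS = PRIVATE_DATA_TOOLS | UNTRUSTED_INPUT_TOOLS | EXTERNAL_COMMS_TOOLS


@dataclass
class SessionTaint:
    touched_private: bool = False      # leg 1: private data is in context
    ingested_untrusted: bool = False   # leg 2: attacker-influenced text is in context
    log: list = field(default_factory=list)  # audit trail of decisions


def gate_tool_call(session: SessionTaint, tool: str) -> tuple[bool, str]:
    """Decide one tool call. Returns (allowed, reason) and updates taint."""
    if tool not in KNOWN_TOOLS:
        session.log.append(f"DENY {tool}: unclassified tool")
        return False, "unclassified tool; fail closed"
    if tool in EXTERNAL_COMMS_TOOLS and session.touched_private and session.ingested_untrusted:
        # Leg 3 would complete the trifecta: block the exfiltration path.
        session.log.append(f"DENY {tool}: trifecta complete")
        return False, "private data + untrusted content in context; external send blocked"
    if tool in PRIVATE_DATA_TOOLS:
        session.touched_private = True
    if tool in UNTRUSTED_INPUT_TOOLS:
        session.ingested_untrusted = True
    session.log.append(f"ALLOW {tool}")
    return True, "ok"


def run_plan(plan: list[str]) -> list[bool]:
    """Evaluate a sequence of tool calls in a fresh session; one verdict per step."""
    session = SessionTaint()
    return [gate_tool_call(session, tool)[0] for tool in plan]


if __name__ == "__main__":
    # Constructed scenario mirroring the injected-email case: the bot checks an
    # email (untrusted), reads a local key file (private), then tries to send.
    print(run_plan(["read_email", "read_file", "send_email"]))  # [True, True, False]
```

Note that ordering does not rescue a plan: sending before any taint is allowed, but once both legs are present every later external send is denied for the rest of the session.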

Why This Matters for Everyone (Not Just Enterprises)

You might think: “I’m just a solopreneur playing around. This doesn’t apply to me.”

It does. Here’s why:

Your API keys are money. If your Anthropic or OpenAI keys leak, someone else runs up your bill. Or worse, they use your account for abuse that gets traced back to you.

Your message history is intelligence. Private conversations with clients, financial details, business strategy, personal information: all potentially exposed.

Your credentials are accessible. OAuth tokens for Slack, Google, or other integrations don’t just expose one system. They expose everything those accounts can reach.

Your system is a launchpad. A compromised machine with shell access becomes a pivot point for lateral movement, persistence, or further attacks.

The difference between an enterprise breach and a solopreneur breach is scale, not severity. Your digital life can be upended just as completely.

The Chiri Approach: Security as Architecture, Not Afterthought

At Chiri, we’ve been thinking about this problem since long before Clawdbot went viral. When we analyzed Claude Cowork’s attack surface, we applied the same lens we apply to every AI tool: if you can’t answer the “must-haves” with evidence, you’re carrying too much risk.

The AI security checklist from our CISO, Mark Aklian, forces the uncomfortable questions:

  • Architecture transparency: Where does the model run? Which tools are active? What third-party dependencies exist?
  • Data flow and retention: Are prompts and outputs logged? For how long? Used for training?
  • Guardrails against abuse: Prompt injection defenses, retrieval allowlists, output filtering, abstention on low confidence
  • Tool and agent safety: Sandboxing, controlled egress, scoped credentials, least-privilege function calling
  • Governance and change management: Version control, approvals, rollback, audit trails
  • AI incident response: Playbooks for injection, exfiltration, and model regressions, plus forensics retention

Clawdbot, by its own admission, can’t satisfy most of these requirements out of the box. And that’s the point: these aren’t features you “add later.” They’re architecture you build from day one, or you don’t have them at all.

Chiri Brain: The Control Plane That Changes the Game

This is exactly why we built Chiri Brain.

The Chiri Standard treats governance as a first-class system:

Transparent. Every interaction produces execution traces. You can answer “what did the AI access?” with evidence, not guesses.

Flexible. One interface, multiple models. Switch providers without rebuilding your infrastructure.

Controlled. Task Personas turn best practices into versioned, enforceable behaviors. Guardrails apply automatically, not when someone remembers.

Compliant. Every action logged, every access controlled, every query traceable. Immutable audit trails for when regulators (or incident responders) come knocking.

Yours. Deploy cloud or self-host. Bring your models. Your data stays your data.

This isn’t a “nice to have” layer on top of powerful AI. It’s the difference between a tool that works until it doesn’t and infrastructure you can actually trust.

If You Want to Experiment: Stay Current on Security

Clawdbot/Moltbot is genuinely innovative technology and we understand the appeal of experimenting with it. But the security landscape is evolving rapidly, and what’s “safe enough” today may not be tomorrow. If you choose to deploy it, staying current on security guidance isn’t optional.

Here are three reliable sources to follow:

1. Official Clawdbot Security Documentation: docs.clawd.bot/gateway/security

This is the authoritative source from the project maintainers themselves. It covers the trust hierarchy model, device authentication, reverse proxy configuration pitfalls, tool sandboxing options, and the built-in clawdbot security audit command. The documentation is refreshingly candid about risks (they explicitly acknowledge there’s “no perfectly secure setup”) and provides concrete hardening steps. Start here before you deploy anything.

2. SOCRadar’s Technical Analysis: socradar.io/blog/clawdbot-is-it-safe/

SOCRadar is a well-established cyber threat intelligence firm. Their analysis goes beyond surface-level concerns to examine Clawdbot’s architecture, explain why the gateway design creates concentrated risk, and document real-world exposure data from Shodan scans. They provide the kind of independent, security-researcher perspective that helps you understand risks the project maintainers might not emphasize. This is the analysis to read if you want to understand the structural security challenges of AI agent gateways.

3. Hudson Rock’s Infostealer Threat Intelligence: infostealers.com/article/clawdbot-the-new-primary-target-for-infostealers-in-the-ai-era/

Hudson Rock specializes in tracking infostealer malware campaigns and compromised credentials. Their analysis shifts the lens from “how might Clawdbot be attacked?” to “how are attackers already adapting?” They document how major Malware-as-a-Service families (RedLine, Lumma, Vidar) are updating their target lists to sweep Clawdbot’s plaintext config files. They also introduce the concept of “Memory Poisoning,” where attackers with write access can permanently alter your AI’s behavior. This is essential reading for understanding the active threat landscape, not just theoretical vulnerabilities.

The Bottom Line

Clawdbot’s viral moment is also a warning. The AI agent era is arriving fast, and the tools are outpacing the controls.

The question isn’t “Is Clawdbot secure?” The question is: Can you prove you have the controls to make any autonomous agent safe enough for your workflows?

If you’re building with AI agents, whether at enterprise scale or as a solopreneur experimenting on nights and weekends, security, auditability, and traceability aren’t optional extras. They’re the foundation.

That’s why we built Chiri Brain: to give you the power of AI agents without the chaos.

Because capability without control is indistinguishable from exposure.


Ready to take AI security seriously? Learn more about Chiri Brain or reach out to talk with our team.