Securing Clawdbot (Moltbot): Complete Hardening Guide After 900+ Exposed Instances
Peter Steinberger's viral AI assistant hit 60,000 GitHub stars in 3 days—then security researchers found 900+ instances leaking API keys on Shodan. Here's the official moltbot.json hardening guide.
How do I secure Clawdbot / Moltbot?
Run moltbot security audit --deep to identify vulnerabilities. Then configure moltbot.json with: gateway.bind: "loopback" to prevent network exposure, gateway.trustedProxies to prevent auth bypass, dmPolicy: "pairing" to require contact approval, and sandbox mode for untrusted content. Set chmod 600 on all config files to protect from infostealers.
TL;DR
- •60,000+ GitHub stars in 3 days—Clawdbot became one of the fastest-growing open source projects ever, then Anthropic forced a rebrand to Moltbot
- •900+ exposed instances found on Shodan by SlowMist, leaking API keys, Telegram tokens, and conversation histories
- •Infostealers updated—RedLine, Lumma, and Vidar now specifically target
~/.clawdbot/directories - •5-minute prompt injection—researcher Matvey Kukuy extracted crypto private keys and forwarded emails via a single malicious message
- •Official fix:
moltbot security audit --fixauto-applies security guardrails
01.The Clawdbot Story: From Viral Launch to Security Crisis
On January 26, 2026, Austrian developer Peter Steinberger (founder of PSPDFKit, which he sold to Insight Partners) launched Clawdbot—an open source, self-hosted AI assistant with persistent memory and 50+ integrations across WhatsApp, Telegram, Slack, Signal, Discord, and iMessage.
The response was explosive. Clawdbot hit 9,000 GitHub stars in its first 24 hours. By day three, it crossed 60,000+ stars—making it one of the fastest-growing open source projects in GitHub history.
Then Everything Went Wrong
On January 27, just one day after launch, Anthropic issued a trademark request forcing a rebrand. Steinberger chose "Moltbot"—because "molt is what lobsters do to grow."
But during the 10-second window while Steinberger renamed the GitHub organisation, crypto scammers hijacked the old accounts. They seized both the GitHub org and X/Twitter handle, launching fake $CLAWD tokens on Solana that reached a $16 million market cap before crashing 90%.
Meanwhile, security researchers were discovering something worse: hundreds of Clawdbot instances were running completely exposed on the public internet.
02.What Security Researchers Found
Blockchain security firm SlowMist announced that a Clawdbot "gateway exposure" had put hundreds of API keys and private chat logs at risk. Researcher Jamieson O'Reilly documented instances running without any authentication on the public internet.
Known CVEs
CVE-2025-59466async_hooks DoS vulnerability—can crash the gateway process
CVE-2026-21636Permission model bypass—allows unauthorized access to protected resources
The Authentication Bypass Problem
The most critical vulnerability stems from how Clawdbot handles authentication behind reverse proxies. By default, Clawdbot trusts all connections from localhost. This is fine for local-only use—but most deployments run behind nginx or Caddy on the same server.
The Problem
When a reverse proxy doesn't correctly pass X-Forwarded-For headers, all traffic appears to come from 127.0.0.1. The gateway treats these as local connections and bypasses all authentication—giving anyone on the internet full access.
03.Infostealer Malware Now Targets Clawdbot
Cybercrime groups have updated their infostealer malware to specifically hunt for Clawdbot installations. Here's exactly what they're targeting:
Target Files and Directories
~/.clawdbot/moltbot.jsonMaster configuration—contains gateway auth tokens (grants RCE if stolen)
~/clawd/memory/memory.mdPersistent conversation state—work activities, trusted contacts, mentioned credentials
~/.clawdbot/auth-profiles.jsonAPI tokens for Jira, Confluence, Atlassian, and other integrated services
~/clawd/SOUL.mdAgent behaviour configuration—can be poisoned to create persistent backdoors
~/.clawdbot/credentials/*.jsonWhatsApp creds, Telegram tokens, pairing allowlists
Malware Adaptations
Uses modular "FileGrabber" to sweep %UserProfile%\.clawdbot\*.json
Employs heuristics targeting files named "secret" or "config" in home directories
Dynamically updates target lists via social media to hunt for ~/clawd/ directories
Regex patterns used by infostealers:
(auth.token|sk-ant-|jira_token)04.The 5-Minute Prompt Injection Attack
Real Attack Demonstrated
Matvey Kukuy, CEO of Archestra AI, demonstrated how a prompt injection attack could compromise a Moltbot instance in just 5 minutes:
- 1Sent a malicious email containing hidden prompt injection instructions
- 2Moltbot read the email and believed the instructions were legitimate
- 3The AI forwarded the user's last 5 emails to an attacker-controlled address
- 4In a separate demo, Kukuy extracted a crypto private key using the same technique
The attack exploited Clawdbot's full system access—its ability to read files, execute commands, and control browsers. As Hacker News commenters noted: "It's terrifying. No directory sandboxing."
05.Don't Expose Your Ports to the Internet
Critical Warning
Never expose Moltbot's gateway port directly to the internet. This is the #1 reason 900+ instances appeared on Shodan. If attackers can reach your gateway, they can bypass authentication, access your conversations, steal API keys, and execute commands on your system.
What SlowMist Found on Shodan
Security researchers at SlowMist discovered 900+ Clawdbot gateways accessible on the public internet via Shodan, a search engine for internet-connected devices. These exposed instances revealed:
Anthropic API keys, OpenAI tokens, and other credentials visible in plaintext
Chat histories with personal and business information exposed
Attackers could execute commands on the host system via the AI agent
Bot credentials allowing attackers to impersonate users
Common Mistakes That Expose Your Instance
1. Setting bind: "0.0.0.0"
This binds to all network interfaces, making your gateway accessible from any IP address.
// DANGEROUS - Never do this
"gateway": { "bind": "0.0.0.0" }2. Using Tailscale Funnel / Serve Without Auth
Tailscale Funnel creates a public HTTPS endpoint. Without proper auth, anyone can access it.
# DANGEROUS - Exposes to internet
tailscale funnel 187893. Port Forwarding on Your Router
Forwarding port 18789 (or any Moltbot port) through your router makes it scannable by Shodan.
# DANGEROUS - Check your router settings
# Remove any port forwards for Moltbot4. Running in Docker Without Network Isolation
Docker's default bridge network may expose ports to the host. Use host networking carefully.
# DANGEROUS - Exposes all ports
docker run --network host moltbotThe Correct Approach
Always bind to loopback (localhost only) and access via SSH tunneling or VPN if you need remote access:
// CORRECT - Only accessible locally
{
"gateway": {
"mode": "local",
"bind": "loopback", // or "127.0.0.1"
"port": 18789
}
}
# For remote access, use SSH tunneling:
ssh -L 18789:localhost:18789 user@your-serverHow to Check if Your Instance is Exposed
- 1.Search Shodan for your public IP:
shodan host YOUR_IP - 2.Run
netstat -tulpn | grep 18789to check what's listening - 3.Try accessing from outside your network:
curl http://YOUR_PUBLIC_IP:18789 - 4.Run
moltbot security audit --deepfor automatic detection
06.Understanding Moltbot Sandboxing
One of the most discussed concerns on Hacker News was Clawdbot's lack of directory sandboxing. Unlike containerised solutions, Moltbot agents by default have access to your entire filesystem. Here's how to properly configure sandbox isolation.
Why Sandboxing Matters
Without Sandbox
- • Agent can read
~/.ssh/id_rsa - • Agent can modify
~/.bashrc - • Agent can access
~/.aws/credentials - • Agent can read browser profiles
- • Prompt injection = full system compromise
With Sandbox
- • Agent confined to
~/.clawdbot/sandboxes - • Cannot escape to parent directories
- • Separate sandbox per agent instance
- • Network isolation optional
- • Prompt injection damage contained
Sandbox Configuration Options
sandbox.mode"none"— No sandboxing (default, dangerous)"tools"— Only tool calls are sandboxed"all"— Full sandboxing (recommended)
sandbox.scope"global"— Shared sandbox for all agents"agent"— Separate sandbox per agent (recommended)"session"— Fresh sandbox each session
sandbox.workspaceAccess"none"— No access to workspace (safest)"ro"— Read-only workspace access"rw"— Full read/write access (only for trusted agents)
Complete Sandbox Configuration
{
"agents": {
"defaults": {
"sandbox": {
"mode": "all",
"scope": "agent",
"workspaceAccess": "none",
"networkAccess": false,
"allowedPaths": [],
"deniedPaths": [
"~/.ssh",
"~/.aws",
"~/.gnupg",
"~/.config/gcloud"
]
}
},
"trusted-coding-agent": {
"sandbox": {
"mode": "tools",
"workspaceAccess": "rw",
"allowedPaths": [
"~/projects"
]
}
},
"untrusted-email-agent": {
"sandbox": {
"mode": "all",
"scope": "session",
"workspaceAccess": "none",
"networkAccess": false
}
}
}
}Important: Sandboxing alone doesn't protect against all prompt injection attacks. An agent with email access can still forward your emails even in a sandbox. Combine sandboxing with dmPolicy restrictions and careful tool permissions.
07.Official Moltbot Hardening Guide
These configuration settings are from the official Moltbot documentation. Follow each step to secure your installation.
1Run the Security Audit
Start by identifying vulnerabilities in your current configuration:
# Basic audit
moltbot security audit
# Comprehensive audit
moltbot security audit --deep
# Auto-fix common issues
moltbot security audit --fixThe audit checks for: exposed gateway authentication, browser control exposure, elevated allowlists, and filesystem permission issues.
2Configure Gateway Binding
Never expose your gateway to the network. In ~/.clawdbot/moltbot.json:
{
"gateway": {
"mode": "local",
"bind": "loopback",
"port": 18789,
"auth": {
"mode": "token",
"token": "your-long-random-token-here"
}
}
}3Configure Trusted Proxies (Critical!)
This prevents the authentication bypass vulnerability. If you use a reverse proxy:
{
"gateway": {
"trustedProxies": ["127.0.0.1"],
"controlUi": {
"allowInsecureAuth": false,
"dangerouslyDisableDeviceAuth": false
}
}
}When proxy headers arrive from untrusted IPs, the gateway rejects connections. Ensure your proxy overwrites X-Forwarded-For rather than appending.
4Set DM Pairing Mode
Never use "open" mode. Require approval for new contacts:
{
"channels": {
"whatsapp": {
"dmPolicy": "pairing",
"groups": {
"*": { "requireMention": true }
}
},
"telegram": {
"dmPolicy": "allowlist"
}
}
}"pairing" — Unknown senders receive expiring codes; max 3 pending requests
"allowlist" — Block unknowns entirely
"open" — Dangerous! Allows prompt injection from anyone
5Enable Sandbox Mode
For agents handling untrusted content, enable sandboxing:
{
"agents": {
"defaults": {
"sandbox": {
"mode": "all",
"scope": "agent",
"workspaceAccess": "none"
}
}
}
}"none" — Agent workspace inaccessible; tools run against ~/.clawdbot/sandboxes
"ro" — Mount workspace read-only
"rw" — Mount read/write (only for trusted agents)
6Set File Permissions
Protect your config files from infostealers with proper permissions:
chmod 700 ~/.clawdbot
chmod 600 ~/.clawdbot/moltbot.json
chmod 600 ~/.clawdbot/credentials/*.json
chmod 600 ~/.clawdbot/agents/*/agent/auth-profiles.json
chmod 600 ~/.clawdbot/agents/*/sessions/sessions.json7Use Environment Variables
Keep secrets out of config files:
# Disable mDNS discovery (prevents network exposure)
export CLAWDBOT_DISABLE_BONJOUR=1
# Override port
export CLAWDBOT_GATEWAY_PORT=18789
# Use password auth instead of token
export CLAWDBOT_GATEWAY_PASSWORD="your-secure-password"Copy/Paste Secure Baseline
Here's a complete secure configuration to start with:
{
"gateway": {
"mode": "local",
"bind": "loopback",
"port": 18789,
"auth": {
"mode": "token",
"token": "your-long-random-token-here"
},
"trustedProxies": ["127.0.0.1"],
"controlUi": {
"allowInsecureAuth": false,
"dangerouslyDisableDeviceAuth": false
}
},
"channels": {
"whatsapp": {
"dmPolicy": "pairing",
"groups": { "*": { "requireMention": true } }
},
"telegram": {
"dmPolicy": "pairing"
}
},
"agents": {
"defaults": {
"sandbox": {
"mode": "all",
"scope": "agent",
"workspaceAccess": "none"
}
}
},
"logging": {
"redactSensitive": "tools",
"redactPatterns": ["api[_-]?key", "password", "token"]
},
"browser": {
"evaluateEnabled": false
}
}08.Incident Response Checklist
If you suspect your Moltbot instance has been compromised:
Contain
Stop the gateway, set bind: "loopback", disable Tailscale Serve/Funnel
Rotate Credentials
Update gateway.auth.token and all API keys in auth-profiles.json
Audit Logs
Check /tmp/moltbot/moltbot-YYYY-MM-DD.log and session transcripts for suspicious activity
Re-run Audit
Execute moltbot security audit --deep to verify fixes
09.Frequently Asked Questions
Is Clawdbot safe to use?
Clawdbot (now Moltbot) can be safe if properly configured. However, 900+ instances were found exposed on Shodan. The main risks are authentication bypass via misconfigured proxies, plaintext credentials targeted by infostealers, and prompt injection attacks. Run moltbot security audit --deep and follow this hardening guide.
Should I expose Clawdbot ports to the internet?
No, never expose Moltbot's gateway port directly to the internet. This is how 900+ instances ended up on Shodan. Always set gateway.bind: "loopback" to bind only to localhost. Never use bind: "0.0.0.0", port forwarding, or Tailscale Funnel without proper authentication. For remote access, use SSH tunneling: ssh -L 18789:localhost:18789 user@server.
How do I configure Moltbot sandboxing?
Configure sandboxing in moltbot.json under agents.defaults.sandbox. Set mode: "all" for full sandboxing, scope: "agent" for per-agent isolation, and workspaceAccess: "none" to prevent filesystem access. Add deniedPaths for sensitive directories like ~/.ssh, ~/.aws, and ~/.gnupg.
How do I check if my instance is on Shodan?
Search Shodan for your public IP: shodan host YOUR_IP. You can also run netstat -tulpn | grep 18789 to check what's listening, or try curl http://YOUR_PUBLIC_IP:18789 from outside your network. The moltbot security audit --deep command also detects network exposure automatically.
How do I run the Moltbot security audit?
Run moltbot security audit for a basic check, moltbot security audit --deep for comprehensive analysis, or moltbot security audit --fix to automatically apply guardrails. The audit checks for exposed gateway authentication, browser control exposure, elevated allowlists, and filesystem permission issues.
What is the trustedProxies setting?
The gateway.trustedProxies setting specifies which IP addresses can send proxy headers. If your reverse proxy isn't in this list, the gateway treats all connections as coming from localhost and bypasses authentication. Set it to your proxy's IP, e.g., trustedProxies: ["127.0.0.1"].
What files do infostealers target?
Infostealers target: ~/.clawdbot/moltbot.json (gateway tokens), ~/clawd/memory/memory.md (conversations), ~/.clawdbot/auth-profiles.json (API keys), and ~/clawd/SOUL.md (agent behaviour). RedLine uses FileGrabber to sweep %UserProfile%\.clawdbot\*.json.
Why was Clawdbot renamed to Moltbot?
Anthropic requested the name change citing trademark concerns on January 27, 2026—just one day after launch. Creator Peter Steinberger chose "Moltbot" because "molt is what lobsters do to grow." During the 10-second rename window, scammers hijacked the old GitHub org and Twitter account, launching fake $CLAWD tokens that reached $16M market cap.
How do I prevent prompt injection attacks?
Set dmPolicy: "pairing" or "allowlist" (never "open"), require mentions in groups with requireMention: true, enable sandbox mode, disable browser.evaluateEnabled, and use instruction-hardened models. Researcher Matvey Kukuy extracted crypto private keys via prompt injection in just 5 minutes.
Secure Your Moltbot Today
Clawdbot's viral success—60,000+ stars in 3 days—demonstrated massive demand for self-hosted AI assistants. But that growth outpaced security awareness. With 900+ instances already exposed and infostealers actively targeting Clawdbot directories, securing your installation is critical.
Run moltbot security audit --deep, apply the configuration in this guide, and stay updated on the official security documentation.
Sources & Credits
Key People
- SlowMist Security Team — Discovered 900+ exposed Clawdbot instances on Shodan