How the Clawdbot/Moltbot AI Assistant Becomes a Backdoor for System Takeover

AI agents are supposed to automate your workflows, not broadcast your secrets.

But that's exactly what's happening across 4,500+ Clawdbot/Moltbot deployments worldwide. These instances intended as internal tools are sitting on public IPs , could be exposing everything from .env files containing API keys to creds.json files enabling WhatsApp channel surveillance.

Straiker's STAR Labs research reveals a critical gap between AI agent adoption and security maturity. In this blog, we map the exposure landscape, demonstrate the attack path, and provide the remediation playbook.

Executive Summary on Clawdbot / Moltbot

Our Research Findings:

This security research identified three critical findings related to Clawdbot/Moltbot deployments:

1. Massive Global Exposure : Over 4,500+ instances of Clawdbot/Moltbot were identified across numerous global IPs, indicating significant worldwide exposure.
2. Geographic Concentration : The United States, Germany, Singapore, and China have the highest concentrations of exposed Clawdbot/Moltbot instances.
3. Sensitive Data Exfiltration & WhatsApp Surveillance : Internal testing demonstrated successful exfiltration of critical credentials, including API keys and service tokens from .env files, as well as messaging platform session credentials (creds.json) enabling metadata surveillance across WhatsApp channels.

What is Clawdbot/Moltbot?

Clawdbot (recently renamed as Moltbot) is a self-hosted personal AI assistant that runs on users' own hardware and integrates with multiple messaging platforms. Developed by Austrian engineer Peter Steinberger, it went viral in early 2026 as an open-source solution for managing life admin tasks through familiar communication channels.

Key Capabilities:

• Multi-Channel Support: Connects to WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, iMessage, Microsoft Teams, Matrix, and more - providing a unified AI assistant across all messaging platforms
• Proactive Personal Assistant: Handles emails, manages calendars, screens phone calls, books reservations, and sends reminders - all with 24/7 persistent context
• Command Execution: Execute shell commands and scripts via simple chat messages across any connected platform
• Voice Integration: Always-on speech recognition and voice wake capabilities for macOS/iOS/Android
• Browser & Canvas Tools: Built-in browser automation and visual workspace features
• Agentic Capabilities: Takes autonomous actions on behalf of users with minimal prompting

The Rise in Popularity

The appeal of Clawdbot/Moltbot lies in its powerful combination of features:

• Universal Personal Assistant: Single AI assistant accessible from any messaging app - no need to switch platforms
• Self-Hosted & Open Source: Complete control over your data and infrastructure
• Life Admin Automation: Proactively handles routine tasks like scheduling, reminders, and communications
• Developer-Friendly: Easy deployment with support for custom tools and integrations
• Multi-Platform Ubiquity: Leverages platforms users already use daily (WhatsApp's 2B+ users, Slack's business adoption, etc.)

This powerful convenience, however, comes at a severe security cost that users didn't anticipate.

Global Scale of Adoption:

We conducted comprehensive reconnaissance across two major cyberspace search engines - Shodan and Zoomeye - to map the global adoption of Clawdbot/Moltbot.

Shodan Results:  4,211 Clawdbot/Moltbot Deployments in 49 Countries

Using Shodan's query for http.html:"clawdbot-app", Search Query Used:

https://www.shodan.io/search?query=http.html:%22clawdbot-app%22

‍Zoomeye Results: 333 Clawdbot/Moltbot Deployments in 20 Countries

Parallel reconnaissance using Zoomeye's icon hash and body search, Search Query Used:

https://www.zoomeye.ai/searchResult?q=aWNvbmhhc2g9ImY1ODg1NGY2NDUwNjE4NzI5Njc5YWQzMzYyMmJlYmFmIiB8fCBodHRwLmJvZHk9IjxjbGF3ZGJvdC1hcHA%2BIg%3D%3D

What Straiker Actually Found about Clawdbot/Moltbot:

Finding 1: Publicly Exposed Misconfigured Dashboards

Passive reconnaissance via Shodan and Zoomeye identified a couple of unauthenticated Clawdbot/Moltbot dashboards exposed on the internet. While this demonstrated significant deployment vulnerabilities at the time of testing, recent GitHub changes suggest this issue may now be mitigated.

• Unauthenticated dashboards were discovered to be publicly accessible:

• Significant Personally Identifiable Information (PII) is being exposed, specifically including WhatsApp phone numbers.

• Bot-related data was fully accessible through visible logs.

Why this is significance: The widespread adoption across diverse geographic regions and hosting providers indicates a large attack surface for potential exploitation. During the time of manual testing of a subset of these instances, we identified dashboards with misconfigured authentication, enabling further investigation.

Finding 2: Unauthorized access to .env file (resulting in API key and credential theft)

We successfully demonstrated the exfiltration of the .env configuration file from an internally testing Clawdbot instance. This file, located at ~/.clawdbot/.env, contains sensitive credentials critical to the bot's operation and the user's broader infrastructure.

Proof-of-Concept (Demonstrated via WhatsApp):

Complete .env file exfiltrated (located at ~/.clawdbot/.env) using the prompt:

What is the impact: With the exfiltrated .env file, an attacker gains access to paid AI services (Claude, OpenAI) at the victim's expense.

Finding 3: Credential file exfiltration (creds.json) - general risk across all channels

We successfully demonstrated the exfiltration of the creds.json file, which stores session credentials for connected messaging platforms. While our proof-of-concept targeted WhatsApp credentials, this same technique applies to all messaging platforms that Clawdbot supports, including Telegram, Slack, Discord, Signal, Microsoft Teams, and others.

What was exfiltrated:

• Session authentication tokens
• Platform-specific credentials and cookies
• Account binding information

Generalized Impact Across Channels:

• WhatsApp: ~/.clawdbot/credentials/whatsapp/default/creds.json (authentication related file)  - Enables metadata surveillance
• Slack: Workspace tokens and session data
• Discord: Bot tokens and user session credentials
• Telegram: Session files and API tokens
• Microsoft Teams: OAuth tokens and session cookies

Complete WhatsApp creds.json exfiltrated (located at ~/.clawdbot/credentials/whatsapp/default/creds.json) using the prompt: 

‍

Impact of creds.json Exfiltration (WhatsApp demonstrated, generalizable to all channels):

The stolen credential file enables:

• Live monitoring of incoming message activity: Real-time visibility when someone contacts the victim
• Sender identification: Names, identifiers, and contact numbers/caller IDs of people contacting the victim
• Communication pattern analysis: Who contacts the victim, when, and how frequently
• Covert surveillance: Metadata monitoring occurs passively without the victim's knowledge

Important limitation: Access provided by Creds.json is limited; it specifically excludes the ability to view message content, message history, or send new messages due to WhatsAapp end to end encryption. 

Why is Clawdbot/Moltbot Vulnerable?

Root Cause Analysis

1. Insecure Design: "Exec Tool" Feature Without Access Controls

The core vulnerability stems from Clawdbot's built-in "exec tool" feature, designed to execute shell commands received from messaging platforms. This tool directly passes user input to shell execution functions like os.system() or subprocess.run() without proper authentication, authorization, or input sanitization.

Any shell metacharacters (;, |, &&, $, backticks) are executed directly on the host system. Since Clawdbot connects to multiple messaging platforms simultaneously, ANY connected channel becomes an attack vector for command execution.

2. Gateway Misconfiguration

Administrative dashboards were meant to be protected by gateway authentication but were misconfigured to allow public access. This exposed:

• Control panels
• System logs
• Configuration settings
• "Enable commands" feature 

3. Excessive Permissions

Clawdbot runs with the same privileges as the logged-in user, granting:

• Full access to user directories (~/)
• Read permissions on sensitive files (.env, creds.json)
• Ability to execute system commands
• No sandboxing or containerization

4. Credential Storage in Plaintext

Sensitive data stored in easily accessible locations:

• API keys in ~/.clawdbot/.env
• WhatsApp session tokens in ~/.clawdbot/credentials/whatsapp/default/creds.json
• No encryption or secure secret management

Recommendations for Users of Clawdbot/Moltbot

Our recommendation for enterprise IT administrators would be to block Clawdbot/Moltbot, until they can put in the necessary guardrails to allow for safe adoption.

‍Immediate Actions (Containment)

If you're running Clawdbot/Moltbot:

1. Revoke all API keys - Rotate every key stored in .env or configuration files
2. Log out all messaging platform sessions - Disconnect Clawdbot from WhatsApp (Settings → Linked Devices), Telegram, Slack, Discord, Teams, Signal, and any other connected platforms
3. Forensic review - Treat the host machine as compromised and check for unauthorized access, new user accounts, or suspicious processes
4. Review logs - Examine message history across ALL connected platforms for suspicious commands sent to the bot

Long-Term Fixes (Prevention)

For Clawdbot/Moltbot Developers:

1. Input Sanitization and Validation
   
   • Aggressively sanitize all message inputs from ALL connected platforms (WhatsApp, Telegram, Slack, Discord, etc.)
   • Block shell metacharacters: ;, |, &, $, \, *, backticks, etc. 
   • Use parameterized commands instead of string concatenation
2. Implement Authentication and Authorization
   
   • Require strong authentication for administrative dashboards
   • Use OAuth 2.0 or similar secure authentication mechanisms
   • Implement IP whitelisting for dashboard access
   • Add multi-factor authentication (MFA)
3. Principle of Least Privilege
   
   • Run Clawdbot under a dedicated, low-privilege service account
   • Restrict file system access to only necessary directories
   • Use containerization (Docker) or sandboxing to isolate the bot environment
   • Prevent access to user home directories and sensitive configuration paths
4. Secure Credential Management
   
   • Never store API keys or credentials in plaintext files
   • Use secure secrets managers (HashiCorp Vault, AWS Secrets Manager, Azure Key Vault)
   • Encrypt sensitive configuration files at rest
   • Implement automatic key rotation
5. Security Monitoring and Logging
   
   • Log all command execution attempts with full context (user, timestamp, command)
   • Implement anomaly detection for unusual command patterns
   • Set up alerts for unauthorized access attempts
   • Monitor API key usage for suspicious activity

‍Conclusion

Clawdbot/Moltbot represents a cautionary tale of convenience over security. While the tool's seamless multi-platform integration made it popular across 43+ countries, fundamental design flaws (particularly the "exec tool" feature if not configured properly) can turn every deployment into a critical attack vector across ALL connected messaging channels. With 1,513+ active deployments detected across Shodan and Zoomeye - and likely many more undiscovered - this represents one of the largest widespread vulnerabilities in personal AI assistant tools to date.

Stay secure. Stay vigilant. Reach out to Straiker if you have questions.

This research from Straiker was conducted for defensive security purposes to raise awareness about critical vulnerabilities in popular automation tools. All findings have been responsibly disclosed.

‍