Intruder, a leader in exposure management, today released new security research detailing vulnerabilities in Moltbot, formerly known as Clawdbot, an open-source, self-hosted AI assistant. The research, “Clawdbot: When Easy AI Becomes a Security Nightmare,” finds that Moltbot’s emphasis on rapid, simplified deployment has created a significant and unintended attack surface.
Intruder’s analysis shows that Moltbot is often deployed without baseline security protections, leaving instances exposed across multiple cloud providers. The platform does not enforce secure-by-default configuration settings such as firewall controls, credential validation, or sandboxing for third-party plugins. Moltbot is commonly used to automate tasks across email, social media, and cloud services, often with access to sensitive credentials. Attackers are actively exploiting these misconfigurations.
Intruder warns that the absence of fundamental AI safety guardrails has led to widespread insecure deployments and active exploitation. Organizations that have run Moltbot with default settings should assume compromise and respond immediately.
Key findings include:
- Exposed credentials: Publicly accessible API keys, authentication tokens, and configuration files caused by misconfigured cloud instances.
- Prompt injection attacks: Moltbot instances integrated with social platforms leak private data when attackers craft malicious prompts due to missing guardrails.
- Malicious plugins: Threat actors are distributing backdoored plugins that enable credential harvesting and botnet recruitment.
- Unintended AI behavior: Instances performing unauthorized actions, including data exfiltration and automated posting.
Intruder recommends that organizations running Moltbot take immediate action:
- Disconnect third-party integrations.
- Rotate potentially exposed credentials.
- Restrict access using firewall rules and IP allowlists.
- Remove and audit third-party plugins.
- Review logs for unauthorized activity.
FAQ
What is Moltbot?
Moltbot is an open-source, self-hosted AI assistant designed for easy deployment through plugins and integrations.
Is this an active threat?
Yes. Intruder observed real-world exploitation, including credential theft, prompt injection, and unauthorized automated actions.
What should organizations do now?
Assume compromise, revoke integrations, rotate credentials, restrict access, and audit logs immediately.