Security reports say Clawdbot control servers left open to the internet can let attackers access admin panels, steal keys, and run commands without logging in.
In short: A viral AI automation tool called Clawdbot can be quietly taken over if its control server is exposed to the public internet.
Clawdbot, also called Clawd Bot, Moltbot, or linked to OpenClaw, is an open-source tool that can act like an “agent,” meaning it can take actions on your behalf, such as sending messages or running commands. Security researcher Jamieson O'Reilly reported that Clawdbot has authentication bypass bugs, which means an attacker may be able to reach admin pages without a password.
O'Reilly found hundreds of Clawdbot control servers that were publicly reachable using internet search tools like Shodan. Many were identifiable by a web page label like “Clawdbot Control.” The problem often came from misconfiguration, for example when people put the tool behind a reverse proxy (a traffic director in front of a server) but did not restrict who could reach it through that proxy.
When these servers are exposed, attackers may be able to access sensitive secrets stored inside, including API keys (like special passwords for other services), bot tokens, OAuth secrets (login permission codes), signing keys, and full conversation histories. Reports described more than 1,800 exposed instances, and one scan suggested about 22% of exposed systems in business environments showed signs of unauthorized use.
Tools like Clawdbot can have powerful access by design, including reading and writing files, running shell commands (typing commands directly into the computer), and controlling a browser. That is useful for automation, but it also means a poorly protected server is like leaving your house keys in the front door. Researchers also warned about “zero-click” style risks, where an attacker could send a malicious message or link that tricks the AI into handing over secrets without the user doing anything.
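As an added illustration (not from the report or the Clawdbot project), the reverse-proxy misconfiguration described above in nginx syntax: the first server block forwards the control panel to anyone who can reach the host, while the second only admits a private network and requires credentials at the proxy before anything is forwarded. The hostname, the local port of the control server, and the allowed address range are assumptions.

```nginx
# Added example, not Clawdbot's own configuration. The hostname,
# the local port (8080) and the allowed network are placeholders.

# Exposed: anyone who can reach port 443 gets the control panel.
server {
    listen 443 ssl;
    server_name clawdbot.example.com;

    location / {
        proxy_pass http://127.0.0.1:8080;   # assumed local control server port
    }
}

# Locked down: only a private range is admitted, and the proxy itself
# demands credentials before forwarding to the control server.
server {
    listen 443 ssl;
    server_name clawdbot.example.com;

    location / {
        allow 10.0.0.0/8;                    # assumed internal/VPN range
        deny  all;                           # everything else is refused

        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        proxy_pass http://127.0.0.1:8080;   # assumed local control server port
    }
}
```

Binding the control server itself to 127.0.0.1 (rather than all interfaces) is the other half of the fix: then the proxy is the only way in, and the rules above actually apply.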
Source: Ars Technica