The explosion of local-first AI agents represents a paradigm shift in personal computing and a goldmine for threat actors. ClawdBot (recently rebranded as Moltbot), the open-source AI assistant that went viral in late January 2026, exemplifies both the promise and peril of agentic AI. Within 72 hours of widespread adoption, security researchers identified exposed admin panels, critical RCE vulnerabilities, and active infostealer campaigns specifically targeting ClawdBot’s configuration directories.
This technical deep-dive examines ClawdBot’s attack surface, dissects the underlying vulnerabilities in the Model Context Protocol (MCP), and provides actionable SentinelOne STAR rules for detection and response.
ClawdBot Breakdown
ClawdBot is an open-source AI assistant developed by entrepreneur Peter Steinberger that operates locally on the user’s device. Unlike cloud-based assistants, ClawdBot has full system access, can read files, execute commands, manage credentials, and interact with external services via messaging platforms like Telegram, Slack, and Discord. It can even be connected to Microsoft Entra ID via OAuth within an enterprise application.
The AI assistant went viral over the weekend of January 24-25, 2026, with thousands of users deploying it within days. Following trademark concerns, the project was rebranded to Moltbot, with the agent’s name changing from “Clawd” to “Molty.”
ClawdBot was released with exposed credentials and insecure defaults, allowing threat actors to identify the deployment, access the environment, and hijack it for malicious activity. After ClawdBot was hijacked, the attackers leveraged the exposed control interface to access whatever the bot had stored and could reach, primarily retrieving API keys and private chat logs and, where enabled, driving the agent to execute actions against connected services.
Below is a high-level overview of the Clawdbot agent architecture.

Key Files and Their Contents
This data is primarily stored in JSON/JSON5 for machine-readable configs and Markdown for human-readable logic and memory. Exposure of these paths is a “keys to the kingdom” scenario, covering everything from third-party account access to the bot’s fundamental behavior.

Network Port Summary
The primary ports a ClawdBot deployment can listen on.

The Anatomy of the Fail
ClawdBot’s security posture didn’t fail in one way. It failed in a few distinct, compounding ways. Each failure alone would be concerning, and together, they created a perfect storm that threat actors exploited within hours of widespread adoption.

The Central System
Port 18789 is the default port for the Clawdbot Gateway service. It is the most critical component of the system because it multiplexes two different protocols on a single port:
- WebSocket Server: This is the persistent, two-way pipe used by the AI agent to “think” and “act”. It handles real-time communication between the agent runtime and the various interfaces (CLI, web chat).
- HTTP Server: This serves the Control UI (Dashboard) and handles health checks.
Security Risks
The documentation confirms the risks associated with this port if misconfigured:
- Unauthenticated Loopback: By default, WebSocket clients connecting from localhost (loopback) are unauthenticated. This means any local process on your computer can connect to port 18789 and call config.apply, effectively driving the bot.
- Network Exposure: If you change the binding from “loopback” to “0.0.0.0” (all interfaces) without enabling strict authentication, you expose this control channel to the entire network. The documentation explicitly warns: “Never expose the Gateway unauthenticated on 0.0.0.0”.
- Remote Code Execution (RCE): Because the agent supports executing shell commands (exec), gaining access to this WebSocket port allows an attacker to run arbitrary commands on your machine.
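The binding risk above is easy to verify from the host side. The following is an added audit script, not code from the ClawdBot/Moltbot project: it parses `ss -ltn` output, finds every socket on the default gateway port 18789 (from the post), and reports whether the gateway is reachable only on loopback or on a network-facing address. The sample `ss` output is constructed for offline use; the `audit_live_host` helper runs the same check against the current machine.

```python
import subprocess

# Default Clawdbot Gateway port, as stated in the post.
GATEWAY_PORT = 18789

# Constructed sample of `ss -ltn` output (not captured from a real host).
# It shows the gateway listening on both loopback and the wildcard address.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:18789     0.0.0.0:*
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
LISTEN 0      4096   127.0.0.1:18790     0.0.0.0:*
"""

LOOPBACK_ADDRS = {"127.0.0.1", "[::1]", "::1"}


def parse_listeners(ss_text):
    """Return (address, port) tuples for each LISTEN row of `ss -ltn` output."""
    listeners = []
    for line in ss_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 addresses such as "[::]" intact
        addr, _, port = fields[3].rpartition(":")
        if port.isdigit():
            listeners.append((addr, int(port)))
    return listeners


def classify_gateway_exposure(listeners, port=GATEWAY_PORT):
    """Classify how the gateway port is bound.

    Returns one of:
      "none"     - nothing listens on the port
      "loopback" - only loopback bindings (the documented safe default)
      "network"  - at least one binding on a wildcard or interface address,
                   so the control WebSocket is reachable from the network
    """
    addrs = [addr for addr, p in listeners if p == port]
    if not addrs:
        return "none"
    if all(a in LOOPBACK_ADDRS for a in addrs):
        return "loopback"
    return "network"


def audit_live_host():
    """Run `ss -ltn` on this host and classify the gateway exposure.

    Returns "unknown" if ss is unavailable (on macOS, feed the output of
    `lsof -iTCP -sTCP:LISTEN -P -n` through a similar parser instead).
    """
    try:
        out = subprocess.run(["ss", "-ltn"], capture_output=True,
                             text=True, check=True).stdout
    except (FileNotFoundError, subprocess.CalledProcessError):
        return "unknown"
    return classify_gateway_exposure(parse_listeners(out))


if __name__ == "__main__":
    print("sample:", classify_gateway_exposure(parse_listeners(SAMPLE_SS_OUTPUT)))
    print("this host:", audit_live_host())
```

A "network" result on a host that was supposed to keep the gateway on loopback is the misconfiguration the documentation warns about; pair it with a check that gateway authentication is actually enabled before treating the host as safe.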
Intended Usage
Under a secure configuration, this port is used for:
- The Dashboard: You can access the visual Control UI by navigating to http://127.0.0.1:18789/ in your browser.
- Health Checks: The system uses this port to verify status, often probing ws://127.0.0.1:18789 or checking HTTP endpoints to ensure the service is active.
- CLI Communication: The Clawdbot terminal commands (e.g., clawdbot status) communicate with the background daemon via this port.
The ClawdBot Threat Landscape
Who’s Attacking ClawdBot and Why
The ClawdBot/Moltbot ecosystem has become a focal point for multiple threat actor categories, each with distinct motivations and TTPs. Understanding this threat landscape is essential for prioritizing defenses.
Why Is ClawdBot a High-Value Target?
Unlike browser password stores (encrypted with DPAPI on Windows, Keychain on macOS), ClawdBot’s plaintext storage means:
- No decryption needed – Credentials are immediately usable
- Single file compromise – One JSON file contains multiple service tokens
- Cross-platform consistency – Same paths on Windows/macOS/Linux
- Memory poisoning potential – Attackers can modify behavior, not just steal data
Threat Actor Taxonomy
In the current threat landscape, not all attackers are created equal. To build an effective defense-in-depth strategy, we categorize threats based on their motivation, sophistication, and persistence. This taxonomy allows us to prioritize alerts, allocate security resources, and understand the “blast radius” of a potential compromise.
Tier 1: Opportunistic Criminals
- The Vibe: High volume, low effort. These are the “smash and grab” kids of the internet.
- Who they are: Script kiddies and bottom-tier affiliates using automated tools like RedLine or Lumma.
- The Goal: Fast cash. They want your API keys, your crypto wallet, or your saved browser passwords.
- Dwell Time: Minutes to hours. If they don’t find anything to sell in five minutes, they’re onto the next victim.

Tier 2: Organized Cybercrime
- The Vibe: Professional, patient, and scaled. This is a business, not a hobby.
- Who they are: Initial Access Brokers (IABs) and Ransomware affiliates. They are the middlemen who sell a “foothold” in your network to the highest bidder.
- The Goal: Sustained revenue and “ecosystem” building. They want to encrypt your servers and demand millions in ransom.
- Dwell Time: Days to weeks. They take the time to map your cloud environment and find where the backups are hidden.

Tier 3: Advanced Persistent Threats (APTs)
- The Vibe: Invisible, surgical, and backed by a government budget.
- Who they are: Nation-state actors and high-end corporate spies.
- The Goal: Strategic impact—IP theft, political intelligence, or long-term persistence. They aren’t here for $50 worth of Bitcoin; they’re here for your source code and your roadmap.
- Dwell Time: Weeks to months (or years). They live in the “noise” of your environment, often using memory poisoning or supply chain attacks to stay hidden even after a reboot.

Attack Timeline
The security risk profile of Clawdbot centers on a critical vulnerability where insecure local storage meets autonomous data processing.

Threat Actor Motivations Matrix

Threat Predictions (2026 and Beyond)
Based on current trends and threat actor behavior, security researchers predict:

Why AI Agents Are Different
Traditional applications operate within defined boundaries. AI agents like ClawdBot fundamentally break this model by design:
Full System Access
ClawdBot runs with user-level privileges and can execute arbitrary shell commands, read/write files anywhere the user can, and make network requests to any destination.
Plaintext Credential Storage
Unlike browser password managers (which use OS keychains) or SSH (which supports encrypted keys), ClawdBot stores sensitive data in plaintext Markdown and JSON files:
// ~/.clawdbot/clawdbot.json (EXAMPLE – REDACTED)
{
"openai_api_key": "sk-proj-xxxxxxxxxxxxxxxxxxxx",
"anthropic_api_key": "sk-ant-xxxxxxxxxxxxxxxxxxxx",
"telegram_bot_token": "7123456789:AAxxxxxxxxxxxxxxxxxxxxxxxxx",
"github_token": "ghp_xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx",
"jira_token": "ATATT3xxxxxxxxxxxxxxxxxxxxxxxxxxx"
}
Persistent Agent Memory
ClawdBot maintains long-term memory in Markdown files, creating a single point of compromise:
<!-- ~/clawd/memory/memory.md -->
# User Facts
- User's SSH key passphrase is: [REDACTED]
- AWS credentials stored at ~/.aws/credentials
- User works at [Company Name], department: Engineering
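The two files above are what an infostealer module goes after, so a defender wants a quick way to audit them. This is an added example, not ClawdBot project code: it flags config values shaped like the token prefixes in the redacted example (the exact lengths and character classes are assumptions), reports whether `~/.clawdbot/clawdbot.json` is readable beyond its owner, and keeps a SHA-256 baseline of `~/clawd/memory/memory.md` so that unexpected edits (the memory-poisoning case) stand out. The sample config is constructed with placeholder values; the loader assumes plain JSON, so a JSON5 config would need a JSON5 parser.

```python
import hashlib
import json
import os
import re
import stat
import tempfile

# Paths named in the post.
CONFIG_PATH = os.path.expanduser("~/.clawdbot/clawdbot.json")
MEMORY_PATH = os.path.expanduser("~/clawd/memory/memory.md")

# Token shapes follow the redacted prefixes in the post's example config;
# lengths and character classes are assumptions for this example.
SECRET_PATTERNS = {
    "openai_project_key": re.compile(r"^sk-proj-[A-Za-z0-9_-]{16,}$"),
    "anthropic_key": re.compile(r"^sk-ant-[A-Za-z0-9_-]{16,}$"),
    "telegram_bot_token": re.compile(r"^\d{8,10}:[A-Za-z0-9_-]{30,}$"),
    "github_pat": re.compile(r"^ghp_[A-Za-z0-9]{20,}$"),
    "atlassian_api_token": re.compile(r"^ATATT3[A-Za-z0-9_-]{20,}$"),
}
HINT_WORDS = ("key", "token", "secret", "password")

# Constructed sample config (placeholder values, not real credentials).
SAMPLE_CONFIG = {
    "openai_api_key": "sk-proj-" + "A" * 24,
    "anthropic_api_key": "sk-ant-" + "B" * 24,
    "telegram_bot_token": "7123456789:" + "C" * 35,
    "github_token": "ghp_" + "D" * 36,
    "jira_token": "ATATT3" + "E" * 30,
    "model": "example-model",
    "webhook_secret": "hunter2",
}


def find_plaintext_secrets(config):
    """Return [(key, kind)] for config values that look like live credentials.

    Specific token shapes are matched first; otherwise a key name that hints
    at a credential with a non-empty string value is 'generic_credential'.
    """
    findings = []
    for key, value in config.items():
        if not isinstance(value, str) or not value:
            continue
        kind = next((k for k, pat in SECRET_PATTERNS.items() if pat.match(value)), None)
        if kind is None and any(w in key.lower() for w in HINT_WORDS):
            kind = "generic_credential"
        if kind:
            findings.append((key, kind))
    return findings


def is_overly_permissive(path):
    """True if the file grants any group/other permission (anything beyond 0600)."""
    mode = stat.S_IMODE(os.stat(path).st_mode)
    return bool(mode & (stat.S_IRWXG | stat.S_IRWXO))


def demo_permission_check():
    """Show the permission check on a throwaway file: 0644 -> True, 0600 -> False."""
    fd, path = tempfile.mkstemp()
    os.close(fd)
    try:
        os.chmod(path, 0o644)
        before = is_overly_permissive(path)
        os.chmod(path, 0o600)
        after = is_overly_permissive(path)
    finally:
        os.remove(path)
    return before, after


def memory_fingerprint(text):
    """SHA-256 of memory.md; store it out-of-band as the trusted baseline."""
    return hashlib.sha256(text.encode("utf-8")).hexdigest()


def memory_tampered(baseline_hash, current_text):
    """True if memory.md no longer matches the baseline (possible poisoning)."""
    return memory_fingerprint(current_text) != baseline_hash


def audit_files(config_path=CONFIG_PATH, memory_path=MEMORY_PATH, baseline_hash=None):
    """Run all checks against the real paths; missing files are reported, not fatal."""
    report = {}
    if os.path.exists(config_path):
        with open(config_path, encoding="utf-8") as fh:
            report["secrets"] = find_plaintext_secrets(json.load(fh))
        report["config_permissive"] = is_overly_permissive(config_path)
    else:
        report["config"] = "not found"
    if os.path.exists(memory_path):
        with open(memory_path, encoding="utf-8") as fh:
            text = fh.read()
        report["memory_hash"] = memory_fingerprint(text)
        if baseline_hash:
            report["memory_tampered"] = memory_tampered(baseline_hash, text)
    else:
        report["memory"] = "not found"
    return report


if __name__ == "__main__":
    print(find_plaintext_secrets(SAMPLE_CONFIG))
    print(demo_permission_check())
    print(audit_files())
```

Run `audit_files()` once to record the memory hash, keep that value somewhere the agent cannot write, and alert when `memory_tampered` flips to True outside of a session you can account for; the secrets list tells you which tokens to rotate first if the file was ever exposed.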
Network-Exposed Admin Ports
By default, ClawdBot’s gateway binds to 0.0.0.0:18789, exposing the full API to any network interface. Security researcher Luis Catacora identified the scale of exposure via Shodan:
Shodan Query Results (as of January 27, 2026):
shodan search "Clawdbot Control" port:18789

Note: Other search engines may surface additional assets.

Active Threat Campaigns
Our Threat Intelligence confirmed that major Malware-as-a-Service families are actively deploying ClawdBot-specific modules:

The ClawdBot Landscape as Seen from Shodan
As of late January 2026, more than 2,000 exposed gateways are visible on Shodan. The signature is dead simple because people are running the “Clawdbot Control” web admin panel behind misconfigured reverse proxies.
Different query syntax returns different result sets, and some of the hosts among them are honeypots.

Know the Field
The big questions: do you know whether any ClawdBot instances are running on your endpoints? The answer may surprise you, because users, including non-technical ones, have tried it. Do you know the implications for those endpoints and your network? The questions pile up.
This is the biggest Shadow AI and Shadow IT exposure you can have on your network. Who can help at this moment? The EDR is one option.
SentinelOne (S1) Deep Visibility
Everything starts with a developer who triggers a command in their terminal to set up a new AI tool. He doesn’t realize he’s essentially inviting a “Remote Access Trojan with a personality” into his environment.
Shell Spawning
The process claude (an AI CLI tool) attempts to execute a configuration update. It doesn’t use a standard installer; it spawns a /bin/zsh sub-process to run a complex multi-line command.
- S1 Action: The Behavioral AI Engine on the macOS endpoint immediately flags the shell spawn. It assigns it a unique Storyline ID, a patented identifier that “connects the dots” between this specific parent process and everything it is about to do.

The image was captured from the Guardz platform.
The Violation with Heredoc Injection
The script uses a cat <<'EOF' (Heredoc) to write a new configuration file programmatically.
- The Forensic Signature: The shell creates a temporary-style file (…zshQ8WRDD).
- S1 Action: The agent’s kernel-level monitoring sees a non-standard process writing configuration data directly to a hidden system path. This triggers MITRE T1059.004 (Command and Scripting Interpreter: Unix Shell).

The image was captured from the Guardz platform.
The Conviction: Unauthorized MCP Expansion
The script’s payload is an MCP (Model Context Protocol) server configuration. This would grant the AI agent broad permissions to read and write to external repositories.
- S1 Action: The Behavioral AI layer calculates a “probability of normalcy”. Since AI agents modifying their own protocol servers is a high-risk, “machine-speed” behavior that deviates from Alon’s typical baseline, S1 upgrades the event from “Suspicious” to “Malicious”.
The Guardz threat hunting team found an internet-exposed laptop and determined the exposure was caused by ClawdBot’s own development gaps, which left parts of its deployment reachable without adequate safeguards. The potential blast radius was massive, and could have enabled unauthorized access and cascading compromise across sensitive data and connected environments.
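The three-stage story above (AI CLI spawns a shell, the shell writes a file via heredoc, the written file is an MCP server configuration) maps cleanly onto a scoring rule a SOC can run over process telemetry. The following is an added example written for this post, not SentinelOne STAR syntax and not Guardz or ClawdBot code: it takes process events as plain dicts (parent name, child image, command line), escalates from benign to suspicious when a heredoc write appears under an AI CLI parent, tags MITRE T1059.004 as the post does, and escalates to malicious when the target is agent configuration or MCP server definitions. The events are constructed; the `mcp.json` file name and the exact shape of MCP config are assumptions.

```python
import re

# Process names the post associates with AI agent CLIs; extend for your estate.
AI_CLI_PARENTS = {"claude", "clawdbot", "moltbot"}
SHELLS = {"/bin/zsh", "/bin/bash", "/bin/sh", "zsh", "bash", "sh"}

# Heredoc marker in a command line, with or without quoting of the delimiter.
HEREDOC_RE = re.compile(r"<<-?\s*['\"]?EOF['\"]?")
# Agent config locations from the post; "mcp.json" is an assumed file name.
CONFIG_PATH_RE = re.compile(r"\.clawdbot/|clawdbot\.json|mcp\.json")
# MCP server definitions referenced in the written content.
MCP_RE = re.compile(r"\bmcp", re.IGNORECASE)

# Constructed sample events in the shape an EDR telemetry export might use.
# Not real telemetry.
SAMPLE_EVENTS = [
    {   # AI CLI spawning a shell that writes an MCP server config via heredoc
        "parent": "claude",
        "image": "/bin/zsh",
        "cmdline": "cat <<'EOF' > ~/.clawdbot/clawdbot.json\n"
                   "{\"mcpServers\": {\"repo\": {\"command\": \"npx\"}}}\nEOF",
    },
    {   # same parent and heredoc, but writing a plain note in the home directory
        "parent": "claude",
        "image": "/bin/zsh",
        "cmdline": "cat <<'EOF' > ~/notes.txt\nhello\nEOF",
    },
    {   # ordinary interactive shell use, no AI parent
        "parent": "Terminal",
        "image": "/bin/zsh",
        "cmdline": "git status",
    },
]


def score_event(event):
    """Return a verdict dict for one process event.

    Rules, modelled on the three stages described in the post:
      1. AI CLI parent spawning a shell              -> noted, still 'benign'
      2. ...whose command line is a heredoc write    -> 'suspicious', T1059.004
      3. ...into agent config / MCP server config    -> 'malicious'
    """
    techniques, reasons = [], []
    verdict = "benign"

    ai_parent = event.get("parent", "").lower() in AI_CLI_PARENTS
    is_shell = event.get("image", "") in SHELLS
    cmd = event.get("cmdline", "")

    if not (ai_parent and is_shell):
        return {"verdict": verdict, "techniques": techniques, "reasons": reasons}
    reasons.append("shell spawned by AI CLI parent")

    if HEREDOC_RE.search(cmd):
        verdict = "suspicious"
        techniques.append("T1059.004")
        reasons.append("heredoc used to write a file from the shell")
        if CONFIG_PATH_RE.search(cmd) or MCP_RE.search(cmd):
            verdict = "malicious"
            reasons.append("write targets agent configuration / MCP server definitions")

    return {"verdict": verdict, "techniques": techniques, "reasons": reasons}


def triage(events):
    """Return [(index, verdict)] for every event that is not benign."""
    results = []
    for i, event in enumerate(events):
        verdict = score_event(event)["verdict"]
        if verdict != "benign":
            results.append((i, verdict))
    return results


if __name__ == "__main__":
    for i, event in enumerate(SAMPLE_EVENTS):
        print(i, score_event(event))
```

The second sample event is the important false-positive guard: a heredoc under an AI CLI is noisy on developer machines, so only the combination with a write into the agent's own configuration should page anyone.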
ClawdBot Hardening Checklist

ClawdBot represents both the future of AI-assisted computing and a cautionary tale about security-by-default. The combination of full system access, plaintext credential storage, and network-exposed admin interfaces creates an attack surface that threat actors are actively exploiting.
Key Takeaways
- AI agents are high-value targets: A single compromise yields multiple service credentials
- MCP needs authentication: The protocol shipped without security, and we’re paying the price
- Infostealers adapt quickly: Major MaaS families already target ClawdBot directories
- Detection requires a layered approach: Behavioral AI + custom STAR rules + threat intel
The Bigger Picture
ClawdBot is the tip of the iceberg. As AI agents become ubiquitous, the attack patterns documented here will apply to:
- Enterprise AI assistants with access to internal systems
- Developer tools with repository and CI/CD access
- Personal assistants with financial and communication access
Organizations deploying AI agents must treat them as privileged access pathways, not just productivity tools. The SentinelOne detections in this post provide a starting point, but the fundamental architecture of agentic AI needs a security-first redesign.
About The Author
Elli Shlomo is a security researcher specializing in identifying and analyzing emerging cyber threats. With hands-on experience in vulnerability research and threat analysis, Elli focuses on translating complex security findings into practical insights that help MSPs better understand and reduce risk.
About Guardz
Guardz arms MSPs to deliver security from detection to resolution through a single, intelligently connected platform, delivering ruthless efficiency and continuous oversight. Cutting noise and surfacing real risk so teams act faster, remediate decisively, and protect clients continuously with expert support when it matters.