The Clawdbot/Moltbot Vector & Remediation
Vulnerability
The Clawdbot framework binds to localhost by default, assuming a trusted environment. Users frequently deploy it behind reverse proxies (like Nginx) without adding an authentication layer. The agent treats the forwarded traffic as local/trusted.
Exploitation
Attackers scan for specific HTML fingerprints (Title: "Clawdbot Control").
Exfiltration
The exposed control panel provides full access to:
Signal Pairing
tsdevice:/?uuid=... URIs found in logs/memory allow instant account takeover.
Identity Tokens
OAuth tokens for Slack, Discord, and Telegram.
Environment Variables
OPENAI_API_KEY, ANTHROPIC_API_KEY, AWS credentials.
MITRE ATT&CK Mapping
Initial Access
T1190 (Exploit Public-Facing Application) - Misconfigured Reverse Proxy.
Collection
T1114 (Email Collection)
T1115 (Clipboard Data)
T1555 (Credentials from Password Stores - e.g., config.json, memory.md).
Exfiltration
T1041 (Exfiltration Over C2 Channel).
Remediation - THE ENTERPRISE TRACK (SANS PICERL)
Phase 1: Identification & Containment
Network Sweep
Immediately scan internal and perimeter networks for ports associated with AI agents (common defaults: 8041, 3000, 8000) returning titles like "Clawdbot" or "Moltbot".
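The sweep above looks for the same thing the Exploitation section describes: a page whose title names the agent (e.g. "Clawdbot Control"). The following script is an added example, not code from the advisory or from the Clawdbot/Moltbot project; it probes the advisory's default ports over plain HTTP, extracts the HTML title and reports only hosts whose title contains "clawdbot" or "moltbot". The sample responses, the User-Agent string and the 64 KiB read limit are constructed for the example.

```python
import http.client
import re
from typing import Iterable, List, Optional, Tuple

# Agent names to look for in page titles (case-insensitive).
AGENT_NAMES = ("clawdbot", "moltbot")
# Default ports named in the advisory.
DEFAULT_PORTS = (8041, 3000, 8000)
TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)

# Constructed sample responses for an offline demonstration.
SAMPLE_EXPOSED = b"<html><head><title>Clawdbot Control</title></head><body>...</body></html>"
SAMPLE_BENIGN = b"<html><head><title>Grafana</title></head><body>...</body></html>"


def page_title(body: bytes) -> Optional[str]:
    """Return the <title> text with whitespace collapsed, or None if absent."""
    match = TITLE_RE.search(body.decode("utf-8", errors="replace"))
    if not match:
        return None
    return " ".join(match.group(1).split())


def agent_fingerprint(body: bytes) -> Optional[str]:
    """Return the agent name if the title looks like an exposed control panel, else None."""
    title = page_title(body)
    if title is None:
        return None
    lowered = title.lower()
    for name in AGENT_NAMES:
        if name in lowered:
            return name
    return None


def probe(host: str, port: int, timeout: float = 3.0) -> Optional[str]:
    """Fetch / over plain HTTP and fingerprint the response; any network error counts as no hit."""
    try:
        conn = http.client.HTTPConnection(host, port, timeout=timeout)
        conn.request("GET", "/", headers={"Host": host, "User-Agent": "agent-exposure-sweep"})
        resp = conn.getresponse()
        body = resp.read(65536)  # a title lives in the first few KiB; cap the read
        conn.close()
    except (OSError, http.client.HTTPException):
        return None
    return agent_fingerprint(body)


def sweep(hosts: Iterable[str], ports: Iterable[int] = DEFAULT_PORTS) -> List[Tuple[str, int, str]]:
    """Probe every host/port pair and return (host, port, agent) for each exposed panel found."""
    hits = []
    for host in hosts:
        for port in ports:
            agent = probe(host, port)
            if agent is not None:
                hits.append((host, port, agent))
    return hits


if __name__ == "__main__":
    # Offline demonstration on the constructed samples.
    print("exposed sample ->", agent_fingerprint(SAMPLE_EXPOSED))
    print("benign sample  ->", agent_fingerprint(SAMPLE_BENIGN))
    # Live use: sweep(["10.0.0.5", "10.0.0.6"]) against hosts you are authorised to assess.
```

The script only speaks plain HTTP; a panel published behind a TLS-terminating proxy needs the same check with `http.client.HTTPSConnection`. Treat a hit as a reason to pull the host into Phase 2, not as proof of compromise on its own.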
Kill Switch
Block outbound connections to known C2s associated with "fake" agent extensions (e.g., clawdbot.getintwopc[.]site - observed in related malware campaigns).
Endpoint Query
Use EDR to hunt for node.exe or python.exe processes spawning from non-standard directories with high network IO, specifically referencing clawdbot or moltbot in command lines.
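The EDR hunt above can be expressed as a filter over process telemetry. The script below is an added example, not part of the advisory: it takes process records exported from an EDR (image path, command line, outbound bytes), keeps only node.exe/python.exe processes whose command line mentions clawdbot or moltbot, and attaches the two corroborating signals the advisory names, a non-standard image directory and high network IO. The allow-list of standard directories, the 50 MiB IO threshold and the sample records are constructed assumptions to adjust for your estate.

```python
import ntpath
import re
from dataclasses import dataclass
from typing import Iterable, List, Tuple

AGENT_RE = re.compile(r"clawdbot|moltbot", re.IGNORECASE)
INTERPRETERS = {"node.exe", "python.exe"}
# Directories an interpreter is expected to run from on a managed Windows host
# (constructed allow-list; extend for your environment).
STANDARD_DIRS = ("c:\\program files\\", "c:\\program files (x86)\\", "c:\\windows\\")
# Assumed threshold for "high network IO" over the EDR observation window.
HIGH_IO_BYTES = 50 * 1024 * 1024


@dataclass
class ProcessRecord:
    image_path: str     # full path of the executable
    command_line: str   # full command line as recorded by the EDR
    bytes_sent: int     # outbound bytes over the observation window


# Constructed sample telemetry for an offline demonstration.
SAMPLE_RECORDS = [
    ProcessRecord(r"C:\Users\alice\AppData\Local\Temp\node.exe",
                  r"node.exe C:\Users\alice\clawdbot\gateway.js --port 8041", 120 * 1024 * 1024),
    ProcessRecord(r"C:\Program Files\nodejs\node.exe",
                  r"node.exe C:\dev\app\server.js", 2 * 1024 * 1024),
    ProcessRecord(r"C:\Program Files\nodejs\node.exe",
                  r"node.exe moltbot\index.js", 1 * 1024 * 1024),
    ProcessRecord(r"C:\Windows\System32\svchost.exe",
                  r"svchost.exe -k netsvcs", 500 * 1024 * 1024),
]


def is_interpreter(image_path: str) -> bool:
    return ntpath.basename(image_path).lower() in INTERPRETERS


def in_standard_dir(image_path: str) -> bool:
    return image_path.lower().startswith(STANDARD_DIRS)


def hunt(records: Iterable[ProcessRecord],
         high_io_bytes: int = HIGH_IO_BYTES) -> List[Tuple[ProcessRecord, List[str]]]:
    """Return (record, reasons) for every interpreter process referencing an agent,
    ordered so that records with the most corroborating signals come first."""
    findings = []
    for rec in records:
        if not is_interpreter(rec.image_path):
            continue
        if not AGENT_RE.search(rec.command_line):
            continue
        reasons = ["agent keyword in command line"]
        if not in_standard_dir(rec.image_path):
            reasons.append("non-standard image directory")
        if rec.bytes_sent >= high_io_bytes:
            reasons.append("high outbound IO")
        findings.append((rec, reasons))
    findings.sort(key=lambda f: len(f[1]), reverse=True)
    return findings


if __name__ == "__main__":
    for rec, reasons in hunt(SAMPLE_RECORDS):
        print(f"{rec.image_path}\n    {rec.command_line}\n    -> {', '.join(reasons)}")
```

A record with all three reasons is the pattern the advisory describes and belongs at the top of the containment queue; a keyword-only hit from a standard install directory still warrants a look, because a home-style deployment behind the corporate proxy shows up exactly that way.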
Phase 2: Eradication
Credential Rotation
If an agent was found exposed, ALL credentials accessible to that host must be considered compromised.
This includes:
Revoking Signal/WhatsApp linked devices.
Rolling API Keys (OpenAI, Anthropic, AWS).
Resetting OAuth tokens for integrated apps (Slack, Workspace).
Policy Enforcement
Block unapproved browser extensions. A malicious "Clawdbot Agent" extension for VS Code was recently active; ensure it is removed.
Phase 3: Recovery
Re-Image
Compromised hosts running these agents often grant shell access. Assume full persistence (backdoors/webshells) and re-image the device.
Identity Re-verification
Force re-authentication for all users associated with the compromised endpoints.
Remediation - THE HOME USER TRACK
Priority 1: Secure Your Messaging
Signal
Go to Settings > Linked Devices. If you see any device you do not recognize, or a "Linux" device you didn't recently pair, remove it immediately.
WhatsApp
Go to Settings > Linked Devices and log out of unknown sessions.
Priority 2: Agent Cleanup
If you installed "Clawdbot" or "Moltbot"
Stop the service immediately.
Delete the configuration files
Specifically memory.md and config.json, which store your secrets in plain text.
Uninstall
Remove the software until you can configure it with a VPN or strict password authentication (e.g., using htpasswd with Nginx).
Priority 3: Visual Studio Code Check
Check your installed extensions. If you see "Clawdbot Agent - AI Coding Assistant" (Publisher: clawdbot), uninstall it immediately. It is confirmed malware dropping remote access trojans (RATs).
Hardening & References
Guidance
Treat AI Agents as "Unmanaged Insiders." They should not have access to production secrets or primary communication channels.
Configuration
Never expose local AI tools to the internet via tunneling (Ngrok, Cloudflare Tunnel) or Reverse Proxy without an Authentication Middleware (e.g., Authelia, Authentik).
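The misconfiguration in the Vulnerability section and the fix suggested for home users (htpasswd with Nginx) and above (authentication in front of the proxy) can be shown side by side. This is an added example, not configuration from the advisory or from the Clawdbot/Moltbot project; the hostname, certificate paths, htpasswd path and allowed network range are assumptions, and the upstream port 8041 is the advisory's default.

```nginx
# WEAK: whoever can reach Nginx reaches the agent, and the agent sees a
# local connection from 127.0.0.1, so it treats the request as trusted.
server {
    listen 443 ssl;
    server_name agent.example.com;                  # assumed hostname
    ssl_certificate     /etc/nginx/certs/agent.crt; # assumed paths
    ssl_certificate_key /etc/nginx/certs/agent.key;

    location / {
        proxy_pass http://127.0.0.1:8041;
    }
}

# HARDENED: nothing is forwarded until the client has authenticated AND
# comes from the management/VPN range (both conditions apply by default).
server {
    listen 443 ssl;
    server_name agent.example.com;
    ssl_certificate     /etc/nginx/certs/agent.crt;
    ssl_certificate_key /etc/nginx/certs/agent.key;

    location / {
        # Password gate. Create the file with:
        #   htpasswd -c /etc/nginx/.htpasswd <username>
        auth_basic           "Restricted";
        auth_basic_user_file /etc/nginx/.htpasswd;

        # Network gate: assumed VPN/management range; deny everything else.
        allow 10.0.0.0/8;
        deny  all;

        proxy_pass http://127.0.0.1:8041;
        proxy_set_header X-Forwarded-For $proxy_add_x_forwarded_for;
        proxy_set_header X-Real-IP       $remote_addr;
    }
}
```

Validate with `nginx -t` before reloading. Basic auth over TLS is the minimum; the Authelia/Authentik middleware mentioned above replaces the `auth_basic` pair with an identity-provider-backed check and adds MFA, but the structure (authenticate and filter before `proxy_pass`) is the same.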
Reference
NIST AI Risk Management Framework (AI RMF 1.0) - Map "Govern" function to third-party AI tools.
Source
CyberInsider