惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
aimingoo的专栏
aimingoo的专栏
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
T
Tailwind CSS Blog
J
Java Code Geeks
博客园_首页
Google Online Security Blog
Google Online Security Blog
Hugging Face - Blog
Hugging Face - Blog
C
CXSECURITY Database RSS Feed - CXSecurity.com
I
Intezer
P
Palo Alto Networks Blog
V
Vulnerabilities – Threatpost
雷峰网
雷峰网
O
OpenAI News
SecWiki News
SecWiki News
小众软件
小众软件
酷 壳 – CoolShell
酷 壳 – CoolShell
美团技术团队
N
News | PayPal Newsroom
Project Zero
Project Zero
Forbes - Security
Forbes - Security
IT之家
IT之家
A
Arctic Wolf
WordPress大学
WordPress大学
Jina AI
Jina AI
T
Tor Project blog
博客园 - 三生石上(FineUI控件)
S
Secure Thoughts
Google DeepMind News
Google DeepMind News
Attack and Defense Labs
Attack and Defense Labs
博客园 - 聂微东
Exploit-DB.com RSS Feed
Exploit-DB.com RSS Feed
P
Privacy International News Feed
Cloudbric
Cloudbric
G
GRAHAM CLULEY
博客园 - 叶小钗
H
Hacker News: Front Page
腾讯CDC
量子位
Help Net Security
Help Net Security
人人都是产品经理
人人都是产品经理
C
Cyber Attacks, Cyber Crime and Cyber Security
月光博客
月光博客
奇客Solidot–传递最新科技情报
奇客Solidot–传递最新科技情报
宝玉的分享
宝玉的分享
爱范儿
爱范儿
L
Lohrmann on Cybersecurity
Hacker News - Newest:
Hacker News - Newest: "LLM"
Recorded Future
Recorded Future
C
CERT Recently Published Vulnerability Notes

The Register - Special Features: Agentic AI

Unaccounted-for AI agents are being handed wide access Google to foist Gemini pane on Chrome users Yes, you can build an AI agent – here's how, using LangFlow Gartner questions if Salesforce AI will stay all-you-can-eat Claude supports MCP Apps, presents UI within chat window Cursor is better at marketing than coding Salesforce willing to lose money on AI to lock in customers Agents of misfortune: The world isn't ready for AI agents MCP vs A2A: Agentic AI protocols take shape
Clawdbot becomes Moltbot, but can’t shed security concerns
2026-01-28 · via The Register - Special Features: Agentic AI

Security concerns for the new agentic AI tool formerly known as Clawdbot remain, despite a rebrand prompted by trademark concerns raised by Anthropic. Would you be comfortable handing the keys to your identity kingdom over to a bot, one that might be exposed to the open internet?

Clawdbot, now known as Moltbot, has gone viral in AI and developer circles in recent days, with fans hailing the open-source "AI personal assistant" as a potential breakthrough.

The long and short of it is that Moltbot can be controlled using messaging apps, like WhatsApp and Telegram, in a similar way to the GenAI chatbots everyone knows about. 

REG AD

Taking things a little further, its agentic capabilities allow it to take care of life admin for users, such as responding to emails, managing calendars, screening phone calls, or booking table reservations – all with minimal intervention or prompting from the user.

REG AD

All that functionality comes at a cost, however, and not just the outlay so many seem to be making on Mac Mini purchases for the sole purpose of hosting a Moltbot instance. 

In order for Moltbot to read and respond to emails, and all the rest of it, it needs access to accounts and their credentials. Users are handing over the keys to their encrypted messenger apps, phone numbers, and bank accounts to this agentic system. 

Naturally, security experts have had a few things to say about it.

First, there was the furor around public exposures. Moltbot is a complex system, and despite being as easy to install as a typical app on the face of it, the misconfigurations associated with it prompted experts to highlight the dangers of running Moltbot instances without the proper know-how.

Jamieson O'Reilly, founder of red-teaming company Dvuln, was among the first to draw attention to the issue, saying that he saw hundreds of Clawdbot instances exposed to the web, potentially leaking secrets.

He told The Register that the attack model he reported to Moltbot's developers, which involved proxy misconfigurations and localhost connections auto-authenticating, is now fixed. However, if exploited, it could have allowed attackers to access months of private messages, account credentials, API keys, and more – anything to which Clawdbot owners gave it access.

According to his Shodan scans, supported by others looking into the matter, he found hundreds of instances exposed to the web. If those had open ports allowing unauthenticated admin connections, it would allow attackers access to the full breadth of secrets in Moltbot.

"Of the instances I've examined manually, eight were open with no authentication at all and exposing full access to run commands and view configuration data," he said. "The rest had varying levels of protection. 

REG AD

"Forty-seven had working authentication, which I manually confirmed was secure. The remainder fell somewhere in between. Some appeared to be test deployments, some were misconfigured in ways that reduced but didn't eliminate exposure."

On Tuesday, O'Reilly published a second blog detailing a proof-of-concept supply chain exploit for ClawdHub – the AI assistant's skills library, the name of which has not yet changed.

He was able to upload a publicly available skill, artificially inflate the download count to more than 4,000, and watch as developers from seven countries downloaded the poisoned package.

The skill O'Reilly uploaded was benign, but it proved he could have executed commands on a Moltbot instance.

"The payload pinged my server to prove execution occurred, but I deliberately excluded hostnames, file contents, credentials, and everything else I could have taken," he said.

"This was a proof of concept, a demonstration of what's possible. In the hands of someone less scrupulous, those developers would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."

ClawdHub states in its developer notes that all code downloaded from the library will be treated as trusted code – there is no moderation process at present – so it's up to developers to properly vet anything they download.

Therein lies one of the key issues with the product. It is being heralded by nerds as the next big AI offering, one that can benefit everyone, but in reality, it requires a specialist skillset in order to use safely.

REG AD

Eric Schwake, director of cybersecurity strategy at Salt Security, told The Register: "A significant gap exists between the consumer enthusiasm for Clawdbot's one-click appeal and the technical expertise needed to operate a secure agentic gateway. 

"While installing it may resemble a typical Mac app, proper configuration requires a thorough understanding of API posture governance to prevent credential exposure due to misconfigurations or weak authentication. 

"Many users unintentionally create a large visibility void by failing to track which corporate and personal tokens they've shared with the system. Without enterprise-level insight into these hidden connections, even a small mistake in a 'prosumer' setup can turn a useful tool into an open back door, risking exposure of both home and work data to attackers."

The security concerns surrounding Moltbot persist even when it is set up correctly, as the team at Hudson Rock pointed out this week.

Its researchers said they looked at Moltbot's code and found that some of the secrets shared with the assistant by users were stored in plaintext Markdown and JSON files on the user's local filesystem.

The implication here is that if a host machine, such as one of the Mac Minis being bought en masse to host Moltbot, were infected with infostealer malware, then it would mean the secrets stored by the AI assistant could be compromised.

Hudson Rock is already seeing malware as a service families implement capabilities to target local-first directory structures, such as those used by Moltbot, including Redline, Lumma, and Vidar. 

It is fathomable that any of these popular strains of malware could be deployed against the internet-exposed Moltbot instances to steal credentials and carry out financially motivated attacks.

If the attacker is also able to gain write access, then they can turn Moltbot into a backdoor, instructing it to siphon sensitive data in the future, trust malicious sources, and more.

"Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust," said Hudson Rock. "Without encryption-at-rest or containerization, the 'Local-First' AI revolution risks becoming a goldmine for the global cybercrime economy."

The start of something bigger

O'Reilly said that Moltbot's security has captured the attention of the industry recently, but it is only the latest example of experts warning about the risks associated with wider deployments of AI agents.

In a recent interview with The Register, Palo Alto Networks chief security intel officer Wendi Whitmore warned that AI agents could represent the new era of insider threats.

As they are deployed across large organizations, trusted to carry out tasks autonomously, they become increasingly attractive targets for attackers looking to hijack these agents for personal gain.

The key will be to ensure cybersecurity is rethought for the agentic era, ensuring each agent is afforded the least privileges necessary to carry out tasks, and that malicious activity is monitored stringently.

"The deeper issue is that we've spent 20 years building security boundaries into modern operating systems," said O'Reilly. "Sandboxing, process isolation, permission models, firewalls, separating the user's internal environment from the internet. All of that work was designed to limit blast radius and prevent remote access to local resources.

"AI agents tear all of that down by design. They need to read your files, access your credentials, execute commands, and interact with external services. The value proposition requires punching holes through every boundary we spent decades building. When these agents are exposed to the internet or compromised through supply chains, attackers inherit all of that access. The walls come down."

Heather Adkins, VP of security engineering at Google Cloud, who last week warned of the risks AI would present to the world of underground malware toolkits, is flying the flag for the anti-Moltbot brigade, urging people to avoid installing it.

"My threat model is not your threat model, but it should be. Don't run Clawdbot," she said, citing a separate security researcher who claimed Moltbot "is an infostealer malware disguised as an AI personal assistant."

Principal security consultant Yassine Aboukir said: "How could someone trust that thing with full system access?" ®