Clawdbot: The Stealthy Infostealer

Clawdbot’s implementation of the Mission Control Protocol (MCP) lacks mandatory authentication, allowing for prompt injection and granting shell access intentionally. An article by VentureBeat highlighted these architectural weaknesses on Monday. By Wednesday, security researchers confirmed the existence of these vulnerabilities and identified new ones.

The AI agent, previously known as Clawdbot, was rebranded as Moltbot on January 27 following a trademark dispute with Anthropic. Unfortunately, commodity infostealers have already begun exploiting these vulnerabilities. RedLine, Lumma, and Vidar have added Moltbot to their target lists, catching many security teams off guard. Shruti Gandhi, a general partner at Array VC, reported a staggering 7,922 attack attempts on her company’s Clawdbot instance.

The security concerns surrounding Clawdbot prompted a thorough examination of its security posture. The investigation uncovered several critical issues:

SlowMist alerted on January 26 that numerous Clawdbot gateways were exposed to the internet, potentially compromising API keys, OAuth tokens, and private chat histories without the need for credentials. Matvey Kukuy, CEO of Archestra AI, was able to extract an SSH private key via email in just five minutes using prompt injection techniques.

Referred to as “Cognitive Context Theft” by Hudson Rock, the malware associated with Clawdbot can not only steal passwords but also psychological profiles, work-related information, trust networks, and personal anxieties, providing attackers with valuable data for social engineering tactics.

Clawdbot, an open-source AI agent designed to automate various tasks, gained widespread popularity due to its resemblance to a personal assistant, amassing over 60,000 stars on GitHub in a short period. However, many developers deployed instances without thoroughly reviewing the security documentation, leaving port 18789 exposed to the public internet.

Jamieson O’Reilly, the founder of red-teaming firm Dvuln, identified numerous exposed Clawdbot instances through a Shodan scan. Some instances had no authentication measures in place, allowing for full command execution, while others had weak authentication or misconfigured proxies, leading to partial exposure.

O’Reilly also conducted a supply chain attack on ClawdHub’s skills library, uploading a benign skill that quickly attracted developers from various countries. This incident highlighted the risks associated with unvetted code execution.

Despite efforts to address some security vulnerabilities promptly, such as the gateway authentication bypass, Clawdbot’s architectural flaws remain a challenge. Issues like plaintext memory file storage, insecure supply chains, and prompt injection pathways are deeply embedded in the system’s design.

As the adoption of AI agents continues to rise, with Gartner estimating that 40% of enterprise applications will integrate with such agents by the end of the year, security teams face an expanding attack surface that outpaces their ability to monitor and secure these systems effectively.

O’Reilly’s supply chain attack on ClawdHub underscored the ease with which developers can be targeted, emphasizing the need for enhanced security measures in the deployment and management of AI agents.

The storage of memory files in plaintext Markdown and JSON formats poses a significant risk, as sensitive information such as VPN configurations, corporate credentials, and API tokens are stored unencrypted on disk. This data exposure class created by local-first AI agents presents a new challenge for endpoint security solutions.

Itamar Golan, the co-founder of Prompt Security, highlighted the identity and execution issues posed by AI agents, emphasizing the need for security leaders to treat these agents as part of the production infrastructure rather than mere productivity tools.

Traditional security defenses may prove ineffective against threats like prompt injection, as they do not trigger firewalls or raise alarms with endpoint detection and response (EDR) systems. The rapid adoption of AI agents driven by fear of missing out (FOMO) further complicates security efforts.

As the weaponization of AI agents becomes more prevalent, security leaders must adopt a new mindset and approach to securing these systems. This includes conducting thorough inventories of deployed agents, enforcing least privilege access, and implementing runtime visibility to monitor agent activities effectively.

In conclusion, the rapid rise of Clawdbot and similar AI agents underscores the urgent need for robust security measures to protect against potential vulnerabilities and attacks. Security teams must adapt quickly to the evolving threat landscape to stay ahead of potential exploits and safeguard sensitive data effectively.