The Moltbot / ClawdBots Epidemic: AI Assistant Security Crisis

Executive Summary

Moltbot (formerly ClawdBot) is a widely used AI personal assistant that operates through messaging platforms like WhatsApp and Telegram. Unfortunately, a number of Moltbot instances have been exposed to the internet with unauthenticated admin ports, plaintext credential storage, and vulnerable skill libraries. This presents a significant security risk, as these systems are now prime targets for credential theft, supply chain attacks, and infostealer malware.

Immediate action is required to secure these systems. This includes requiring strong authentication, closing open admin ports, encrypting stored credentials, and vetting all skills before installation.

What is Moltbot / ClawdBot?

Moltbot (formerly branded as ClawdBot) is an AI personal assistant designed to operate through popular messaging platforms like WhatsApp and Telegram. It provides users with AI-powered assistance for various tasks, including answering questions and executing automated workflows through its extensible "skill" system.

Platform Characteristics

Critical Security Issues Identified

1. Unauthenticated Admin Ports

Researchers discovered hundreds of Moltbot instances exposing unauthenticated admin ports to the internet. The default HTTP console on port 8080 often lacks authentication, allowing anyone to access administrative functions.

2. Plaintext Credential Storage

User credentials and secrets are written to plaintext Markdown and JSON files, making them easily accessible to infostealers like RedLine, Lumma, and Vidar that target these specific files.

3. Supply-Chain Skill Poisoning

The skill library (ClawdHub) can be poisoned with malicious skills. A proof-of-concept attack demonstrated how a malicious skill could achieve remote command execution on all downstream users who installed it.

4. Unsafe Proxy Configurations

Many deployments were found with unsafe proxy configurations that could allow threat actors to pivot through the network, exfiltrate data, or establish persistent backdoor access.

Threat Actor Capabilities

By exploiting these vulnerabilities, attackers gain significant capabilities:

• Steal Secrets: API keys, passwords, tokens from plaintext storage
• Exfiltrate Code: Access and steal source code repositories
• Deploy Backdoors: Repurpose the assistant as persistent access
• C2 Operations: Use as command-and-control infrastructure

Infostealers Targeting Moltbot Credentials

Because Moltbot stores secrets in plaintext files, it has become a target for commodity infostealers like:

• RedLine Stealer: Targets browser data, crypto wallets, and Moltbot configs
• Lumma Stealer: A modern infostealer that targets plaintext secrets
• Vidar Stealer: Known for credential harvesting from various applications

Mitigation Strategies

Access Control

• Require strong authentication for all Moltbot services
• Close or firewall admin ports (default: 8080)
• Implement IP allowlisting for admin access

Data Protection

• Enable encryption-at-rest for stored secrets
• Sandbox or containerize the runtime environment
• Implement secrets management (Vault, AWS Secrets Manager)

Supply Chain Security

• Vet all skills before installation
• Sign and pin skills from the library
• Monitor for unauthorized skill installations

Monitoring & Response

• Alert on open admin ports and unauth access attempts
• Monitor for unexpected command execution
• Scan hosts for credential-stealing malware

Incident Response Playbook

If a compromise is confirmed, follow these steps:

1. Isolate the affected system immediately
2. Revoke all exposed credentials and API keys
3. Audit all skill installations for malicious content
4. Validate integrity of stored configuration files
5. Check for lateral movement indicators
6. Redeploy Moltbot with hardened security settings
7. Implement continuous monitoring going forward