Popular 'Clawdbot' AI Tool Threatens User Privacy Through Security Flaws
Cybersecurity experts are sounding alarms over a critical security flaw in Clawdbot, an AI assistant that has left hundreds of servers vulnerable, exposing API credentials and private data through improperly configured proxy settings.
Security professionals specializing in cybersecurity have issued warnings concerning Clawdbot, an emerging artificial intelligence-powered personal assistant, cautioning that it may be unintentionally leaking sensitive personal information and API credentials to unauthorized parties.
On Tuesday, SlowMist, a blockchain-focused security company, disclosed that an exposure in Clawdbot's "gateway" has been discovered, leaving "hundreds of API keys and private chat logs at risk."
"Multiple unauthenticated instances are publicly accessible, and several code flaws may lead to credential theft and even remote code execution," it added.
The initial findings were documented by security researcher Jamieson O'Reilly on Sunday, who noted that "hundreds of people have set up their Clawdbot control servers exposed to the public" during the previous several days.
Developed by entrepreneur and software developer Peter Steinberger, Clawdbot is an open-source artificial intelligence assistant designed to operate locally on individual user devices. During the recent weekend, discussion surrounding this application "reached viral status," according to a Tuesday report from Mashable.
Scanning for "Clawdbot Control" accesses credentials
The gateway for this AI agent serves as a bridge between large language models (LLMs) and various messaging platforms, carrying out commands for users through a web-based administrative interface known as "Clawdbot Control."
According to O'Reilly's explanation, the authentication bypass security flaw in Clawdbot manifests when the gateway is positioned behind a reverse proxy that lacks proper configuration.
Leveraging internet scanning platforms such as Shodan, the security researcher was able to locate these vulnerable servers with ease by conducting searches for unique fingerprints embedded within the HTML code.
"Searching for 'Clawdbot Control' - the query took seconds. I got back hundreds of hits based on multiple tools," he said.
O'Reilly revealed that he gained access to comprehensive credentials including API keys, bot tokens, OAuth secrets, signing keys, complete conversation histories spanning all chat platforms, the capability to transmit messages impersonating the user, and command execution functionalities.
"If you're running agent infrastructure, audit your configuration today. Check what's actually exposed to the internet. Understand what you're trusting with that deployment and what you're trading away," advised O'Reilly
"The butler is brilliant. Just make sure he remembers to lock the door."
Extracting a private key took five minutes
The artificial intelligence assistant presents additional opportunities for malicious exploitation, particularly concerning cryptocurrency asset protection.
Matvey Kukuy, who serves as CEO at Archestra AI, demonstrated an even more severe attack by attempting to extract a private cryptographic key.
He published a screenshot demonstrating the process of transmitting an email to Clawdbot containing a prompt injection, requesting that Clawdbot review the email, and successfully obtaining the private key from the compromised system, a process which "took 5 minutes."
What distinguishes Clawdbot from comparable agentic AI applications is its complete system-level access to users' computers, granting it the ability to read and write files, run commands, execute scripts, and control browsers.
"Running an AI agent with shell access on your machine is… spicy," reads the Clawdbot FAQ, which adds, "There is no 'perfectly secure' setup."
The FAQ documentation additionally emphasized the threat landscape, indicating that malicious individuals can "try to trick your AI into doing bad things, social engineer access to your data, and probe for infrastructure details."
"We strongly recommend applying strict IP whitelisting on exposed ports," advised SlowMist.