hacking clawdbot and eating lobster souls
Imagine you hire a butler.
He's brilliant, he manages your calendar, handles your messages, screens your calls.
He knows your passwords because he needs them. He reads your private messages because that's his job and he has keys to everything because how else would he help you?
Now imagine you come home and find the front door wide open, your butler cheerfully serving tea to whoever wandered in off the street, and a stranger sitting in your study reading your diary.
That's what I found over the last couple of days: hundreds of people have set up their Clawdbot Control servers exposed to the public internet.
Shout out to Alex Finn (@AlexFinn) for putting the tool on my radar - if you don't know what Clawdbot is I highly recommend you check out his video first. His post introducing it:
"This is it. The most important video you'll watch this year. ClawdBot has taken X by storm. And for good reason. It's the greatest application of AI ever. Your own 24/7 AI employee. In this video I cover how it works, how to set it up, and why I think we should all be nervous."

Finding the Attack Surface

Every time a new class of software gains traction, I ask myself the same question: what does the real-world deployment surface actually look like?
I'm talking about the 2am deployment that solved someone's problem and got forgotten about, the one where nobody read the security hardening guide.
Clawdbot has been gaining momentum lately as an open-source AI agent gateway. Given the nature of what it does (connecting large language models to messaging platforms, running persistently, executing tools on behalf of users), I figured the deployment surface would be worth examining.
If it isn't done right, people could be leaving their devices open to be controlled by anyone on the internet.
Turns out I wasn't far from that, but let's understand the basics first.
Clawdbot has two components that matter here.
The gateway itself handles the AI agent logic: message routing, tool execution, credential management.
But Clawdbot Control is the web-based admin interface. It's where you configure integrations, view conversation histories, manage API keys, and essentially operate the entire system.
Finding an exposed gateway is interesting, but finding an exposed Control UI is a different story altogether.
Something users (developers included) often don't realise is that the entire IPv4 address space gets scanned continuously, by people on both sides of the security spectrum.
Services like Shodan, Censys, and others maintain searchable databases of every responding host, indexed by the content they serve.
If your service has any unique fingerprint in its HTTP response, anyone can query for it and get back a list of every instance on the public internet within hours of deployment.
For Clawdbot, that fingerprint is defined in its own code: the Control UI serves a distinctive HTML response, including a fixed page title.
Whether it's a specific combination of words in the HTML or a unique favicon, any one of them is enough to build a query.
I used the title tag because it's the most stable across versions. Searching for "Clawdbot Control" took seconds, and I got back hundreds of hits across multiple tools.
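The matching logic behind a title search, as an added example that is not Clawdbot's code or the scan services' own: it extracts the `<title>` of an HTTP response the way an indexing service does, and `probe()` lets you run the same check against a host you own. The fingerprint string is the post's own search term; the sample hosts and bodies are constructed, and the Shodan/Censys query lines are shown for reference only.

```python
# Added example, not Clawdbot's code: how a <title>-based fingerprint is
# matched, which is what scan-indexing services do to every HTTP response.
# Assumption: the Control UI's title contains the text "Clawdbot Control"
# (the post's own search string). Sample bodies and hosts are constructed.
import http.client
import re
from typing import Dict, List, Optional

FINGERPRINT = "Clawdbot Control"

# Equivalent search-engine queries (the filter names are the real Shodan and
# Censys ones; only the value is this page's fingerprint):
#   Shodan:  http.title:"Clawdbot Control"
#   Censys:  services.http.response.html_title:"Clawdbot Control"

_TITLE_RE = re.compile(r"<title[^>]*>(.*?)</title>", re.IGNORECASE | re.DOTALL)


def extract_title(html: str) -> Optional[str]:
    """Return the <title> text with whitespace collapsed, or None if absent."""
    match = _TITLE_RE.search(html)
    if not match:
        return None
    return " ".join(match.group(1).split())


def matches_fingerprint(html: str, needle: str = FINGERPRINT) -> bool:
    """Case-insensitive substring match on the title, as a title filter would do."""
    title = extract_title(html)
    return title is not None and needle.lower() in title.lower()


def classify_hosts(responses: Dict[str, str], needle: str = FINGERPRINT) -> List[str]:
    """Given {host: html_body}, return the hosts whose title matches, sorted."""
    return sorted(host for host, body in responses.items() if matches_fingerprint(body, needle))


def probe(host: str, port: int, timeout: float = 5.0) -> bool:
    """Fetch / from a host you own and report whether it is fingerprintable."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    try:
        conn.request("GET", "/")
        body = conn.getresponse().read().decode("utf-8", "replace")
    finally:
        conn.close()
    return matches_fingerprint(body)


# Constructed sample responses (documentation IP range, not real scan data).
SAMPLE_RESPONSES = {
    "198.51.100.10:8080": "<html><head><title>Clawdbot Control</title></head><body></body></html>",
    "198.51.100.11:3000": "<html><head>\n<title>\n  clawdbot control - login\n</title>\n</head></html>",
    "198.51.100.12:80": "<html><head><title>Welcome to nginx!</title></head></html>",
    "198.51.100.13:443": "<html><body>no title at all</body></html>",
}

if __name__ == "__main__":
    print(classify_hosts(SAMPLE_RESPONSES))  # the two fingerprintable hosts
```

The second sample shows why the title is a good fingerprint: casing and line breaks in the markup change between builds, but the words do not, and a normalised substring match still catches it. Run `probe("your.host", 8080)` from outside your network to see what the scanners see.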

The Threat Model

So what can you actually do with Clawdbot Control access?
Read access gets you the complete configuration, which includes every credential the agent uses: API keys, bot tokens, OAuth secrets, signing keys.
You can pull the full conversation history across every integrated platform, meaning months of private messages and file attachments, everything the agent has seen. That alone would be worth the effort for most attackers.
The real problem is that Clawdbot agents have agency.
They can send messages on behalf of users across Telegram, Slack, Discord, Signal, WhatsApp. They can execute tools and run commands.
With Control access on an exposed instance, you inherit all of that capability.
You can impersonate the operator to their contacts, inject messages into ongoing conversations, and exfiltrate data through the agent's existing integrations in a way that looks like normal traffic.
And because you control the agent's perception layer, you can manipulate what the human sees. Filter out certain messages. Modify responses before they're displayed.
The human victim thinks they're having a normal conversation while you're sitting in the middle, reading everything, altering whatever serves your purposes.
Full credential theft, complete conversation history, active impersonation capabilities, perception manipulation, and because these agents run persistently and autonomously, you can maintain access indefinitely without the operator ever knowing.
The more that is connected to the agent, the more of your digital footprint an attacker controls - and in some cases that means control over your physical devices.
That's what's at stake when Clawdbot Control is exposed to the internet (and misconfigured).
Of the couple of hundred I found, many had some form of protection in place: working authentication that blocked the auto-approve bypass I'll describe shortly.
A handful were test deployments with no real data.
But the remaining instances ranged from misconfigured to completely exposed, and the worst of them were bad enough to illustrate exactly why this matters.
Two instances in particular were fully open with no authentication at all. WebSocket handshake accepted, immediate access granted.
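What "WebSocket handshake accepted" means in practice, as an added example rather than anything from Clawdbot's code: the RFC 6455 opening handshake is sent with no cookie, Authorization header or token, and the reply is classified. A 101 carrying the correct Sec-WebSocket-Accept value is an upgrade granted to an anonymous client; a 401 or 403 means something demanded credentials first. The endpoint path `/` is an assumption, not a documented Clawdbot value, and the sample responses are constructed (the key/accept pair is the worked example from RFC 6455 itself).

```python
# Added example, not Clawdbot's code: an RFC 6455 opening handshake sent with
# no credentials, and a classifier for the answer. The request carries no
# cookie, Authorization header or token, so a 101 with a valid accept header
# means the gateway upgraded an anonymous client. The endpoint path is an
# assumption, not a documented Clawdbot value; sample responses are constructed.
import base64
import hashlib
import os
import socket
from typing import Dict, Tuple

WS_GUID = "258EAFA5-E914-47DA-95CA-C5AB0DC85B11"  # constant fixed by RFC 6455


def make_key() -> str:
    """Sec-WebSocket-Key: 16 random bytes, base64-encoded."""
    return base64.b64encode(os.urandom(16)).decode()


def expected_accept(key: str) -> str:
    """The value a conforming server must echo: base64(SHA1(key + GUID))."""
    return base64.b64encode(hashlib.sha1((key + WS_GUID).encode()).digest()).decode()


def build_request(host: str, path: str, key: str) -> bytes:
    """Bare upgrade request: deliberately no authentication of any kind."""
    return (
        f"GET {path} HTTP/1.1\r\n"
        f"Host: {host}\r\n"
        "Upgrade: websocket\r\n"
        "Connection: Upgrade\r\n"
        f"Sec-WebSocket-Key: {key}\r\n"
        "Sec-WebSocket-Version: 13\r\n"
        "\r\n"
    ).encode()


def parse_head(raw: bytes) -> Tuple[int, Dict[str, str]]:
    """Split a raw HTTP response head into (status code, lower-cased headers)."""
    head = raw.split(b"\r\n\r\n", 1)[0].decode("latin-1")
    lines = head.split("\r\n")
    parts = lines[0].split(" ", 2)
    status = int(parts[1]) if len(parts) >= 2 and parts[1].isdigit() else 0
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, sep, value = line.partition(":")
        if sep:
            headers[name.strip().lower()] = value.strip()
    return status, headers


def classify_response(raw: bytes, key: str) -> str:
    """'open'  : 101 with the correct Sec-WebSocket-Accept (anonymous upgrade worked)
       'auth'  : 401/403 (something in front demanded credentials)
       'other' : anything else, including a 101 with a wrong accept value"""
    status, headers = parse_head(raw)
    if status == 101 and headers.get("sec-websocket-accept") == expected_accept(key):
        return "open"
    if status in (401, 403):
        return "auth"
    return "other"


def probe(host: str, port: int, path: str = "/", timeout: float = 5.0) -> str:
    """Run the handshake against a host you own; path '/' is an assumption."""
    key = make_key()
    with socket.create_connection((host, port), timeout=timeout) as sock:
        sock.sendall(build_request(host, path, key))
        raw = sock.recv(4096)
    return classify_response(raw, key)


# Constructed responses. KEY and the accept value are the worked pair from RFC 6455.
KEY = "dGhlIHNhbXBsZSBub25jZQ=="
OPEN_RESPONSE = (
    b"HTTP/1.1 101 Switching Protocols\r\n"
    b"Upgrade: websocket\r\n"
    b"Connection: Upgrade\r\n"
    b"Sec-WebSocket-Accept: s3pPLMBiTxaQ9kYGzzhZRbK+xOo=\r\n"
    b"\r\n"
)
DENIED_RESPONSE = b"HTTP/1.1 401 Unauthorized\r\nContent-Length: 0\r\n\r\n"

if __name__ == "__main__":
    print(classify_response(OPEN_RESPONSE, KEY), classify_response(DENIED_RESPONSE, KEY))
```

The accept check matters: a reverse proxy or captive portal can return a 101 it never computed, and only a value derived from your own random key proves you reached a real WebSocket endpoint. If `probe()` returns "open" against your own Control UI from the public internet, nothing is standing between the world and the socket.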
From there I had configuration dumps containing Anthropic API keys, Telegram bot tokens, Slack OAuth credentials and signing secrets, and complete conversation histories going back months.
On another server, I saw something as hilarious as it was telling about where we're all heading.
Someone (I won't dox them) had set up their own Signal (encrypted messenger) account on their public-facing Clawdbot Control server, with full read access.
[Screenshots: a Signal device linking URI sitting in a world-readable temp file on the server]
That's a Signal device linking URI. Tap it on a phone with Signal installed and you're paired to the account with full access. All the cryptographic protection Signal provides for message content becomes irrelevant when the pairing credential is sitting in a world-readable temp file because someone's AI agent set up the integration and left the artifacts behind.
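A sweep for exactly the kind of artifacts described above (the configuration dumps with Anthropic, Telegram and Slack credentials, and the Signal linking URI left in a temp file), as an added example that is not Clawdbot's or Signal's code. The regexes reflect publicly known token formats and the URI shape used in Signal's pairing QR code, and are assumptions to re-check against current formats; every sample value is constructed and not a real credential.

```python
# Added example, not Clawdbot's or Signal's code: a sweep over dumps, logs and
# temp files for the artifacts this post describes. The regexes reflect public
# token formats and are assumptions to re-check against current formats; every
# sample value below is constructed and not a real credential.
import os
import re
import tempfile
from typing import Dict, List

PATTERNS = {
    # Anthropic API keys carry the "sk-ant-" prefix.
    "anthropic_api_key": re.compile(r"\bsk-ant-[A-Za-z0-9_\-]{20,}"),
    # Telegram bot tokens: numeric bot id, a colon, then a 35-character secret.
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
    # Slack tokens: xoxb- (bot), xoxp- (user), xoxa-/xoxr- (app/refresh).
    "slack_token": re.compile(r"\bxox[abpr]-[A-Za-z0-9\-]{10,}"),
    # Signal device-linking URI as encoded in the pairing QR code (assumed form).
    "signal_link_uri": re.compile(r"sgnl://linkdevice\?[^\s\"'<>]+"),
}


def scan_text(text: str) -> Dict[str, List[str]]:
    """Return {pattern name: [matches]} for every pattern that fires."""
    found: Dict[str, List[str]] = {}
    for name, regex in PATTERNS.items():
        hits = regex.findall(text)
        if hits:
            found[name] = hits
    return found


def redact(value: str, keep: int = 6) -> str:
    """Keep a short prefix so the report itself is not a second leak."""
    return value[:keep] + "..."


def scan_dir(root: str, max_bytes: int = 1_000_000) -> Dict[str, Dict[str, List[str]]]:
    """Walk a tree (e.g. /tmp or the agent's state directory) and report redacted hits."""
    report: Dict[str, Dict[str, List[str]]] = {}
    for dirpath, _, filenames in os.walk(root):
        for filename in filenames:
            path = os.path.join(dirpath, filename)
            try:
                with open(path, "rb") as fh:
                    text = fh.read(max_bytes).decode("utf-8", "replace")
            except OSError:
                continue
            hits = scan_text(text)
            if hits:
                report[path] = {n: [redact(v) for v in vals] for n, vals in hits.items()}
    return report


# Constructed values shaped like the real formats; none of these are live.
ANTHROPIC_FAKE = "sk-ant-api03-" + "FAKE" * 7
TELEGRAM_FAKE = "123456789:AA" + "FAKE" * 8 + "0"   # 35-character secret
SLACK_FAKE = "xoxb-FAKE-FAKE-FAKEFAKEFAKE"
SIGNAL_FAKE = "sgnl://linkdevice?uuid=FAKE-UUID&pub_key=FAKEPUBKEY=="

SAMPLE_DUMP = f"""\
anthropic:
  apiKey: {ANTHROPIC_FAKE}
telegram:
  botToken: {TELEGRAM_FAKE}
slack:
  botToken: {SLACK_FAKE}
  webhook: https://hooks.example.test/services/not-a-secret
"""
SAMPLE_TMP = f"pair with: {SIGNAL_FAKE}\n"


def demo_scan() -> Dict[str, Dict[str, List[str]]]:
    """Write the samples into a scratch directory and scan it, keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        with open(os.path.join(tmp, "clawdbot.yaml"), "w") as fh:
            fh.write(SAMPLE_DUMP)
        with open(os.path.join(tmp, "signal-link.txt"), "w") as fh:
            fh.write(SAMPLE_TMP)
        return {os.path.basename(p): hits for p, hits in scan_dir(tmp).items()}


if __name__ == "__main__":
    for path, hits in demo_scan().items():
        print(path, hits)
```

Point `scan_dir()` at the agent's working directory and the system temp directory on a box you operate; anything it reports should be rotated, not just deleted, since a linking URI or token that was world-readable for any length of time has to be treated as already copied.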
I tried to use whatever information was available and was able to identify someone I believe to be the owner, an "AI Systems engineer".
Again, no interest in doxxing; I just think it's important to give people real-world examples of how even the "AI experts" make security mistakes. Imagine what that means for everyone else rushing to put AI all over their devices.