Full Report
Moltbot, the viral AI agent, offers immense power but is riddled with critical vulnerabilities, including remote code execution (RCE), exposed control interfaces, and malicious extensions. Read on to understand the vulnerabilities associated with Moltbot and the immediate security practices users must prioritize to mitigate this enormous agentic AI security risk.

## Key takeaways

- Moltbot takes an AI agent and gives it access to your computer, your communication streams, your accounts, and much, much more.
- Given the severe and active threats, including exposed control interfaces, authentication bypasses, and malicious extensions, users must prioritize the security practices outlined below.
- The convenience of incredible power cannot outweigh the risk that Moltbot’s vulnerabilities create.

## What is Clawdbot?

Clawdbot (recently rebranded as Moltbot, and subsequently as OpenClaw, due to a trademark dispute with Anthropic) is a viral open-source AI assistant. It has been praised for its ability to autonomously execute tasks on local hardware, exemplifying what modern AI can do to truly help end users. As of January 2026, and coinciding with the application's widespread viral adoption, security researchers have identified multiple significant vulnerabilities that place Moltbot users at risk.

## What is Moltbot used for?

Moltbot is a multi-function AI agent designed to perform many tasks. Indeed, the website claims it “Works With Everything.” Some features include:

- Setup: Runs on any machine with a choice of models.
- Integrations: Works with any chat app.
- Browse the web: Submits forms on your behalf and finds information.
- Memory: Remembers context about you and your preferences.
- Extensible: Use or write plugins and skills.
- Access: Ability to read and write to disk, execute commands, and more.
- Sandbox: Tools and agents can run inside Docker containers and require approval.

The agent already has an enormous list of official and custom integrations. Given the large feature set, Moltbot must also have a large attack surface. Let’s take a look at Moltbot from an agentic AI security perspective.

## Is Moltbot safe? Critical agentic AI security vulnerabilities

- Remote code execution (RCE): Coding issues in the gateway could allow attackers to run commands on the host system with the same permissions as the user, potentially leading to full system compromise. A researcher from depthfirst identified CVE-2026-25253, chaining two findings to execute code on the bot. Two more command injection CVEs have been identified (CVE-2026-24763 and CVE-2026-25157).
- Malicious skills: An OpenClaw bot at Koi identified a few hundred malicious skills in the ClawHub skills repo.
- Exposed control interfaces: Researchers from SlowMist and other firms found that many users misconfigure their setups, leaving the Clawdbot Control web interface publicly accessible on the internet without password protection.
- Authentication bypass: A flaw in how the gateway handles localhost connections allows external attackers to bypass login protections when the software is deployed behind a common reverse proxy (like Nginx).
- Sensitive data leaks: Moltbot stores authentication tokens (API keys), user profiles, and memories in plaintext Markdown and JSON files. Attackers who gain access can steal these keys to take over accounts or conduct Cognitive Context Theft using private conversation histories.
- Indirect prompt injection: Because the tool can read emails, chat messages, and web pages, malicious actors can send messages that trick the AI into executing unauthorized commands, such as exfiltrating data or deleting files.

## Recent risks and rebranding

- Trademark rebrand: On January 27, 2026, the project was renamed Moltbot following a legal request from Anthropic.
- Account hijacking: During the name change, the original @clawdbot handles on X and GitHub were immediately snatched by crypto scammers, who are now using them to promote fake tokens ($CLAWD) to the project's more than 60,000 followers.
- Second trademark rebrand: On January 29, the project was renamed OpenClaw.
- Malicious extensions: Fake "Clawdbot Agent" extensions for VS Code have been discovered. These fake extensions install trojans and remote access malware on users’ machines.

## Recommended security practices for Moltbot users

If you choose to run this software, security experts recommend several immediate hardening steps:

- Strict whitelisting: Use the OpenClaw Security Guide to explicitly whitelist only necessary tools and block dangerous shell execution capabilities.
- Verify gateway settings: Ensure gateway.auth.password is set and verify that your reverse proxy correctly passes headers so authentication is not bypassed.
- Use sandboxing: Enable sandbox mode for the AI agent to restrict its access to your filesystem and browser.
- Run security audits: Use the built-in security audit tool periodically to check for exposed ports or misconfigurations.
- Restrict token access: Moltbot uses API keys and other tokens to access services. These should all be scoped appropriately to allow just enough access and disallow dangerous actions.
- Privacy: Moltbot can be added to group channels where it can read and parse untrusted messages. To help mitigate the risk of prompt injection, grant access only to trusted people and channels.

## Tenable plugins for Moltbot and OpenClaw

Tenable One has detection plugins for Moltbot. A list of Tenable plugins for this vulnerability can be found on the search page for Moltbot and OpenClaw as they’re released. These links will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.
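Added example for the hardening steps above: a small Python audit that checks a gateway config for an unset password, a public bind address, proxy headers trusted without a proxy allowlist, a disabled sandbox, and shell-execution tools left enabled. This is not OpenClaw's built-in security audit tool and not code from the article. Only the key `gateway.auth.password` comes from the page; every other key name (`bind`, `trust_proxy_headers`, `trusted_proxies`, `sandbox.enabled`, `tools.allow`/`tools.deny`), the tool names, and the JSON layout are assumptions made for illustration, and the two sample configs are constructed.

```python
# Added example (not OpenClaw's own tool): audit a gateway config against the
# hardening points in the article. Only gateway.auth.password is taken from the
# page; every other key name, the tool names and the layout are assumed.
import json
import sys

# Tool names assumed to correspond to shell execution; adjust to the real names
# used by the deployment being audited.
DANGEROUS_TOOLS = {"shell", "exec", "bash"}

# Constructed sample: a deployment with the misconfigurations the article warns about.
WEAK_CONFIG = {
    "gateway": {
        "bind": "0.0.0.0",             # control interface reachable from any network
        "auth": {"password": ""},      # gateway.auth.password not set
        "trust_proxy_headers": True,   # but no list of proxies allowed to set them
    },
    "sandbox": {"enabled": False},
    "tools": {"allow": ["*"], "deny": []},
}

# Constructed sample: the same deployment after hardening.
HARDENED_CONFIG = {
    "gateway": {
        "bind": "127.0.0.1",
        "auth": {"password": "<long random password set at install time>"},
        "trust_proxy_headers": True,
        "trusted_proxies": ["127.0.0.1"],
    },
    "sandbox": {"enabled": True},
    "tools": {"allow": ["browser", "memory"], "deny": sorted(DANGEROUS_TOOLS)},
}


def audit(config):
    """Return a list of human-readable findings; an empty list means nothing was flagged."""
    findings = []
    gw = config.get("gateway", {})

    if not gw.get("auth", {}).get("password"):
        findings.append("gateway.auth.password is empty: the control interface is unauthenticated")

    bind = gw.get("bind", "127.0.0.1")
    if bind in ("", "0.0.0.0", "::"):
        findings.append(f"gateway bound to {bind!r}: reachable from every interface, not just localhost")

    if gw.get("trust_proxy_headers") and not gw.get("trusted_proxies"):
        findings.append("proxy headers trusted without a trusted_proxies list: any client can claim to be localhost")

    if not config.get("sandbox", {}).get("enabled"):
        findings.append("sandbox disabled: tools run directly on the host filesystem and shell")

    tools = config.get("tools", {})
    allow, deny = set(tools.get("allow", [])), set(tools.get("deny", []))
    if "*" in allow:
        findings.append("tool allowlist is a wildcard: whitelist only the tools actually needed")
        enabled_dangerous = DANGEROUS_TOOLS - deny
    else:
        enabled_dangerous = (DANGEROUS_TOOLS & allow) - deny
    for tool in sorted(enabled_dangerous):
        findings.append(f"shell-execution tool {tool!r} is enabled; deny it unless it is truly required")

    return findings


def audit_file(path):
    """Audit a JSON config file on disk (same assumed layout as the samples)."""
    with open(path, encoding="utf-8") as fh:
        return audit(json.load(fh))


if __name__ == "__main__":
    # Audit files named on the command line, or the constructed samples.
    targets = [(p, audit_file(p)) for p in sys.argv[1:]] or [
        ("weak sample", audit(WEAK_CONFIG)),
        ("hardened sample", audit(HARDENED_CONFIG)),
    ]
    for name, findings in targets:
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  -", finding)
```

The weak sample yields eight findings and the hardened one none. The check is deliberately fail-closed on missing keys: a config that says nothing about a password or a sandbox is reported as unauthenticated and unsandboxed rather than assumed safe.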
Analysis Summary
# Vulnerability: Multiple Critical Flaws in OpenClaw (formerly Moltbot/Clawdbot) AI Agent
## CVE Details
- **CVE ID:** CVE-2026-25253 (RCE via exploit chain), CVE-2026-24763 (Command Injection), CVE-2026-25157 (Command Injection)
- **CVSS Score:** Not explicitly rated in article (estimated Critical 9.0-10.0 based on RCE/Auth Bypass)
- **CWE:** CWE-78 (OS Command Injection), CWE-287 (Improper Authentication), CWE-94 (Code Injection)
## Affected Systems
- **Products:** OpenClaw / Moltbot / Clawdbot AI Assistant
- **Versions:** All versions prior to late January 2026; specifically identified during the viral adoption period.
- **Configurations:**
  - Deployments using the "Clawdbot Control" web interface without password protection.
  - Installations behind reverse proxies (e.g., Nginx) without proper header validation.
  - Agents with local disk access or shell execution enabled.
## Vulnerability Description
Security researchers have identified several critical flaws in the agentic AI framework:
1. **Remote Code Execution (RCE):** Coding errors in the gateway component allow attackers to execute system-level commands. One specific chain (CVE-2026-25253) allows full system compromise.
2. **Authentication Bypass:** A flaw in gateway localhost handling allows remote attackers to spoof local status when the agent is behind a reverse proxy, bypassing login requirements.
3. **Indirect Prompt Injection:** Because the agent reads untrusted data (emails, web pages), malicious input can trigger unauthorized actions like data exfiltration or file deletion.
4. **Credential Exposure:** The application stores API keys, tokens, and conversation history in plaintext Markdown and JSON files.
## Exploitation
- **Status:** **Exploited in the wild.** Active campaigns involve "ClawHub" malicious skills and fake VS Code extensions targeting users. Crypto scammers have also hijacked associated social handles.
- **Complexity:** Low to Medium
- **Attack Vector:** Network (unauthenticated web access/indirect injection)
## Impact
- **Confidentiality:** **High** (Plaintext API keys, private chat history, and tokens can be stolen)
- **Integrity:** **High** (Attackers can execute arbitrary commands or manipulate AI memory)
- **Availability:** **High** (Potential for file deletion and system takeover)
## Remediation
### Patches
- Users are advised to migrate to the latest **OpenClaw** (rebranded) releases. Explicit version numbers for permanent fixes should be verified via the official OpenClaw Security Guide.
### Workarounds
- **Authentication:** Enable `gateway.auth.password` and verify reverse proxy header integrity.
- **Sandboxing:** Enable mandatory Docker sandboxing for all agent tools.
- **Whitelisting:** Disable dangerous shell execution capabilities and restrict tool access to a "Need-to-Use" basis.
- **Token Management:** Scope API keys to the minimum required permissions (least privilege).
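Added example for the **Authentication** workaround above, showing the class of flaw behind the localhost bypass: a gateway that decides "this request is local, skip the password" from data a remote client can influence. It is not OpenClaw's code and does not reproduce the project's actual logic; the header name, the trusted-proxy address, the request shape, and the scenarios are assumptions. The weak and hardened checks are placed side by side so the difference in attribution is visible, and the decision function shows why the password should be required regardless.

```python
# Added example (not OpenClaw's code): the trust-the-forwarded-header flaw
# behind "reverse proxy makes everything look like localhost", next to a
# hardened attribution. Header name, proxy address and scenarios are assumed.
import ipaddress

# Assumption: the reverse proxy (e.g. Nginx) runs on the same host and reaches
# the gateway over loopback, so its connections arrive from these addresses.
TRUSTED_PROXIES = {"127.0.0.1", "::1"}


def is_local_weak(peer_ip, headers):
    """Weak check: believes the first X-Forwarded-For entry, which the client wrote."""
    claimed = headers.get("X-Forwarded-For", peer_ip).split(",")[0].strip()
    return ipaddress.ip_address(claimed).is_loopback


def effective_client_ip(peer_ip, headers):
    """Hardened attribution: only a known proxy may vouch for a client address,
    and only the entry the proxy itself appended (the last one) is believed.
    Returns None when the origin cannot be established."""
    if peer_ip not in TRUSTED_PROXIES:
        return peer_ip  # direct connection: the socket peer is the truth
    hops = [h.strip() for h in headers.get("X-Forwarded-For", "").split(",") if h.strip()]
    if not hops:
        # The connection comes from the proxy's address but carries no
        # forwarding header: a proxy that does not pass headers and a genuinely
        # local client are indistinguishable here, so fail closed.
        return None
    return hops[-1]


def is_local_hardened(peer_ip, headers):
    ip = effective_client_ip(peer_ip, headers)
    if ip is None:
        return False
    try:
        return ipaddress.ip_address(ip).is_loopback
    except ValueError:  # malformed address in the header: never treat as local
        return False


def allow_request(peer_ip, headers, password_ok, local_bypass=False):
    """Hardened decision: the password is always sufficient and normally
    required; a local bypass must be opted into explicitly and then applies
    only to a properly attributed loopback client."""
    if password_ok:
        return True
    return local_bypass and is_local_hardened(peer_ip, headers)


if __name__ == "__main__":
    # Constructed scenarios; 203.0.113.5 is a documentation address.
    scenarios = {
        "local client, no proxy":           ("127.0.0.1", {}),
        "remote via proxy, honest header":  ("127.0.0.1", {"X-Forwarded-For": "203.0.113.5"}),
        "remote via proxy, spoofed header": ("127.0.0.1", {"X-Forwarded-For": "127.0.0.1, 203.0.113.5"}),
        "remote direct, spoofed header":    ("203.0.113.5", {"X-Forwarded-For": "127.0.0.1"}),
    }
    for name, (peer, hdrs) in scenarios.items():
        print(f"{name:34} weak={is_local_weak(peer, hdrs)!s:5} "
              f"hardened={is_local_hardened(peer, hdrs)}")
```

The "spoofed header" rows are the point: the weak check reports them as local, the hardened one does not. The cost of the hardened path is the first row, where a genuinely local client that shares the proxy's loopback address is also refused the bypass; that is the intended trade-off, and the practical fix is to require the password for everyone rather than to widen what counts as local.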
## Detection
- **Indicators of Compromise:**
  - Unauthorized shell commands in system logs.
  - "$CLAWD"-related crypto promotions from the hijacked @clawdbot handles on X and GitHub.
  - Unrecognized VS Code extensions labeled "Clawdbot Agent".
- **Detection methods and tools:**
  - Use the built-in **OpenClaw Security Audit Tool**.
  - Utilize Tenable One detection plugins for Moltbot/OpenClaw.
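Added example for the credential-exposure finding (plaintext API keys, tokens, and memories in Markdown and JSON files): a Python scanner that walks an agent's data directory, flags Markdown/JSON files containing key-shaped strings, and reports files readable by other local users. It is not part of the article or of OpenClaw; the directory layout, file names, and sample contents are constructed, and the credential shapes it matches are the publicly documented formats (the AWS value is AWS's own documentation example).

```python
# Added example (not the article's or OpenClaw's code): find plaintext
# credentials and loose permissions in Markdown/JSON files. Layout, file names
# and sample contents are constructed; the key formats are the public ones.
import os
import re
import stat
import tempfile

# Ordered so that the specific format is reported before the generic one.
PATTERNS = [
    ("openai-style key", re.compile(r"\bsk-[A-Za-z0-9]{20,}")),
    ("github token", re.compile(r"\bghp_[A-Za-z0-9]{36}\b")),
    ("aws access key id", re.compile(r"\bAKIA[0-9A-Z]{16}\b")),
    ("generic credential assignment",
     re.compile(r"(api[_-]?key|token|secret)[\"']?\s*[:=]\s*[\"']?[A-Za-z0-9_\-]{16,}", re.I)),
]
SCANNED_SUFFIXES = (".md", ".json")


def scan_text(text):
    """Return [(line_number, [pattern names])] for each line that looks like a credential."""
    hits = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        kinds = [name for name, rx in PATTERNS if rx.search(line)]
        if kinds:
            hits.append((lineno, kinds))
    return hits


def loose_permissions(mode):
    """True if group or others hold any permission bit on the file."""
    return bool(stat.S_IMODE(mode) & 0o077)


def scan_dir(root):
    """Return {relative_path: {"secrets": [...], "loose_permissions": bool}} for flagged files."""
    report = {}
    for dirpath, _, files in os.walk(root):
        for fname in files:
            if not fname.endswith(SCANNED_SUFFIXES):
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8", errors="replace") as fh:
                secrets = scan_text(fh.read())
            loose = loose_permissions(os.stat(path).st_mode)
            if secrets or loose:
                report[os.path.relpath(path, root)] = {"secrets": secrets, "loose_permissions": loose}
    return report


# Constructed sample files; the key values are made up and match only the shape.
SAMPLE_MEMORY_MD = (
    "# memory\n"
    "User prefers short answers.\n"
    "OPENAI_API_KEY=sk-EXAMPLE0123456789abcdefghij\n"
)
SAMPLE_PROFILE_JSON = '{"name": "sample", "github": {"token": "ghp_0123456789abcdef0123456789abcdef0123"}}\n'
SAMPLE_NOTES_MD = "# notes\nNothing sensitive here.\n"


if __name__ == "__main__":
    # Write the constructed samples to a temporary directory and scan it.
    with tempfile.TemporaryDirectory() as root:
        for name, body, mode in [("memory.md", SAMPLE_MEMORY_MD, 0o644),
                                 ("profile.json", SAMPLE_PROFILE_JSON, 0o600),
                                 ("notes.md", SAMPLE_NOTES_MD, 0o600)]:
            path = os.path.join(root, name)
            with open(path, "w", encoding="utf-8") as fh:
                fh.write(body)
            os.chmod(path, mode)
        for path, info in scan_dir(root).items():
            print(path, info)
```

On the samples, `memory.md` is flagged twice (an OpenAI-style key and a world-readable mode of 0644) and `profile.json` once (a GitHub token), while `notes.md` is clean. A match is a prompt to move the value into a secrets store and tighten the file mode, not proof of a live key; the generic pattern in particular will also catch placeholders.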
## References
- Tenable Blog: hxxps://www[.]tenable[.]com/blog/agentic-ai-security-how-to-mitigate-clawdbot-moltbot-openclaw-vulnerabilities
- OpenClaw Security Guide: hxxps://docs[.]openclaw[.]ai/gateway/security
- Vulnerability Feeds: hxxps://www[.]tenable[.]com/plugins/search?q=openclaw