Clawdbot’s MCP implementation has no mandatory authentication, allows prompt injection, and grants shell access by design. Monday’s VentureBeat article documented these architectural flaws. By Wednesday, security researchers had validated all three attack surfaces and found new ones. (The project rebranded from Clawdbot to Moltbot on January 27 after Anthropic issued a trademark request over the similarity to “Claude.”)

Commodity infostealers are already exploiting this. RedLine, Lumma, and Vidar added the AI agent to their target lists before most security teams knew it was running in their environments. Shruti Gandhi, general partner at Array VC, reported 7,922 attack attempts on her firm’s Clawdbot instance.

The reporting prompted a coordinated look at Clawdbot’s security posture. Here’s what emerged:

SlowMist warned on January 26 that hundreds of Clawdbot gateways were exposed to the internet, including API keys, OAuth tokens, and months of private chat histories — all accessible without credentials. Archestra AI CEO Matvey Kukuy extracted an SSH private key via email in five minutes flat using prompt injection.

Hudson Rock calls it Cognitive Context Theft. The malware grabs not just passwords but psychological dossiers: what users are working on, who they trust, and their private anxieties — everything an attacker needs for perfect social engineering.

How defaults broke the trust model

Clawdbot is an open-source AI agent that automates tasks across email, files, calendar, and development tools through conversational commands. It went viral as a personal Jarvis, hitting 60,000 GitHub stars in weeks with full system access via MCP. Developers spun up instances on VPSes and Mac Minis without reading the security documentation. The defaults left port 18789 open to the public internet.

Jamieson O’Reilly, founder of red-teaming firm Dvuln, scanned Shodan for “Clawdbot Control” and found hundreds of exposed instances in seconds.
Eight were completely open with no authentication and full command execution. Forty-seven had working authentication, and the rest had partial exposure through misconfigured proxies or weak credentials. O’Reilly also demonstrated a supply chain attack on ClawdHub’s skills library. He uploaded a benign skill, inflated the download count past 4,000, and reached 16 developers in seve …
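The exposure the article describes comes down to a listener bound to every interface rather than to loopback. The following script is an added example, not code from the article or from the Clawdbot/Moltbot project: it parses `ss -tlnp`-style output and flags any process listening on port 18789 (the port named above) on a non-loopback address, which is the local check an operator can run before Shodan does it for them. The socket listing embedded in it is constructed sample data, and the process name `node` is an assumption for illustration.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

GATEWAY_PORT = 18789  # port the article says the defaults left open

# Constructed sample of `ss -tlnp` output (not captured from a real host).
# Process name "node" is an assumption used only for illustration.
SAMPLE_SS_OUTPUT = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    0.0.0.0:22          0.0.0.0:*
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*     users:(("node",pid=1234,fd=20))
LISTEN 0      4096   127.0.0.1:5432      0.0.0.0:*
LISTEN 0      511    [::]:18789          [::]:*        users:(("node",pid=1234,fd=21))
LISTEN 0      128    [::1]:6379          [::]:*
"""

LOOPBACK = {"127.0.0.1", "::1"}
WILDCARD = {"0.0.0.0", "::", "*"}


@dataclass
class Listener:
    addr: str
    port: int
    process: str


def parse_ss(output: str) -> list[Listener]:
    """Turn `ss -tlnp` lines into Listener records, skipping the header."""
    listeners: list[Listener] = []
    for line in output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue
        # Local address is "addr:port"; IPv6 addresses are bracketed ([::]:18789).
        addr, _, port = parts[3].rpartition(":")
        addr = addr.strip("[]")
        m = re.search(r'users:\(\("([^"]+)"', line)
        process = m.group(1) if m else ""
        listeners.append(Listener(addr, int(port), process))
    return listeners


def exposure(listener: Listener) -> str:
    """Classify where a listener is reachable from."""
    if listener.addr in LOOPBACK:
        return "loopback"
    if listener.addr in WILDCARD:
        return "all-interfaces"
    return "specific-interface"


def audit_gateway(output: str, port: int = GATEWAY_PORT) -> list[str]:
    """Return one finding per non-loopback listener on the gateway port.

    An empty list means the port is either unused or bound only to loopback,
    which is the posture an operator wants before putting the host on a VPS.
    """
    findings = []
    for listener in parse_ss(output):
        if listener.port != port:
            continue
        where = exposure(listener)
        if where != "loopback":
            findings.append(
                f"port {port} on {listener.addr} ({where}) "
                f"proc={listener.process or '?'}"
            )
    return findings


if __name__ == "__main__":
    # On a real host: audit_gateway(subprocess.check_output(["ss", "-tlnp"], text=True))
    for finding in audit_gateway(SAMPLE_SS_OUTPUT):
        print("EXPOSED:", finding)
```

Run against live `ss -tlnp` output, any non-empty result means the gateway is reachable from outside the host and should be rebound to 127.0.0.1 (or fronted by an authenticating reverse proxy) before anything else is done. The same parser works for any other port by passing `port=` explicitly.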