
Clawdbot: Hyped AI agent risks leaking personal data, security experts warn

Clawdbot by Peter Steinberger. © Clawd.bot

It is currently the latest craze in the fast-paced AI circus: Clawdbot. This is an AI assistant created by Austrian founder and developer Peter Steinberger, which is intended to serve as a personal virtual butler installed locally on users’ own devices. Instead of having to use it in a separate app, you can interact with it via Telegram, WhatsApp, Signal, or iMessage, and you can optionally connect a preferred LLM, such as Claude from Anthropic, a GPT model from OpenAI, or – if you are technically very proficient – an open-source model.

Clawdbot has gone viral via GitHub and X in recent days – at least among all those tech-savvy individuals who can set up such software themselves. But as appealing as the idea of a completely personal AI assistant running locally on your own hardware instead of Big Tech’s cloud centers is, there are indeed some compromises to accept, especially if you don’t fully understand how to set up such software properly.

The reason: cybersecurity experts have identified serious security vulnerabilities in the AI-powered personal assistant Clawdbot that endanger sensitive user data and access credentials. The blockchain security firm SlowMist announced earlier this week that a vulnerability in the system’s gateway exposes several hundred API keys and private chat histories to public access.

Numerous unauthenticated instances are accessible over the internet, with multiple code errors potentially leading to credential theft and even remote code execution. Security researcher Jamieson O’Reilly has already documented the issue in detail over the weekend and found that hundreds of users are operating their Clawdbot control servers unprotected on the internet.

The security vulnerability apparently arises from an authentication bypass when the gateway is operated behind an improperly configured reverse proxy. The system connects large language models with messaging platforms and executes commands on behalf of users via a web admin interface called Clawdbot Control.

O’Reilly was able to identify exposed servers using internet scanning tools like Shodan by searching for characteristic HTML fingerprints. A simple search for the term Clawdbot Control yielded hundreds of results within seconds. The affected instances grant access to complete configuration data including API keys, bot tokens, OAuth secrets, and signature keys, as well as complete conversation histories across all integrated chat platforms.

Completely open systems with root access discovered

During his investigation, O’Reilly discovered several completely unprotected instances without any authentication. In two cases, the WebSocket handshake granted immediate access to configuration data containing Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, and months of conversation histories. Particularly alarming was a case in which a user had set up his Signal messenger account on a publicly accessible Clawdbot server, with pairing credentials lying in globally readable temporary files.

Another exposed system of an AI software agency allowed unauthenticated users to execute arbitrary commands on the host system, which was operated with root privileges without privilege separation. The CEO of Archestra AI, Matvey Kukuy, demonstrated the severity of the vulnerability by extracting a private key from a compromised system via prompt injection within five minutes.

The technical cause lies in the design of Clawdbot’s authentication mechanisms. While the system has cryptographic device identity with challenge-response protocol, it automatically grants localhost connections without authentication. This default setting proves problematic because most real-world deployments run behind nginx or Caddy as a reverse proxy on the same server. All connections then appear to come from 127.0.0.1 and are treated as local, so external access is also automatically granted. A configuration option for trusted proxies exists, but remains empty by default, causing the gateway to ignore X-Forwarded-For headers and use only the socket address.
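The following is an added illustration of the trust logic described above, not Clawdbot’s own code: a gateway that auto-grants any loopback peer mistakes a local reverse proxy for the end user, while a variant that only believes X-Forwarded-For from configured trusted proxies (and fails closed when a forwarding header arrives from an unknown peer) does not. All addresses are constructed examples from RFC 5737 ranges.

```python
import ipaddress

def effective_client_ip(remote_addr, headers, trusted_proxies):
    """Resolve the real client address behind an optional reverse proxy.

    remote_addr: peer address of the TCP socket as the gateway sees it.
    headers: request headers with lower-case keys (hypothetical plain dict).
    trusted_proxies: set of proxy addresses whose X-Forwarded-For is believed.
    """
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("x-forwarded-for")
    if str(peer) in trusted_proxies and xff:
        # nginx and Caddy append the downstream address as the last hop;
        # only the hop appended by the trusted proxy itself can be believed,
        # earlier entries may have been supplied by the client.
        return ipaddress.ip_address(xff.split(",")[-1].strip())
    return peer

def auto_grant_vulnerable(remote_addr, headers):
    """Default behaviour described in the article: any loopback peer is
    treated as local and skips authentication, whatever the headers say."""
    return ipaddress.ip_address(remote_addr).is_loopback

def auto_grant_hardened(remote_addr, headers, trusted_proxies):
    """Grant only when the *effective* client is loopback.

    A forwarding header from a peer that is not a configured trusted proxy
    means something sits in front of the gateway that we know nothing about,
    so the request is treated as remote (fail closed)."""
    peer = ipaddress.ip_address(remote_addr)
    if "x-forwarded-for" in headers and str(peer) not in trusted_proxies:
        return False
    return effective_client_ip(remote_addr, headers, trusted_proxies).is_loopback

if __name__ == "__main__":
    # Constructed request as forwarded by a local nginx for an internet client.
    fwd = {"x-forwarded-for": "203.0.113.7"}
    print("vulnerable:", auto_grant_vulnerable("127.0.0.1", fwd))          # True
    print("hardened, no trusted proxies:", auto_grant_hardened("127.0.0.1", fwd, set()))
    print("hardened, proxy trusted:", auto_grant_hardened("127.0.0.1", fwd, {"127.0.0.1"}))
```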

Fundamental security considerations for autonomous AI agents

The vulnerability reveals fundamental tensions in the architecture of autonomous AI systems. Clawdbot differs from other AI assistants through complete system access on user machines, including the ability to read and write files, execute commands, launch scripts, and control browsers.

The project’s FAQ acknowledges that there is no perfectly secure setup when operating an AI agent with shell access. The threat model includes attempts by malicious actors to induce the AI to perform harmful actions, gain access to data through social engineering, and spy on infrastructure details. O’Reilly emphasizes that the functional requirements of such agents inevitably violate established security models: they must read messages, store credentials, execute commands, and maintain persistent state to be useful.

SlowMist urgently recommends applying strict IP whitelisting measures on exposed ports. Security experts call for better default configurations that protect users who do not read hardening guides. Software that is typically operated behind reverse proxies should assume this configuration from the outset. Agent credential stores must be treated with the same sensitivity as professional secrets management systems, as they concentrate multiple high-value access credentials in a network-accessible location.

O’Reilly has submitted a pull request with proposed hardening measures and urges operators of agent infrastructure to review their configurations immediately. The issue signals a broader challenge for the industry: while the economics of autonomous systems make their proliferation inevitable, the security posture must adapt quickly enough to enable their safe use.
