Rebranding

Clawdbot Becomes Moltbot After Anthropic Trademark Issue

© Molt.bot

The name began as a play on words referring to Claude, Anthropic’s AI models: with Clawdbot, Austrian developer and founder Peter Steinberger (ex-PSPDFKit) recently scored an AI hit. The bot can be installed locally on your own hardware (e.g., a Mac Mini) and then used via digital channels like Telegram, WhatsApp, or Signal – essentially an open-source alternative to common chatbots like ChatGPT.

When naming the project, Steinberger, who recommends Anthropic’s Claude Opus 4.5 AI model when connecting to the AI agent, drew inspiration from “Claude.” This became “Clawd,” and the claw was quickly extended into a crustacean theme in the logo and communications. Anthropic, which as reported is currently experiencing its ChatGPT moment and could have a mega-IPO in 2026, was not quite so “amused” by the name similarity.

Anthropic Intervened Over Trademark Rights

And so Steinberger quickly decided to rename Clawdbot to Moltbot – the crustacean has thus “molted.” “Anthropic asked us to change our name (trademark stuff), and honestly? Molt fits perfectly – it’s what lobsters do to grow,” the brief statement on the rebranding says. Otherwise, everything remains the same.

With Clawdbot/Moltbot, Steinberger has created an AI assistant that operates entirely on local hardware and can be controlled via established messaging services. The open-source project received considerable attention from the developer community in a very short time; at the same time, security researchers identified serious vulnerabilities that endanger sensitive user data.

The software enables comprehensive system interactions: it reads and writes files, executes shell commands, controls web browsers, and automatically fills out forms. Users communicate with the assistant via WhatsApp, Telegram, Signal, iMessage, or other platforms without needing to open a dedicated application. The architecture is based on a central gateway that communicates with various messaging services via WebSocket. The system automatically manages emails and calendars, extracts data from websites, executes scripts, and integrates over 50 external services. Optional companion apps exist for macOS, iOS, and Android, providing additional features such as voice control or camera access.

Security Vulnerabilities Endanger User Data

While Steinberger’s project includes a sandbox mode for group chats by default and implements a pairing mechanism for unknown senders, cybersecurity experts have uncovered fundamental vulnerabilities. Security firm SlowMist announced earlier this week that an authentication bypass in the gateway system makes several hundred API keys and private conversation histories publicly accessible. Security researcher Jamieson O’Reilly documented over the weekend that hundreds of users operate their Clawdbot control servers unprotected on the internet. Using internet scanning tools like Shodan, exposed servers can be identified within seconds through characteristic HTML fingerprints.

The technical cause lies in the authentication logic: the system automatically approves localhost connections without authentication, which proves problematic when the software runs behind a reverse proxy on the same server. All connections then appear as local and are automatically authorized, even though they actually originate externally. O’Reilly discovered completely unprotected instances that granted immediate access to Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, and months of conversation histories.
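The localhost-trust flaw described above, as an added example (not Clawdbot/Moltbot code): the naive check trusts the socket peer alone, while the hardened check resolves the client from `X-Forwarded-For` only when the peer is a declared proxy and fails closed otherwise. The function names, the `cfg` fields and the sample requests are assumptions constructed for illustration.

```javascript
// Added illustration; all names are hypothetical, not Clawdbot/Moltbot code.
const LOOPBACK = new Set(["127.0.0.1", "::1"]);
const normalize = (ip) => String(ip || "").trim().replace(/^::ffff:/i, "");

// Flawed pattern from the article: trust is decided from the socket peer alone.
// Behind a same-host reverse proxy the peer is always loopback.
function naiveSkipsAuth(req) {
  return LOOPBACK.has(normalize(req.socket.remoteAddress));
}

// Hardened: work out the real client first. cfg.behindProxy and
// cfg.trustedProxies (a Set of proxy addresses) are operator-set assumptions.
function resolveClientIp(req, cfg) {
  const peer = normalize(req.socket.remoteAddress);
  const xff = req.headers["x-forwarded-for"];
  if (!cfg.behindProxy) return xff ? null : peer; // unexpected proxy header: fail closed
  if (!cfg.trustedProxies.has(peer)) return peer; // not our proxy: ignore its headers
  if (!xff) return null;                          // proxy sent no client address: fail closed
  // Walk right to left: the first hop that is not one of our proxies is the client.
  const hops = xff.split(",").map(normalize);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!cfg.trustedProxies.has(hops[i])) return hops[i];
  }
  return null; // only proxy addresses listed: origin unknown
}

function skipsAuth(req, cfg) {
  const ip = resolveClientIp(req, cfg);
  return ip !== null && LOOPBACK.has(ip);
}

// Constructed sample requests (203.0.113.7 is a documentation address).
const proxied = { socket: { remoteAddress: "127.0.0.1" },
                  headers: { "x-forwarded-for": "127.0.0.1, 203.0.113.7" } };
const direct = { socket: { remoteAddress: "127.0.0.1" }, headers: {} };
const cfg = { behindProxy: true, trustedProxies: new Set(["127.0.0.1"]) };

console.log(naiveSkipsAuth(proxied), skipsAuth(proxied, cfg)); // true false
console.log(skipsAuth(direct, { behindProxy: false, trustedProxies: new Set() })); // true
```

The spoofed leading `127.0.0.1` in the sample header is ignored because the walk starts from the hop the proxy itself appended.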

Particularly alarming was a case in which a user had set up his Signal messenger account on a publicly accessible server. Another exposed system had no privilege separation and allowed the execution of arbitrary commands with root privileges. Matvey Kukuy, CEO of Archestra AI, demonstrated the severity of the vulnerability by extracting a private key from a compromised system via prompt injection within five minutes.

Recommendations and Fundamental Challenges

SlowMist urgently recommends applying strict IP whitelisting on exposed ports. O’Reilly has submitted a pull request with hardening measures and urges operators to review their configurations immediately. Security experts are calling for improved default configurations that protect users who do not fully implement security guidelines. The project’s documentation acknowledges that no perfectly secure setup exists when operating an AI agent with shell access. The threat model includes attempts by malicious actors to induce the AI to perform harmful actions, gain access through social engineering, and spy on infrastructure details.

The issue reveals fundamental tensions in the architecture of autonomous AI systems: to be useful, such agents must read messages, store credentials, execute commands, and maintain persistent states – requirements that inevitably violate established security models. Credential stores of agents concentrate multiple high-value access credentials at a network-accessible location and should be treated with the same sensitivity as professional secrets management systems. While the economics of autonomous systems drive their proliferation, the industry’s security posture must adapt quickly enough to enable their safe use. Clawdbot demonstrates both the potential of decentralized, transparent AI assistants under full user control and the significant security challenges that come with this approach.
