Agent of Chaos: Why Cybersecurity Experts Are Terrified of the “Viral” Moltbot AI Assistant
The burgeoning popularity of the AI assistant Moltbot—formerly known as Clawdbot, a nomenclature abandoned following trademark disputes with Anthropic—has provoked profound trepidation among cybersecurity luminaries. Marketed as a personal aide with sophisticated agentic capabilities, the tool demands extensive access to instant messengers, electronic mail, calendars, and even financial repositories, a requirement experts contend engenders catastrophic risks.
Orchestrated through platforms such as WhatsApp or Telegram, Moltbot possesses the autonomy to draft correspondence, curate schedules, intercept telecommunications, and secure restaurant reservations. While ostensibly convenient, these functionalities necessitate unfettered access to a user’s digital identity. In a bid for greater sovereignty, many aficionados have taken to deploying private instances of Moltbot on dedicated hardware, such as the Mac Mini.
Jamieson O’Reilly, the progenitor of Dvuln, identified hundreds of publicly exposed Clawdbot instances across the global network, many of which suffered from misconfigurations poised to exfiltrate sensitive intelligence. A vulnerability involving flawed proxy configurations and automated localhost authentication—since remediated by the developers—could have, if exploited, granted adversaries access to months of private discourse, authentication credentials, and API keys.
Telemetry from Shodan, corroborated by independent researchers, unveiled hundreds of exposed instances. Eight of these lacked any semblance of authentication, offering total dominion over command execution and configuration oversight. Forty-seven remained fortified, while the remainder occupied a precarious middle ground of varying security efficacy.
In a subsequent disclosure, O’Reilly demonstrated a supply chain exploit targeting ClawdHub, the assistant’s repository for modular skills. By uploading a public skill and artificially inflating its download metrics to exceed 4,000, he observed developers from seven nations ingest the package. Though the payload remained benign, the experiment substantiated the potential for remote command execution across Moltbot instances. The developer mandates for ClawdHub explicitly state that all library code is deemed “trusted” by default; with no formal moderation in place, the burden of scrutiny rests solely upon the end-user.
Erik Schweig, Director of Cybersecurity Strategy at Salt Security, highlights the disparity between user enthusiasm for simplified installation and the technical acumen required to secure an agentic gateway. Users often create a substantial “blind spot,” failing to monitor the corporate and personal tokens they have granted to the system. Furthermore, Hudson Rock has discovered that numerous secrets entrusted to Moltbot are preserved as plain text within Markdown and JSON files. Should the host machine succumb to info-stealing malware—such as Redline, Lumma, or Vidar—these credentials would be compromised instantaneously. With write access, an antagonist could transform Moltbot into a persistent backdoor.
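As an added example, not code from the article or from the Moltbot project, the following audit targets the failure mode Hudson Rock describes: it walks an agent's data directory and flags credential-named JSON keys holding literal values and token-shaped strings inside Markdown notes, while accepting environment-variable references in place of literals. The file names, key names and token prefixes are assumptions constructed for the demo.

```python
import json
import re
import tempfile
from pathlib import Path

# Key names that commonly hold credentials (assumption; extend for your deployment).
SECRET_KEY_RE = re.compile(r"(api[_-]?key|token|secret|password|passwd|credential)", re.I)
# Token-shaped literals: well-known prefixes or long opaque alphanumeric runs.
TOKEN_VALUE_RE = re.compile(r"\b(sk-[A-Za-z0-9_-]{16,}|ghp_[A-Za-z0-9]{20,}|[A-Za-z0-9_-]{32,})\b")
# A value like "${OPENAI_API_KEY}" is a reference, not a stored secret.
ENV_REF_RE = re.compile(r"^\$\{?[A-Z][A-Z0-9_]*\}?$")


def _walk_json(node, path, findings, fname):
    """Recursively flag dict entries whose key looks secret and whose value is a literal."""
    if isinstance(node, dict):
        for k, v in node.items():
            if isinstance(v, str) and v and SECRET_KEY_RE.search(k):
                if not ENV_REF_RE.match(v):
                    findings.append((fname, f"{path}.{k}".lstrip("."), "json-key"))
            else:
                _walk_json(v, f"{path}.{k}", findings, fname)
    elif isinstance(node, list):
        for i, v in enumerate(node):
            _walk_json(v, f"{path}[{i}]", findings, fname)


def scan_agent_dir(root):
    """Return sorted (file, location, kind) tuples for plaintext secrets found under root."""
    findings = []
    for p in Path(root).rglob("*"):
        if p.suffix == ".json":
            try:
                _walk_json(json.loads(p.read_text()), "", findings, p.name)
            except json.JSONDecodeError:
                continue  # not a config file we can reason about; skip it
        elif p.suffix == ".md":
            for lineno, line in enumerate(p.read_text().splitlines(), 1):
                if TOKEN_VALUE_RE.search(line):
                    findings.append((p.name, f"line {lineno}", "md-token"))
    return sorted(findings)


def demo():
    # Constructed sample files for this demo, not real agent data.
    d = Path(tempfile.mkdtemp())
    (d / "config.json").write_text(json.dumps(
        {"model": "x", "openai_api_key": "sk-" + "A" * 20, "nested": {"slack_token": "xoxb-1234"}}))
    (d / "notes.md").write_text("# Memory\nUser's GitHub token is ghp_" + "B" * 24 + "\nLunch at noon\n")
    (d / "safe.json").write_text(json.dumps({"model": "x", "api_key": "${OPENAI_API_KEY}"}))
    return scan_agent_dir(d)
```

Running `demo()` reports the two literal keys in `config.json` and the token on line 2 of `notes.md`, and stays silent on `safe.json`, whose key points at an environment variable instead of embedding the value.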
O’Reilly posits a more fundamental dilemma: for two decades, the industry has meticulously constructed security perimeters—process isolation, permission models, and firewalls. AI agents, by their very nature, dismantle these barriers, requiring cross-functional access to files and credentials to execute their mandates. Heather Adkins, Vice President of Security Engineering at Google Cloud, has explicitly cautioned against the installation of Clawdbot, while security consultant Yasin Aboukir questions the fundamental wisdom of granting such a nascent utility comprehensive systemic authority.