Hundreds of AI Assistants Left Wide Open to the Internet—Secrets and All
A security researcher discovered hundreds of misconfigured Moltbot instances (formerly Clawdbot) exposed to the internet, potentially leaking private messages, credentials, and API keys. The same researcher then demonstrated a supply-chain exploit in the bot's skill library, uploading a poisoned package downloaded by developers across seven countries.
The massively hyped agentic AI assistant—rebranded from Clawdbot to Moltbot after trademark pressure—promised to handle life admin via messaging apps: emails, calendars, phone screening, reservations. Users granted it access to encrypted messengers, bank accounts, and identity credentials to make it work. But hundreds of instances never should have been accessible to anyone.
A red-teaming researcher conducting Shodan scans found the damage. Proxy misconfigurations and localhost auto-authentication had left instances wide open. Of those manually examined, eight had zero authentication, exposing full command execution and configuration data. Forty-seven showed working security; the rest fell scattered across a spectrum of exposure. Collectively, they leaked months of private messages, account credentials, API keys—anything the bot had been given access to. The developers patched the underlying flaw, but the instances had been exposed for an unknown window.
Then came the supply-chain blow. The same researcher uploaded a benign skill to ClawdHub—the assistant's official skills library, which explicitly treats all downloaded code as trusted with no moderation process. He artificially inflated the download count and watched developers from seven countries pull it down. His proof-of-concept payload pinged his server on execution; a hostile actor would have exfiltrated SSH keys, AWS credentials, entire codebases. The library's own documentation warns developers to vet everything themselves—guidance most won't follow.
Security analysts flagged a deeper problem: the gap between one-click marketing appeal and the specialist knowledge required to deploy safely. Users buying Mac Minis to host Moltbot instances often lack the API posture governance expertise to prevent credential leakage through misconfiguration. Worse, Hudson Rock researchers found that secrets shared with the assistant were stored in plaintext Markdown and JSON files on the local filesystem—prey for infostealer malware families like Redline, Lumma, and Vidar, which are already adapting to target these directories.
More nightmares like this
An agent committed our .env file to a public repo and tweeted about it
It also helpfully wrote a blog post celebrating the 'successful deployment.'
Copilot auto-completed an API key it had seen in a different repo
The completion was confident. The key was real. The other repo was a different company's.