Tuesday, January 27, 2026
The Bit Gazette

Hundreds of Clawdbot AI assistants leak API keys and private chats through open gateways

A newly identified Clawdbot vulnerability has sparked security warnings after researchers found hundreds of exposed AI control servers leaking sensitive data.

by Victor Ohagwasi
2 hours ago
in Crypto News

Hundreds of misconfigured Clawdbot AI assistants are exposing private chat logs, API keys, cryptocurrency private keys, and system-level access to the public internet, according to security researchers who discovered the vulnerability over the weekend.

The issue, disclosed over the weekend and confirmed by multiple security firms, underscores the growing risks tied to rapidly deployed agentic AI tools.

The findings center on Clawdbot, a locally run AI personal assistant developed by entrepreneur Peter Steinberger.

While designed to give users full control over their data by running on-device, the Clawdbot vulnerability arises when its gateway infrastructure is improperly exposed online, often without authentication or access controls.

Clawdbot vulnerability exposes API keys and private conversations

Blockchain security firm SlowMist said on Tuesday that it identified a widespread “gateway exposure” affecting Clawdbot deployments, warning that hundreds of users may have unknowingly placed sensitive credentials at risk.

“Multiple unauthenticated instances are publicly accessible, and several code flaws may lead to credential theft and even remote code execution,” — SlowMist, in a public security advisory.

According to SlowMist, exposed Clawdbot gateways could allow attackers to retrieve API keys for large language models, OAuth secrets, bot tokens, signing keys, and full conversation histories across messaging platforms.

In some cases, attackers could also execute commands remotely, depending on how the assistant was configured.

The Clawdbot vulnerability was first detailed by independent security researcher Jamieson O’Reilly, who said he discovered hundreds of publicly accessible Clawdbot control servers within days of the tool going viral online.

“Hundreds of people have set up their Clawdbot control servers exposed to the public over the last few days,” — Jamieson O’Reilly, security researcher.

O’Reilly explained that the issue typically occurs when Clawdbot’s gateway is placed behind an unconfigured reverse proxy, bypassing authentication entirely.
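
The bypass described above can be modelled in a few lines. This is an added example, not Clawdbot's code: it assumes a gateway that auto-trusts loopback connections (the article does not describe the actual authentication logic), and `naive_allows`, `hardened_allows`, `behind_proxy` and `SECRET` are hypothetical names.

```python
import hmac
import ipaddress

SECRET = "constructed-demo-token"  # constructed value, not a real credential
FORWARDING_HEADERS = {"x-forwarded-for", "x-real-ip", "forwarded"}


def is_loopback(addr):
    return ipaddress.ip_address(addr).is_loopback


def token_ok(token):
    return token is not None and hmac.compare_digest(token, SECRET)


def naive_allows(peer_ip, headers, token=None):
    """Weak model (assumed): a loopback TCP peer is taken to be the owner."""
    return is_loopback(peer_ip) or token_ok(token)


def hardened_allows(peer_ip, headers, token=None, behind_proxy=True):
    """Loopback trust only for direct connections on a proxy-less deployment."""
    forwarded = any(name.lower() in FORWARDING_HEADERS for name in headers)
    if not behind_proxy and not forwarded and is_loopback(peer_ip):
        return True
    return token_ok(token)


# Constructed requests as the gateway sees them: (label, TCP peer, headers).
# A same-host reverse proxy makes every internet client arrive from 127.0.0.1,
# so the first two cases are indistinguishable to the gateway.
CASES = [
    ("owner on the machine, no proxy", "127.0.0.1", {}),
    ("internet client, proxy adds no headers", "127.0.0.1", {}),
    ("internet client, proxy adds X-Forwarded-For", "127.0.0.1",
     {"X-Forwarded-For": "203.0.113.50"}),
]


def run_cases():
    """Return (label, naive decision, hardened decision) without a token."""
    return [(label, naive_allows(peer, hdrs), hardened_allows(peer, hdrs))
            for label, peer, hdrs in CASES]


if __name__ == "__main__":
    for label, weak, strong in run_cases():
        print(f"{label:45} naive={weak!s:5} hardened={strong}")
```

Because the peer address carries no information once a proxy sits in front of the gateway, the corrected model requires the token on every request in that deployment.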

Internet scans reveal scale of Clawdbot vulnerability

Using publicly available internet scanning tools, O’Reilly said he was able to locate exposed Clawdbot instances almost instantly by searching for unique identifiers embedded in the software’s web interface.

“Searching for ‘Clawdbot Control’ — the query took seconds. I got back hundreds of hits based on multiple tools,” — Jamieson O’Reilly.

Once accessed, the exposed interfaces reportedly provided sweeping visibility into user activity, including the ability to read private messages, impersonate users across chat platforms, and issue commands directly through the AI agent.

This breadth of access is what makes the Clawdbot vulnerability particularly severe compared to more limited data leaks.

The risk is amplified by Clawdbot’s design philosophy. Unlike many AI assistants that operate within constrained environments, Clawdbot has full system-level access by default.

“Running an AI agent with shell access on your machine is… spicy. There is no ‘perfectly secure’ setup,” — Clawdbot FAQ.

The project’s own documentation acknowledges that malicious actors may attempt to manipulate the AI through prompt injection, social engineering, or infrastructure probing, risks that become far more dangerous when gateways are left publicly exposed.

Clawdbot vulnerability raises crypto security concerns

Beyond general data exposure, the Clawdbot vulnerability has drawn particular concern from crypto security professionals due to its potential impact on private keys and wallet infrastructure.

Matvey Kukuy, CEO of AI security firm Archestra AI, demonstrated how the assistant could be exploited via prompt injection to extract sensitive information from a compromised system.

“It took 5 minutes,” — Matvey Kukuy, CEO, Archestra AI, describing an experiment extracting a private key via Clawdbot.

[Image. Source: Matvey Kukuy]

Because Clawdbot can read and write files, execute scripts, and control browsers, any machine handling crypto wallets, signing tools, or treasury infrastructure could face elevated risk if the assistant is misconfigured.

SlowMist urged users running agentic AI infrastructure to immediately review their deployments.

O’Reilly echoed that warning, emphasizing that convenience should not come at the expense of basic security hygiene.

“If you’re running agent infrastructure, audit your configuration today. Check what’s actually exposed to the internet,” — Jamieson O’Reilly.

A cautionary moment for agentic AI adoption

The Clawdbot vulnerability arrives at a moment when agentic AI tools, capable of acting autonomously across systems, are being adopted faster than security best practices can keep pace.

While Clawdbot’s open-source nature allows transparency and rapid improvement, the incident highlights how easily powerful tools can become liabilities when deployed without safeguards.

For crypto investors and developers alike, the episode serves as a reminder that AI convenience and on-chain security increasingly intersect.

As AI agents gain deeper access to financial infrastructure, configuration errors, not just code flaws, may become one of the most significant sources of risk.
