Intruder, a leader in exposure management, today released new security research detailing vulnerabilities in Moltbot, formerly known as Clawdbot, an open-source, self-hosted AI assistant. The research, “Clawdbot: When Easy AI Becomes a Security Nightmare,” finds that Moltbot’s emphasis on rapid, simplified deployment has created a significant and unintended attack surface.

Intruder’s analysis shows that Moltbot is often deployed without baseline security protections, leaving instances exposed across multiple cloud providers. The platform does not enforce secure-by-default configuration settings such as firewall controls, credential validation, or sandboxing for third-party plugins. Moltbot is commonly used to automate tasks across email, social media, and cloud services, often with access to sensitive credentials. Attackers are actively exploiting these misconfigurations.

Intruder warns that the absence of fundamental AI safety guardrails has led to widespread insecure deployments and active exploitation. Organizations that have run Moltbot with default settings should assume compromise and respond immediately.

Key findings include:

• Exposed credentials: Publicly accessible API keys, authentication tokens, and configuration files caused by misconfigured cloud instances.
• Prompt injection attacks: Moltbot instances integrated with social platforms leak private data when attackers craft malicious prompts due to missing guardrails.
• Malicious plugins: Threat actors are distributing backdoored plugins that enable credential harvesting and botnet recruitment.
• Unintended AI behavior: Instances performing unauthorized actions, including data exfiltration and automated posting.

Intruder recommends that organizations running Moltbot take immediate action:

• Disconnect third-party integrations.
• Rotate potentially exposed credentials.
• Restrict access using firewall rules and IP allowlists.
• Remove and audit third-party plugins.
• Review logs for unauthorized activity.

FAQ

What is Moltbot?

Moltbot is an open-source, self-hosted AI assistant designed for easy deployment through plugins and integrations.

Is this an active threat?

Yes. Intruder observed real-world exploitation, including credential theft, prompt injection, and unauthorized automated actions.

What should organizations do now?

Assume compromise, revoke integrations, rotate credentials, restrict access, and audit logs immediately.

About Intruder

Intruder’s exposure management platform helps lean security teams stop breaches before they start by proactively discovering attack surface weaknesses. By unifying attack surface management, cloud security and continuous vulnerability management in one intuitive platform, Intruder makes it easy to stay secure by cutting through the noise and complexity. Founded in 2015 by Chris Wallis, a former ethical hacker turned corporate blue teamer, Intruder is now protecting over 3,000 companies worldwide. Learn more at https://intruder.io.

View source version on businesswire.com: https://www.businesswire.com/news/home/20260202321249/en/