“A vulnerability has been discovered in the Clawdbot gateway: hundreds of API keys and private chats are at risk. Several unidentified instances are publicly accessible. Flaws in the code could lead to data theft and even remote code execution (RCE),” SlowMist said in a statement.

The company urged users to implement strict IP whitelisting for any open ports.

Security researcher Jamison O’Reilly said that “hundreds of people have configured their Clawdbot management servers with public internet access.”

Clawdbot is an open-source AI assistant created by developer and entrepreneur Peter Steinberger. It runs locally on users’ devices and went viral over the weekend of January 24–25.

Nature of the vulnerability

The agent gateway connects large language models to messaging platforms and executes commands on behalf of users through a web interface called Clawdbot Control.

According to O’Reilly, an authentication bypass vulnerability occurs when the gateway is deployed behind a misconfigured reverse proxy.

Using internet scanning tools such as Shodan, the researcher was able to easily locate exposed servers by searching for distinctive HTML “fingerprints.”

“Collecting intelligence using the Clawdbot Control query took only seconds. I obtained hundreds of results across several tools,” he explained.

O’Reilly gained access to complete credentials, including API keys, bot tokens, OAuth secrets, signing keys, full chat histories across platforms, as well as the ability to send messages on behalf of users and execute commands.

“If you are using AI agent infrastructure, check your configuration immediately. Review what is actually exposed to the internet,” the expert advised.
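The IP allowlisting advice and the reverse-proxy deployment described above interact in a way worth seeing in code. The following is an added example, not Clawdbot's code and not a reconstruction of the reported flaw: it contrasts an allowlist check that looks only at the socket peer with one that resolves the client address through a trusted proxy. All addresses (documentation ranges) and function names are constructed assumptions.

```python
import ipaddress

# Constructed values: the proxy runs on the same host, operators sit in 203.0.113.0/24.
TRUSTED_PROXIES = [ipaddress.ip_network("127.0.0.1/32")]
ALLOWLIST = [ipaddress.ip_network("203.0.113.0/24"),
             ipaddress.ip_network("127.0.0.1/32")]


def _in(addr, networks):
    return any(addr in net for net in networks)


def naive_is_allowed(peer_ip):
    """Weak check: behind a proxy the socket peer is always the proxy itself."""
    return _in(ipaddress.ip_address(peer_ip), ALLOWLIST)


def client_ip(peer_ip, x_forwarded_for=None):
    """Resolve the client address, or None when it cannot be trusted.

    X-Forwarded-For is honoured only if the direct peer is a trusted proxy.
    The header is walked right to left, so values a client prepended are
    never reached before the hop the proxy itself recorded.
    """
    peer = ipaddress.ip_address(peer_ip)
    if not _in(peer, TRUSTED_PROXIES):
        return peer                      # direct connection: ignore the header
    if not x_forwarded_for:
        return None                      # proxy sent no client address: fail closed
    for hop in reversed([h.strip() for h in x_forwarded_for.split(",")]):
        try:
            addr = ipaddress.ip_address(hop)
        except ValueError:
            return None                  # malformed header: fail closed
        if not _in(addr, TRUSTED_PROXIES):
            return addr                  # first hop that is not one of our proxies
    return peer                          # request originated on the proxy host


def is_allowed(peer_ip, x_forwarded_for=None):
    """Hardened check: allowlist the resolved client, not the socket peer."""
    addr = client_ip(peer_ip, x_forwarded_for)
    return addr is not None and _in(addr, ALLOWLIST)
```

The hardened check only holds if the proxy appends the connecting address to `X-Forwarded-For` itself and the service port is not reachable except through that proxy.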

Theft of private keys

The AI assistant could also be exploited for more malicious purposes, including theft of crypto assets.

Archestra AI CEO Matvey Kukuy reported that he was able to obtain a private key “within five minutes.” He sent Clawdbot an email containing a prompt injection attack and asked the bot to check the mailbox.

Unlike many other AI agents, Clawdbot has full system-level access to the user’s computer. It can read and write files, execute commands, run scripts, and control web browsers.