Infostealers added Clawdbot to their target lists before most security teams knew it was running

Clawdbot's MCP implementation has no mandatory authentication, allows prompt injection, and grants shell access by design. Monday's VentureBeat article documented these architectural flaws. By Wednesday, security researchers had validated all three attack surfaces and found new ones.

(The project rebranded from Clawdbot to Moltbot on January 27 after Anthropic issued a trademark request over the similarity to "Claude.")

Commodity infostealers are already exploiting this. RedLine, Lumma, and Vidar added the AI agent to their target lists before most security teams knew it was running in their environments. Shruti Gandhi, general partner at Array VC, reported 7,922 attack attempts on her firm's Clawdbot instance.

The reporting prompted a coordinated look at Clawdbot's security posture. Here's what emerged:

SlowMist warned on January 26 that hundreds of Clawdbot gateways were exposed to the internet, including API keys, OAuth tokens, and months of private chat histories — all accessible ...