
Infostealer attacks detected through Clawdbot vulnerabilities
TL;DR
Clawdbot, an AI-based automation agent, has security flaws that let infostealers such as RedLine and Vidar carry out attacks undetected, prompting alerts and highlighting the need for stronger security controls.
Clawdbot exposes sensitive data to infostealer attacks
Clawdbot, an AI-based automation agent, has serious security flaws that allow infostealers such as RedLine and Vidar to carry out attacks undetected. It has multiple points of vulnerability and does not require authentication, which makes exploitation easy. Recent articles have documented these structural issues, which allow shell access and command injection.
By Wednesday, several security researchers had confirmed widespread exploitation of these flaws. Shruti Gandhi of Array VC reported 7,922 attack attempts against her Clawdbot instance. As a result, a collective alert about the agent's security posture was issued.
Exposed critical vulnerabilities
The consultancy SlowMist pointed out that hundreds of Clawdbot gateways were exposed on the internet. Sensitive information, including API keys and chat histories, was accessible without credentials. Additionally, the CEO of Archestra AI, Matvey Kukuy, managed to extract an SSH key in just five minutes through command injection.
Hudson Rock described the process as "Cognitive Context Theft," highlighting that the malware not only collects passwords but also creates detailed user profiles. This information can be utilized for more effective social engineering attacks.
Lack of security in design compromises trust
Clawdbot enables task automation through conversational commands and quickly gained popularity, accumulating 60,000 stars on GitHub. However, many developers deployed their instances without reading the security documentation, leaving the default port 18789 open to the public.
Jamieson O'Reilly, founder of Dvuln, used Shodan to scan for "Clawdbot Control" and found hundreds of exposed instances. Several were completely open, compromising data security.
Impact of supply chain attacks
O'Reilly also demonstrated a supply chain attack, where he uploaded a harmless skill to ClawdHub, reaching 16 developers across seven countries. Although the initial payload was not harmful, the possibility of remote execution existed, highlighting the vulnerabilities in ClawdHub's trust system.
Risks related to plaintext storage
Clawdbot stores its memory files as unencrypted Markdown and JSON. These files include corporate credentials and API tokens, which can be read by any process running as that user.
Hudson Rock emphasized that without proper encryption, AI agents are creating a new class of data exposure that endpoint security was not designed to face.
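The two exposures described above (a gateway port left reachable from outside the host, and plaintext secrets in Markdown/JSON memory files) are both things a defender can check for locally. The following audit script is an added example written for this article; it is not Clawdbot's own code. It assumes only what the article states: the gateway listens on TCP port 18789, and memory files are Markdown or JSON. The directory to scan is supplied by the caller (the real path is not given in the article), the `ss -ltn` listing and the memory files are constructed sample data, and the secret patterns are generic illustrations rather than the agent's actual token formats.

```python
"""Local audit for an AI automation agent deployment (added example).

Two checks, both defensive:
  1. Is the gateway port bound to a non-loopback address (reachable from the network)?
  2. Do Markdown/JSON memory files contain plaintext secrets?
Assumptions: port 18789 (from the article); memory directory supplied by caller;
secret regexes and sample data are constructed for illustration.
"""
import re
import tempfile
from pathlib import Path

GATEWAY_PORT = 18789  # default port named in the article

# Generic plaintext-secret shapes (constructed, not the agent's real token formats).
SECRET_PATTERNS = {
    "generic_api_key": re.compile(
        r"\b(?:api[_-]?key|token|secret)['\"]?\s*[:=]\s*['\"]?([A-Za-z0-9_\-]{16,})", re.I),
    "private_key_block": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "bearer": re.compile(r"\bBearer\s+[A-Za-z0-9_\-.]{20,}"),
}

# Constructed `ss -ltn` output: the gateway port is bound on all IPv4 and IPv6 addresses.
SAMPLE_SS = """State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:631       0.0.0.0:*
LISTEN 0      4096   0.0.0.0:18789       0.0.0.0:*
LISTEN 0      4096   [::]:18789          [::]:*
"""


def exposed_listeners(ss_output: str, port: int = GATEWAY_PORT) -> list[str]:
    """Return local address:port strings where `port` is listening on a
    non-loopback address, parsed from `ss -ltn`-style lines."""
    exposed = []
    for line in ss_output.splitlines():
        parts = line.split()
        if len(parts) < 5 or parts[0] != "LISTEN":
            continue  # header or non-listening socket
        local = parts[3]  # "Local Address:Port" column
        host, _, p = local.rpartition(":")
        if p != str(port):
            continue
        if host.strip("[]") in ("127.0.0.1", "::1"):
            continue  # loopback only: not reachable from the network
        exposed.append(local)
    return exposed


def scan_memory_files(memory_dir: Path) -> list[tuple[str, str]]:
    """Walk Markdown/JSON files under `memory_dir` and return
    (relative path, pattern name) for every secret pattern that matches."""
    findings = []
    for path in sorted(memory_dir.rglob("*")):
        if path.suffix.lower() not in (".md", ".json"):
            continue
        text = path.read_text(encoding="utf-8", errors="replace")
        for name, pattern in SECRET_PATTERNS.items():
            if pattern.search(text):
                findings.append((path.relative_to(memory_dir).as_posix(), name))
    return findings


def build_sample_memory(root: Path) -> None:
    """Write constructed memory files (no real credentials) for demonstration."""
    (root / "notes").mkdir(parents=True, exist_ok=True)
    (root / "config.json").write_text(
        '{"api_key": "CONSTRUCTED_EXAMPLE_KEY_0123456789",\n'
        ' "note": "Authorization: Bearer CONSTRUCTEDEXAMPLETOKEN1234567890"}\n')
    (root / "keys.md").write_text(
        "-----BEGIN OPENSSH PRIVATE KEY-----\n(constructed, no real key material)\n"
        "-----END OPENSSH PRIVATE KEY-----\n")
    (root / "notes" / "session.md").write_text(
        "Deployment notes\napi_key = CONSTRUCTED_EXAMPLE_KEY_0123456789\n")
    (root / "readme.md").write_text("Nothing sensitive here.\n")
    (root / "ignored.txt").write_text("token = NOT_SCANNED_BECAUSE_OF_SUFFIX_1234\n")


def sample_findings() -> list[tuple[str, str]]:
    """Build the constructed memory directory in a temp dir and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        build_sample_memory(root)
        return scan_memory_files(root)


if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print(f"gateway port exposed on {addr}")
    for rel, kind in sample_findings():
        print(f"plaintext secret ({kind}) in {rel}")
```

On a real host, replace `SAMPLE_SS` with the output of `ss -ltn` and point `scan_memory_files` at the agent's memory directory. A listener on `0.0.0.0` or `[::]` means the unauthenticated gateway is reachable by anyone who can route to the host, which is the exposure the Shodan results above reflect; any hit from the file scan is a credential that an infostealer running as the same user could read without privilege escalation.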
Challenges for security leaders
The growing adoption of AI agents presents specific risks that many traditional security tools fail to address. Prompt Security's co-founder, Itamar Golan, warns that this issue is more about identity and execution than about AI applications.
Security professionals need to revisit their approach, assessing where agents are being executed and what permissions they possess. The lack of visibility can result in undetected actions that further compromise systems.
Future implications and necessary adaptations
Since its quiet launch in 2025, Clawdbot's adoption has raised security concerns at an accelerating pace. Forecasts suggest that in the coming years nearly 40% of business applications will integrate AI agents. Consequently, security practices will need to evolve rapidly to keep pace with this new reality.
Organizations must be proactive, conducting inventories, restricting the origin of skills, and ensuring runtime visibility, as the attack surface is expanding faster than security teams can monitor.
Emerging vulnerabilities require institutions to stay alert and ready to face a new scenario where infostealer attacks become increasingly sophisticated and common.
Content selected and edited with AI assistance. Original sources referenced above.