Clawdbot Security Issues: Over 1,000 AI Agent Servers Exposed to Unauthenticated Access

A surge in Clawdbot adoption has resulted in a critical security crisis, with cybersecurity researchers identifying over 1,000 internet-facing servers exposed without authentication. Clawdbot is a self-hosted AI assistant that uses Anthropic's Claude API to manage browsing, shell commands, and scheduling and was designed to function as an autonomous AI agent with full system access. 

Clawdbot gained explosive popularity with over 60,000 GitHub stars within weeks of its launch in late 2025. However, easy installation scripts encouraged rapid deployment and by default left port 18789 open to the public internet, creating a security vulnerability that allows attackers to gain complete control of exposed instances within minutes.

Security researchers from SlowMist and independent investigators documented multiple critical vulnerabilities in exposed Clawdbot instances:

• Unauthenticated remote access allowing attackers to execute shell commands without any barriers
• API key exposure for platforms including OpenAI and Anthropic stored in plaintext
• Remote code execution capabilities enabling injection of malicious code
• Full system privilege access with no directory sandboxing or access controls
• Credential theft vulnerabilities exposing OAuth secrets and bot tokens
• Prompt injection attacks demonstrated in under 5 minutes, resulting in unauthorized email forwarding

The crisis escalated on January 27, 2026, when Anthropic issued a trademark dispute forcing a rebrand from Clawdbot to Moltbot due to the name's similarity to "Claude." During the hasty rename process, Steinberger made a critical error while attempting to simultaneously rename the GitHub organization and X/Twitter handle. In approximately 10 seconds between releasing the old handles and claiming new ones, crypto scammers hijacked both the original @clawdbot X account and GitHub organization. 

The hijacked accounts immediately began pumping fake cryptocurrency announcements to tens of thousands of followers, while a fraudulent $CLAWD token emerged on Solana, reaching a peak market capitalization of $16 million before collapsing when Steinberger publicly denounced it as a scam. The project, which was driving legitimate Claude API usage and revenue for Anthropic, became caught in a storm of legal pressure, account hijacking, and crypto exploitation.

Researcher Jamieson O'Reilly demonstrated that using basic Shodan searches for "Clawdbot Control" could reveal complete credentials, full conversation histories, and the ability to send messages and execute commands as legitimate users. Security researcher ItakGol issued public warnings describing the situation as dangerous, noting that thousands of autonomous agents running on cloud servers with open ports and zero authentication created an open invitation for hostile takeovers. One documented incident showed a malicious email with prompt injection causing an AI agent to read and forward a user's last five emails to an attacker address within minutes.

The project's community of over 8,900 Discord members faces ongoing challenges including harassment from token speculators, security vulnerability patches, and rebuilding brand recognition after the forced rebrand. Steinberger continues fighting to recover the hijacked accounts while managing the security fallout. 

Cybersecurity experts recommend that users cannot immediately secure their instances should use IP whitelisting to restrict access, avoid running agents on primary machines with access to sensitive data, use dedicated hardware with isolated accounts, implement strict authentication controls before exposing any ports to the internet, and regularly audit exposed endpoints.