Viral Moltbot AI assistant raises concerns over data security


Security researchers warn that insecure enterprise deployments of the Moltbot (formerly Clawdbot) AI assistant can leak API keys, OAuth tokens, conversation history, and credentials while allowing command execution and root access. Exposed admin interfaces, supply-chain risks via malicious Skills, and a lack of sandboxing have led to incidents like Signal account pairing and warnings about info‑stealers such as RedLine targeting local Moltbot storage.

Key points

  • Moltbot/Clawdbot instances exposed online can allow unauthenticated access to admin interfaces.
  • Misconfigured reverse proxies cause deployments to auto-approve remote connections as “local.”
  • Exposed deployments risk leaking API/OAuth tokens, plaintext credentials, conversation history, and enabling remote command execution.
  • Supply-chain attacks via promoted malicious Skills and a malicious VSCode extension installing ScreenConnect RAT have been demonstrated.
  • Safe deployment requires isolating Moltbot in a VM, enforcing firewall rules, and avoiding running the agent with root access.
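
The reverse-proxy failure mode from the key points, as an added example (not Moltbot's code and not from the original article). It assumes the gateway decides "local" from the TCP peer address and that the proxy appends the client address to X-Forwarded-For; all function names, the proxy list and the sample requests are constructed.

```javascript
// Added example; names, proxy list and sample requests are constructed.
const LOOPBACK = /^(127\.\d+\.\d+\.\d+|::1|::ffff:127\.\d+\.\d+\.\d+)$/;
const isLoopback = (addr) => LOOPBACK.test(addr);

// Weak check: trusts the TCP peer address. Behind a reverse proxy on the
// same host every request arrives from 127.0.0.1, so everyone is "local".
function naiveIsLocal(req) {
  return isLoopback(req.peer);
}

// Resolve the real client: honour X-Forwarded-For only when the peer is a
// configured proxy, and walk it right to left, skipping trusted hops.
// Returns null when the client cannot be determined.
function clientAddress(req, trustedProxies) {
  if (!trustedProxies.includes(req.peer)) return req.peer;
  const hops = (req.headers["x-forwarded-for"] || "")
    .split(",").map((h) => h.trim()).filter(Boolean);
  for (let i = hops.length - 1; i >= 0; i--) {
    if (!trustedProxies.includes(hops[i])) return hops[i];
  }
  return null;
}

// Hardened check: fail closed. An unknown client is treated as remote
// and must authenticate instead of being auto-approved.
function hardenedIsLocal(req, trustedProxies) {
  const client = clientAddress(req, trustedProxies);
  return client !== null && isLoopback(client);
}

const PROXIES = ["127.0.0.1"]; // assumed: reverse proxy on the same host
const viaProxy = { peer: "127.0.0.1", headers: { "x-forwarded-for": "203.0.113.7" } };
// Client sent "127.0.0.1" itself; the proxy appended the real address.
const spoofed = { peer: "127.0.0.1", headers: { "x-forwarded-for": "127.0.0.1, 198.51.100.9" } };
const noHeader = { peer: "127.0.0.1", headers: {} };

function evaluate() {
  return {
    naiveViaProxy: naiveIsLocal(viaProxy), // remote user auto-approved
    hardenedViaProxy: hardenedIsLocal(viaProxy, PROXIES),
    hardenedSpoofed: hardenedIsLocal(spoofed, PROXIES),
    hardenedNoHeader: hardenedIsLocal(noHeader, PROXIES),
    hardenedDirectNoProxy: hardenedIsLocal(noHeader, []),
  };
}
console.log(evaluate());
```

With a proxy on loopback, the hardened check never grants the "local" shortcut to proxied traffic, so those sessions always go through normal authentication.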

Read More: https://www.bleepingcomputer.com/news/security/viral-moltbot-ai-assistant-raises-concerns-over-data-security/