February 3, 2026

4 Min Read

Moltbot, the viral AI agent, offers immense power but is riddled with critical vulnerabilities, including remote code execution (RCE), exposed control interfaces, and malicious extensions. Read on to understand the vulnerabilities associated with Moltbot and the immediate security practices users must prioritize to mitigate this enormous agentic AI security risk.

What is Clawdbot?

Clawdbot (recently rebranded as Moltbot and subsequently to OpenClaw due to a trademark dispute with Anthropic) is a viral open-source AI assistant. It has been praised for its ability to autonomously execute tasks on local hardware, exemplifying what modern AI can do to truly help end users. As of January 2026, and coinciding with the application's widespread viral adoption, security researchers have identified multiple significant vulnerabilities that place Moltbot users at risk.

What is Moltbot used for?

Moltbot is a multi-function AI agent designed to perform many tasks. Indeed, the website claims it “Works With Everything.” Some features include:

• Setup: Runs on any machine with a choice of models.
• Integrations: Works with any chat app
• Browse the Web: Submit forms on your behalf, find information.
• Memory: Remembers context about you and your preferences
• Extensible: Use or write plugins and skills
• Access: Ability to read and write to disk, execute commands, and more.
• Sandbox: Tools and agents can run inside Docker containers and require approval.

The agent already has an enormous list of official and custom integrations. Given the large feature set, Moltbot must also have a large attack surface. Let’s take a look at Moltbot from an agentic AI security perspective.

Is Moltbot safe? Critical agentic AI security vulnerabilities

• Remote code execution (RCE): Coding issues in the gateway could allow attackers to run commands on the host system with the same permissions as the user, potentially leading to full system compromise. A researcher from depthfirst identified CVE-2026-25253, chaining two findings to execute code on the bot. Two more command injection CVEs have been identified (CVE-2026-24763 and CVE-2026-25157).
• Malicious skills: An OpenClaw bot at Koi identified a few hundred malicious skills in the ClawHub skills repo.
• Exposed control interfaces: Researchers from SlowMist and other firms found that many users misconfigure their setups, leaving the Clawdbot Control web interface publicly accessible on the internet without password protection.
• Authentication bypass: A flaw in how the gateway handles localhost connections allows external attackers to bypass login protections when the software is deployed behind a common reverse proxy (like Nginx).
• Sensitive data leaks: Moltbot stores authentication tokens (API keys), user profiles, and memories in plaintext Markdown and JSON files. Attackers who gain access can steal these keys to take over accounts or conduct Cognitive Context Theft using private conversation histories.
• Indirect prompt injection: Because the tool can read emails, chat messages, and web pages, malicious actors can send messages that trick the AI into executing unauthorized commands, such as exfiltrating data or deleting files.

Recent risks and rebranding

• Trademark rebrand: On January 27, 2026, the project was renamed Moltbot following a legal request from Anthropic.
• Account hijacking: During the name change, the original @clawdbot handles on X and GitHub were immediately snatched by crypto scammers who are now using them to promote fake tokens ($CLAWD) to the project's more than 60,000 followers.
• Second trademark rebrand: On January 29, the project was renamed OpenClaw.
• Malicious extensions: Fake "Clawdbot Agent" extensions for VS Code have been discovered. These fake extensions install trojans and remote access malware on users’ machines.

Recommended security practices for Moltbot users

If you choose to run this software, security experts recommend several immediate hardening steps:

• Strict whitelisting: Use the OpenClaw Security Guide to explicitly whitelist only necessary tools and block dangerous shell execution capabilities.
• Verify gateway settings: Ensure gateway.auth.password is set and verify that your reverse proxy correctly passes headers so authentication is not bypassed.
• Use sandboxing: Enable sandbox mode for the AI agent to restrict its access to your filesystem and browser.
• Run security audits: Use the built-in security audit tool periodically to check for exposed ports or misconfigurations.
• Restrict token access: Moltbot uses API keys and other tokens to access services. These should all be scoped appropriately to allow just enough access and disallow dangerous actions.
• Privacy: Moltbot can be added to group channels where it can read and parse untrusted messages. To help mitigate the risk of prompt injection, grant access only to trusted people and channels.

Tenable plugins for Moltbot and OpenClaw

Tenable Vulnerability Management has detection plugins for Moltbot. A list of Tenable plugins for this vulnerability can be found on the search page for Moltbot and OpenClaw as they’re released. This link will display all available plugins for this vulnerability, including upcoming plugins in our Plugins Pipeline.