Is Clawdbot Safe? Security Risks, Vulnerabilities & How to Protect Yourself

Clawdbot — now known as OpenClaw after two rebrands — has exploded to 100,000+ GitHub stars. But security researchers are raising serious alarms.

Google's VP of Security Engineering, Heather Adkins, issued a blunt warning:

"Don't run Clawdbot... it is an infostealer malware disguised as an AI personal assistant."

That's not a random critic. That's one of the founding members of the Google Security Team.

So what's actually going on? Let's break down the real security risks.

Critical Vulnerabilities Discovered

Security researchers have identified serious CVEs in Clawdbot:

CVE-2025-6514 (CVSS 9.6 - Critical)

Command injection vulnerability allowing remote code execution. Attackers can execute arbitrary commands on vulnerable instances.

CVE-2025-52882 (CVSS 8.8 - High)

Arbitrary file access and code execution vulnerability. Enables unauthorized access to system files and potential full compromise.

These aren't theoretical risks — they're documented vulnerabilities with critical severity scores.

Hundreds of Exposed Instances Found

Security researcher Jamieson O'Reilly, founder of red-teaming company Dvuln, ran a routine Shodan scan and discovered alarming results:

"Of the instances I've examined manually, eight were open with no authentication at all and exposing full access to run commands and view configuration data. Forty-seven had working authentication, which I manually confirmed was secure. The remainder fell somewhere in between."

A Shodan search revealed approximately 780 exposed Clawdbot instances on the public internet, leaking:

• IP addresses and locations

• Open ports

• Configuration data

• API keys and credentials

What Attackers Can Access

When O'Reilly examined unprotected instances, he found the WebSocket handshake granted immediate access to:

• Anthropic API keys — worth thousands of dollars in credits

• Telegram bot tokens — full control of bot accounts

• Slack OAuth credentials — access to workspace data

• Months of conversation histories — private messages exposed

The risk extends beyond passive data exposure. According to Bitdefender, attackers could actively control compromised Clawdbot instances to send messages, run tools, and execute commands across connected services.

Plaintext Credential Storage

Hudson Rock security research revealed a fundamental security flaw:

Moltbot stores highly sensitive secrets, including account credentials and session tokens, in plaintext Markdown and JSON files on the host machine.

These files in ~/.clawdbot/ are unencrypted and uncontainerized — what researchers call "sitting ducks" for infostealer malware.

Infostealers Now Targeting Clawdbot

Major Malware-as-a-Service families have adapted to target these files:

• RedLine Stealer — uses FileGrabber to sweep Clawdbot files

• Lumma Stealer — uses heuristics to find files named "secret" or "config"

• Vidar — targets the .clawdbot directory structure

Supply Chain Attack: Poisoned Skills

Jamieson O'Reilly demonstrated a supply chain attack against Clawdbot users:

1. Created a malicious "skill" with a ping payload

2. Published it to the official MoltHub (ClawdHub) registry

3. Artificially inflated the download count

4. Within 8 hours, 16 developers in 7 countries downloaded the poisoned skill

This proves the skill library can be weaponized to distribute malicious code to unsuspecting users.

Prompt Injection: Private Keys Extracted in 5 Minutes

Matvey Kukuy, CEO of Archestra AI, demonstrated how easily Clawdbot can be manipulated:

1. Sent a malicious email with prompt injection to a vulnerable instance

2. The AI read the email and believed it was legitimate instructions

3. Clawdbot forwarded the user's last 5 emails to an attacker address

4. Total time: 5 minutes

This isn't a bug in Clawdbot specifically — it's how AI agents work when given both read access (emails, documents) and write access (send messages, run code).

Enterprise Exposure

Token Security reports that 22% of their enterprise customers have employees actively using Moltbot — likely without IT approval.

Identified risks include:

• Exposed gateways and API/OAuth tokens

• Plaintext storage credentials under ~/.clawdbot/

• Corporate data leakage via AI-mediated access

• Extended prompt-injection attack surface

Expert Warnings

Heather Adkins, VP Security Engineering at Google Cloud

"Don't run Clawdbot... it is an infostealer malware disguised as an AI personal assistant."

Hudson Rock Security Research

"Clawdbot represents the future of personal AI, but its security posture relies on an outdated model of endpoint trust."

SlowMist CISO 23pds

Issued a warning about significant gateway vulnerabilities, with hundreds of API keys and private chat logs susceptible to attacks.

Intruder.io

Titled their analysis "When Easy AI Becomes a Security Nightmare"

Why These Vulnerabilities Exist

1. Power Over Security

Clawdbot was designed for maximum capability: shell access, file system control, browser automation, messaging integration. Security hardening came second.

2. User-Deployed Infrastructure

Unlike managed services, users deploy their own instances. Many lack security expertise and use default configurations with no authentication.

3. Rapid Growth

Going from 0 to 100,000 stars in a week left no time for security audits. The codebase evolved faster than security could keep up.

4. Broken Trust Model

Clawdbot assumes:

• The network is secure (often wrong)

• Users configure authentication (often don't)

• Skills from ClawdHub are safe (proven false)

• Connected accounts are legitimate (can be spoofed)

How to Protect Yourself

If you still want to use Clawdbot despite these risks:

Essential Security Measures

1. Never expose to the public internet — No port forwarding, VPN access only, firewall all external connections

2. Enable authentication immediately — Set strong passwords, use API keys for all endpoints, enable 2FA where available

3. Run in Docker container — Isolate from host system, limit file system access, restrict network capabilities

4. Use dedicated hardware — Don't run on main computer, use separate VM or physical machine

5. Monitor API usage — Set hard spending limits, enable billing alerts, watch for unusual patterns

6. Avoid sensitive integrations — No banking apps, no password managers, no financial services

7. Audit skills before installing — Review source code, check author reputation, avoid unverified extensions

SlowMist Recommendation

Urgently apply strict IP whitelisting measures on exposed ports.

Should You Use Clawdbot?

Don't use Clawdbot if you:

• Lack security expertise

• Can't dedicate time to proper hardening

• Need to connect sensitive accounts

• Handle confidential business data

• Want a "set and forget" solution

Only consider Clawdbot if you:

• Have strong security background

• Can isolate on dedicated hardware

• Will actively monitor for threats

• Accept the risk of potential compromise

• Use only for non-sensitive tasks

Safer Alternatives

If you want AI automation without becoming a security expert, consider managed platforms:

• Serenities AI — Enterprise-grade, managed, all-in-one automation

• Zapier — Managed cloud for simple workflows

• Make — Managed cloud for complex integrations

Why Serenities AI is Safer

Serenities AI provides similar automation capabilities without the security nightmare:

• No self-hosting — we handle infrastructure security

• No exposed ports — nothing to misconfigure

• Managed updates — security patches applied automatically

• Sandboxed execution — isolated environments

• Audit logging — full visibility into all actions

You get the power of AI automation without the CVEs, exposed instances, and sleepless nights.

Get Started Free →

The Bottom Line

Clawdbot/OpenClaw represents an exciting vision of AI assistants. But the security reality is concerning:

• CVE-2025-6514 (CVSS 9.6) — Critical command injection

• ~780 exposed instances found on Shodan

• Plaintext credential storage — targeted by infostealers

• Supply chain attacks — poisoned skills in 8 hours

• Google's security VP calls it "malware"

Unless you're a security professional who can properly harden a deployment, the risks currently outweigh the benefits.

For production-ready automation, consider managed platforms like Serenities AI that don't require you to become a security expert.

Frequently Asked Questions

Is Clawdbot actually malware?

Clawdbot itself is legitimate open-source software. However, Heather Adkins (Google's VP of Security) called it "infostealer malware disguised as an AI assistant" because of how it stores credentials in plaintext and the risks of misconfiguration.

What are the CVEs for Clawdbot?

CVE-2025-6514 (CVSS 9.6) for command injection and CVE-2025-52882 (CVSS 8.8) for arbitrary file access. Both are serious vulnerabilities.

How many Clawdbot instances are exposed?

Shodan scans have revealed approximately 780 exposed instances, with varying levels of vulnerability. At least 8 were found completely open with no authentication.

Is OpenClaw safer than Clawdbot?

OpenClaw is just the new name (as of January 30, 2026). The security concerns are identical — it's the same codebase.

What's the safest way to use AI automation?

Use a managed platform like Serenities AI that handles security for you, rather than self-hosting tools with known vulnerabilities.

Related Articles

• What is Clawdbot (OpenClaw)? Everything You Need to Know

• How Much Does Clawdbot Cost?

• Best Clawdbot Alternatives in 2026

Last updated: January 30, 2026

Sources:

• The Register

• Bitdefender

• SOC Prime

• Cisco Blogs

• Intruder.io