Exposed Clawdbot Gateways Put API Keys and Private Chats at Risk
Clawdbot, a fast-growing open-source AI agent, is under scrutiny after more than 900 unauthenticated Gateway instances were found reachable on the public internet, exposing API keys, messaging tokens and private conversation data. The exposures trace back to a combination of insecure deployment (Gateways bound to public interfaces without a password) and an authentication shortcut that auto-approves connections from localhost, a shortcut that reverse proxies defeat.
Understanding Clawdbot’s Functionality
Clawdbot is a personal AI assistant that connects to popular messaging platforms (WhatsApp, Telegram, Slack, Discord, Signal and iMessage). Its Gateway is the control plane and handles:
- WebSocket handling
- Tool execution
- Credential management
The Control UI is web-based and exposes configuration, conversation history and API key management. The project is installed via npm and requires Node.js 22 or later.
Security Threats Identified
In an analysis published on January 23, 2026, security researcher Jamieson O’Reilly described the misconfigurations that expose the Gateway. Using Shodan, he searched for the Control UI’s distinctive HTML title, “Clawdbot Control”, and found hundreds of exposed instances shortly after the project’s release.
Because services such as Shodan and Censys index HTTP fingerprints, exposed instances can be located in minutes. Follow-up scans found more than 900 Gateways reachable on port 18789, many with no authentication at all.
Sensitive Data at Risk
Some instances exposed sensitive configuration and data, including:
- Anthropic API keys
- Telegram and Slack tokens
- Months of chat histories
The root cause is localhost auto-approval in Clawdbot’s authentication logic: a connection arriving from the loopback address is trusted without a password, a convenience intended for local development. Behind a reverse proxy on the same host, every forwarded request reaches the Gateway from 127.0.0.1, so remote, unauthenticated clients are treated as local and approved.
Consequences of Exposed Gateways
A compromised Gateway puts the following within an attacker’s reach:
| Access Type | Compromised Assets | Exploitation Examples |
|---|---|---|
| Configuration | API keys, token credentials | Theft for Anthropic, Telegram, Slack |
| Conversation History | Private messages and files | Exfiltration of months of data |
| Command Execution | Root shell access | Arbitrary commands without authentication |
Some instances even run as root inside containers, giving attackers that level of control with no authentication at all.
Mitigation Steps and Recommendations
Clawdbot’s documentation stresses auditing each deployment. Recommended measures include:
- Tightening group policies and permissions
- Enforcing an authentication mode by setting CLAWDBOT_GATEWAY_PASSWORD
- Configuring trusted proxies explicitly, so forwarded connections are not treated as local
- Rotating secrets immediately after any exposure
Users are advised to reach the Gateway through Tailscale Serve/Funnel or Cloudflare Tunnels rather than binding it directly to a public interface. The latest release at the time of writing, 2026.1.14-1, was published on January 15. As AI agents hold valuable credentials and data, operators should audit their deployments now rather than after an incident.