Home > Security > Port Exposure Risk

Security Risk: Public Exposure of Clawdbot (Moltbot) Gateway Port

Quick Navigation

1. Unauthenticated Port Exposure 2. API Key & Credential Leakage 3. Private Data & History Exposure 4. Shell Access & Command Execution 5. Browser & Device Control Control Final Security Recommendations

Based on recent community reports (late January 2026), over 1,000 Clawdbot instances have been identified as publicly exposed via Shodan and Censys scans due to improper configuration. This advisory outlines the critical risks of leaving the default 18789 port open without authentication.

1. Unauthenticated Gateway Port Exposure

The Clawdbot gateway daemon defaults to port 18789. If the gateway.bind configuration is set to "all" or "0.0.0.0" instead of the default loopback, it becomes accessible to anyone on the internet without a password or JWT authentication.

Impact: Attackers can bypass localhost restrictions, forge trusted proxies, and gain full access to the control UI title "Clawdbot Control". SOCRadar has reported over 1,000 exposed instances, many on VPS or Cloud hosting where users manually misconfigured the bind address for remote convenience.
Solution:
  • Immediately change gateway.bind to "loopback" or "127.0.0.1" in your config.yaml.
  • Enable JWT or password authentication (e.g., set GATEWAY_AUTH_TOKEN env var).
  • Use Cloudflare Tunnel or Tailscale for secure remote access instead of public IP exposure.

2. API Key & Credential Leakage

Exposed gateways often allow direct reading of configuration files or executing commands to extract sensitive API keys (Anthropic, OpenAI, Telegram Bot tokens, Slack OAuth).

Impact: Many instances store keys in plaintext. Reports show attackers harvesting these keys via automated scripts, leading to massive account billing or bans. One user reported 180M Anthropic tokens consumed after exposure.
Solution:
  • Rotate all active keys immediately if exposure is suspected.
  • Move keys to environment variables instead of plaintext files.
  • Use tools like output-sentinel to prevent AI from leaking keys in responses.
  • Set up fail2ban to monitor and block abnormal IP behavior.

3. Private Data & History Exposure

Unauthenticated exposure grants attackers access to full chat histories, attachments, and Signal linking URIs stored on the instance.

Impact: Months of private conversations can be extracted. This is often used for doxxing or targeted social engineering. Researchers have found hundreds of instances leaking active chat databases.
Solution:
  • Enable End-to-End Encryption (E2EE) on communication channels where possible.
  • Regularly clear history using the clawdbot doctor command.
  • Ensure trustedProxies is restricted to ["127.0.0.1"].
  • Deploy in isolated environments (Docker) to limit file system visibility.

4. Shell Access & Command Execution

A publicly exposed gateway often grants "Root Shell Access" (especially within non-hardened Docker containers), allowing arbitrary command execution and file system manipulation.

Impact: Attackers can inject malware, pivot to other devices on your local network, or use the AI to automate browser tasks for malicious purposes. Without guardrails, this is effectively handing over a shell to the entire internet.
Solution:
  • Run Clawdbot as a non-root user.
  • Disable unnecessary terminal or browser access features in config.
  • Integrate prompt filters to block code injection attempts.
  • Consistently update to the latest version featuring security hardening.

5. Browser & Device Control Control

Clawdbot's powerful browser automation (Computer Use) allows attackers to control your logged-in browser sessions, accessing Gmail, Calendars, and sensitive accounts.

Impact: This goes beyond simple data theft; it represents "Full Identity Hijack". Attackers can operate your accounts 24/7 as if they were you, bypassing standard authentication layers already open in the session.
Solution:
  • Only enable browser automation when absolutely necessary.
  • Use sandboxed browser instances with no saved sessions for critical accounts.
  • Enable Multi-Factor Authentication (MFA) on all linked accounts.
  • Monitor activity logs for unusual browser interactions.

Overall Security Recommendations

Immediate Action

  • Run clawdbot doctor for a health check.
  • Execute clawdbot security audit --deep --fix.
  • Shutdown any publicly exposed instance until fixed.

Best Practices

  • Assume self-hosted tools are "Insecure until proven otherwise".
  • Follow official documentation at docs.molt.bot/security.
  • Never use a "configure later" mentality for public-facing ports.