The Clawdbot (Moltbot) gateway defaults to port 18789. Recent scans by tools like Shodan
and Censys have identified over 1,000+ exposed instances. This is not a software bug,
but a critical misconfiguration where the gateway daemon listens on all interfaces
(0.0.0.0) without authentication enabled.
Exposed gateways allow immediate reading of configuration files containing plaintext API keys for Anthropic, OpenAI, and Telegram. Attackers have been reported stealing keys resulting in massive billings.
Attackers gain root shell access within the execution environment. Combined with browser automation, this allows them to control Gmail, bank accounts, or sensitive internal dashboards.
Additional Chain Risks: Brute-force attacks (up to 8,500+ attempts daily), mDNS leakage, and reverse proxy bypass vulnerabilities often accompany these exposures.
A security researcher discovered a Clawdbot instance via Shodan where the user had months of private chat history and attachments exposed. Within hours of being indexed, the instance's API keys were harvested, leading to the consumption of over 180M tokens on the user's Anthropic account before it was detected.
SOCRadar reported instances where a misconfigured reverse proxy allowed attackers to bypass authentication entirely. Attackers injected commands to extract the entire directory structure and used the browser agent to access the user's private Signal messages.
Edit your config.yaml or clawdbot.json. Change
gateway.bind from "all" or "0.0.0.0" to "loopback" or
"127.0.0.1".
Set the environment variable CLAWDBOT_AUTH_TOKEN to a strong, unique secret. Restart
the service to apply.
Instead of exposing ports, use Cloudflare Tunnel or Tailscale for remote access. This closes the public port entirely while maintaining connectivity.
Execute the command: clawdbot security audit --deep --fix. This tool identifies and
patches common leakage points and mDNS vulnerabilities.
Assume your instance is insecure until you have manually verified the bind address and authentication layers.