Exposed ClawdBot Control Interfaces Leads to Credential Access and Execution - AI Case Study
AI Case StudyA security researcher identified hundreds of exposed ClawdBot control interfaces on the public internet. ClawdBot (now OpenClaw) “is a personal AI assistant you run on your own devices. It answers you on the channels you already use … , plus extension channels. … It can speak and listen on macOS/iOS/Android, and can render a live Canvas you control.”[1] The researcher was able to access credentia...
Overview
Risk patterns
Patterns found in the case record and its linked vulnerabilities.
- 1Dominant ATLAS tactic. Credential Access appears in 2 case steps.
- 2Multiple attack methods. The case connects to 10 unique AI attack methods.
Procedure timeline
Search the case steps or filter them by attacker goal.
-
Reconnaissance The researcher performed targeting by searching for the title tag of ClawdBot’s web-based control interface, “Clawdbot Control” on Shodan, identifying hundreds of ClawdBot control interfaces exposed on the public internet.
-
Initial Access The researcher exploited a proxy misconfiguration present in ClawdBot’s control server to gain access to control interfaces that had authentication enabled.
-
Credential Access The researcher accessed credentials to a variety of services stored in plaintext in ClawdBot’s configuration file (
~/.clawdbot/clawdbot.json, which is visible in the ClawdBot dashboard. Across various exposed ClawdBot instances, they found: - Anthropic API Keys - Telegram Bot Tokens - Slack Oauth Credentials - Signal Device Linking URIs -
Execution
Step 4
Indirect
The researcher was able to prompt ClawdBot directly through the control interface.
-
Discovery
Step 5
System Prompt
The researcher prompted ClawdBot to
cat SOUL.md(the file containing ClawdBot’s system prompt), and it replied with its contents. -
Credential Access The researcher prompted ClawdBot with
envand it responded by invoking itsbashskill and executing theenvcommand, which contained additional secrets for other services. -
Privilege Escalation
Step 7
AI Agent Tool Invocation
The researcher prompted ClawdBot with
rootand it responded by invoking its ‘bash`skill logged in as the root user. -
Defense Evasion The researcher could have used the found Anthropic API Keys to manipulate the ClawdBot’s chat history with the user including deleting or modifying messages.
-
Exfiltration The researcher could have used the discovered application tokens to exfiltrate entire private conversation histories including shared files from any connected messaging apps (e.g. Telegram, Slack, Discord, Signal, WhatsApp, etc.).
-
Impact
Step 10
User Harm
The researcher could have used the discovered application tokens to cause further harms to the user, including impersonation by sending messages on the user’s behalf via any of the connected messaging apps.
Mitigations
Defenses connected to the attack methods in this case.
AI Agent Tools Permissions Configuration
When deploying tools that will be shared across multiple AI agents, it is important to implement robust policies and controls on permissions for the tools. These controls include applying the principle of least privilege along with delegated access, where the tools receive the permissions, identities, and restrictions of the AI agent calling them. These configurations may be implemented either in MCP servers which connect the agents to the tools calling them or, in more complex cases, directly in the configuration files of the tool.
AI Telemetry Logging
Implement logging of inputs and outputs of deployed AI models. When deploying AI agents, implement logging of the intermediate steps of agentic actions and decisions, data access and tool use, installation commands, and identity of the agent. Monitoring logs can help to detect security threats and mitigate impacts.
Additionally, having logging enabled can discourage adversaries who want to remain undetected from utilizing AI resources.
Control Access to AI Models and Data at Rest
Establish access controls on internal model registries and limit internal access to production models. Limit access to training data only to approved users.
Generative AI Guardrails
Guardrails are safety controls that are placed between a generative AI model and the output shared with the user to prevent undesired inputs and outputs. Guardrails can take the form of validators such as filters, rule-based logic, or regular expressions, as well as AI-based approaches, such as classifiers and utilizing LLMs, or named entity recognition (NER) to evaluate the safety of the prompt or response. Domain specific methods can be employed to reduce risks in a variety of areas such as etiquette, brand damage, jailbreaking, false information, code exploits, SQL injections, and data leakage.
Showing 4 of 10
Source evidence
Original public records and references for this case.
Original source
Original source links
Open the MITRE ATLAS data and public references used for this case study.
