If you’ve been keeping an eye on developer news in 2026, you’ve probably come across ClawdBot. Maybe you know it as MoltBot or the latest fork, OpenClaw. No matter what it’s called today, the story is the same: this tool has become a textbook example of how not to build and launch an open-source AI project.


The idea behind ClawdBot was appealing. Who wouldn’t want a local AI assistant that lives in your terminal, helps manage files, refactors code, and keeps everything on your machine instead of the cloud? It sounded like a dream for privacy and productivity. But as it turns out, the reality has been a security disaster, leaving thousands of developer environments exposed.

This isn’t just about buggy software. The real problem is a deep architectural flaw, made worse by a wave of supply chain malware. It’s a perfect storm for anyone who cares about keeping their data safe.

Back in January, ClawdBot exploded in popularity. It was marketed as the ultimate personal assistant for developers, able to run on your own machine and handle tasks for you. But within just a few days, the excitement turned into alarm as security researchers started digging into the code and found some serious problems.

The team behind the project tried to escape the bad press by quickly rebranding to MoltBot and then OpenClaw. But as Forbes pointed out, changing the name doesn’t fix a broken foundation.

Security experts at Cisco were blunt: the tool’s design is fundamentally unsafe. To do its job, ClawdBot needed a lot of access: full shell control, read and write access anywhere on your filesystem, and unrestricted outbound internet access. Each of those alone is a large blast radius; together they mean any flaw in how the agent handles its input becomes arbitrary code execution as you.

The “localhost” problem

The biggest risk wasn’t some advanced hacking technique. It was much simpler: the front door was left wide open.

MoltBot and OpenClaw use a dashboard (the “control plane”) that listens on port 18789. In theory, only you should be able to reach it. But researchers found that the “localhost trust” logic was deeply flawed: the app treated any request arriving from 127.0.0.1 as authenticated, without checking which program, or which web origin, had actually sent it.

That matters because your browser is on the same machine. If ClawdBot was running and you visited a malicious website, a script on that page could fire requests at http://127.0.0.1:18789. The agent saw them arrive from loopback and did whatever they said. The browser’s same-origin policy stops the page from reading the responses, but it does not stop the requests from being sent, and a command that runs on arrival doesn’t need a response.

This is a supercharged version of Cross-Site Request Forgery (CSRF): the forged request isn’t toggling a setting on a website, it’s driving an agent with shell access. Attackers could use it to steal SSH keys, install backdoors, or wipe files. And loopback wasn’t the only way in. In late January, Shodan scans found hundreds of these dashboards reachable from the internet with no authentication at all, so anyone who found the right IP could read the chat history and run commands.
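
To make the flaw concrete, here is an added illustration in Python (not OpenClaw’s own handler) showing the “loopback means trusted” check beside a version that authenticates the request rather than the socket it arrived on. Port 18789 comes from the article; the request class, the host and origin allow-lists, and the bearer-token scheme are assumptions made for this demo.

```python
"""Added example (not OpenClaw's code): why a loopback source address is not
authentication. Port 18789 is from the article; the request shape, allow-lists
and bearer token are assumptions for this demo."""
import hmac
import secrets
from dataclasses import dataclass, field

DASHBOARD_PORT = 18789
# Names under which the dashboard may legitimately be addressed (assumption).
ALLOWED_HOSTS = {f"127.0.0.1:{DASHBOARD_PORT}", f"localhost:{DASHBOARD_PORT}"}
ALLOWED_ORIGINS = {f"http://{h}" for h in ALLOWED_HOSTS}


@dataclass
class Request:
    """Minimal stand-in for an HTTP request as the control plane sees it."""
    remote_addr: str
    headers: dict = field(default_factory=dict)

    def header(self, name):
        """Case-insensitive header lookup; None if the header is absent."""
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)


def vulnerable_is_trusted(req):
    """The 'localhost trust' the article describes: loopback source == authenticated.
    Your browser connects from 127.0.0.1 as well, so a request fired by a script
    on a malicious page passes this check unchanged."""
    return req.remote_addr in ("127.0.0.1", "::1")


def hardened_is_trusted(req, expected_token):
    """Authenticate the request, not the socket it arrived on.

    - Host must name the dashboard itself (DNS rebinding reaches 127.0.0.1 via
      an attacker-controlled hostname, so the Host header gives it away).
    - Origin, when present, means a browser sent it; only the dashboard's own
      origin may script the API (blocks cross-site requests).
    - A bearer token is required in every case and compared in constant time.
    """
    if req.header("Host") not in ALLOWED_HOSTS:
        return False
    origin = req.header("Origin")
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return False
    scheme, _, presented = (req.header("Authorization") or "").partition(" ")
    if scheme != "Bearer" or not presented:
        return False
    return hmac.compare_digest(presented.encode(), expected_token.encode())


def demo():
    """Evaluate both policies on constructed requests that ALL arrive from
    127.0.0.1. Returns {policy: {case: decision}} so the outcome can be checked."""
    token = secrets.token_urlsafe(32)
    good_host = f"127.0.0.1:{DASHBOARD_PORT}"
    cases = {
        # Script on a malicious page the user is visiting; the browser sets Origin.
        "evil_site": Request("127.0.0.1", {"Host": good_host,
                                           "Origin": "https://evil.example"}),
        # DNS rebinding: attacker.example now resolves to 127.0.0.1.
        "rebinding": Request("127.0.0.1", {"Host": f"attacker.example:{DASHBOARD_PORT}",
                                           "Origin": f"http://attacker.example:{DASHBOARD_PORT}"}),
        # The dashboard's own front-end, logged in.
        "dashboard_ui": Request("127.0.0.1", {"Host": good_host, "Origin": f"http://{good_host}",
                                              "Authorization": f"Bearer {token}"}),
        # A local CLI client: no Origin header, but it holds the token.
        "cli": Request("127.0.0.1", {"Host": good_host, "Authorization": f"Bearer {token}"}),
        # Another local process guessing the token.
        "wrong_token": Request("127.0.0.1", {"Host": good_host, "Authorization": "Bearer guess"}),
    }
    return {
        "vulnerable": {name: vulnerable_is_trusted(r) for name, r in cases.items()},
        "hardened": {name: hardened_is_trusted(r, token) for name, r in cases.items()},
    }


if __name__ == "__main__":
    for policy, results in demo().items():
        print(policy, results)
```

The vulnerable policy accepts every one of those requests, because all of them arrive from loopback. The hardened one accepts only the two that carry the token and come from an allowed origin. One thing the token check does not fix on its own is the bind address: the Shodan-visible instances were exposed because the listener was reachable from the internet at all, so binding to 127.0.0.1 is still required on top of request authentication.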

The honeypot effect

Warnings from the security community have been loud and clear: servers running these bots are being hammered by attackers. This isn’t an exaggeration.

Because ClawdBot spread so quickly, it created a huge, uniform target. Attackers love when everyone uses the same tool, especially if it stores secrets in predictable places like ~/.clawdbot/clawdbot.json. They don’t need to be clever, just quick.

Security companies like Guardz have seen active campaigns scanning specifically for OpenClaw and MoltBot. Attackers aren’t just looking for random bugs; they’re using known vulnerabilities in older versions to break in. And with the project’s frantic update pace, almost every version is “old” within hours.

Malware in disguise

If the real tool wasn’t risky enough, the situation got worse with fake versions and malicious add-ons. We’ve seen a wave of typosquatting and bogus extensions. One of the worst was a “ClawdBot Agent” for VS Code, which claimed to integrate the bot into your editor but actually installed ScreenConnect and other remote access trojans (RATs).

On platforms like Telegram and Discord, links to “cracked” or “premium” OpenClaw versions are everywhere. Almost all of them are just malware droppers, designed to steal your crypto wallets and API keys. It’s a cruel twist: people looking for a productivity boost end up getting robbed.

What’s next? The Shai-Hulud scenario

The scariest part isn’t what’s already happened: it’s what could happen next.

We’re looking at the possibility of a devastating mix of supply chain attack and privacy breach. The main threat on the horizon is the Shai-Hulud malware, which hit the NPM ecosystem in late 2025. Unlike most malware, Shai-Hulud is self-replicating. It hunts for files like .npmrc and cloud credentials, then uses the npm tokens it finds to publish trojanised versions of every package the victim maintains, spreading itself to those packages’ users in turn. Wiz researchers have a great breakdown of how it works.

Now, think about how OpenClaw stores its settings. The config file at ~/.clawdbot/clawdbot.json often contains plain text API keys (for OpenAI, Anthropic, AWS) and sometimes even unencrypted session tokens.

If Shai-Hulud (or something like it) starts targeting this file, the fallout could be huge. The malware wouldn’t just take over your NPM packages: it could also grab your AI agent’s chat history, context, and the power to act as you.

Picture a worm that doesn’t just spread through code, but uses your AI agent to send believable, context-aware phishing messages to your colleagues on Slack. That’s the nightmare scenario: a supply chain attack supercharged by AI.

Why the JSON file is a goldmine

Why is ~/.clawdbot/clawdbot.json such a big deal?

In their rush to add features, the developers behind ClawdBot and MoltBot chose convenience over security. Instead of using the operating system’s secret store (the macOS Keychain, Windows Credential Manager, or the Secret Service API on Linux), they just dumped everything into a plain JSON file in your home directory, readable by every process running as your user.

Popular info-stealer malware like RedLine, Lumma, and Vidar have already been updated to look for this file.

So if you get hit by any common malware, even from a sketchy ad, the attackers instantly get:

  1. Your LLM provider keys (which could rack up huge bills).
  2. Your GitHub Personal Access Tokens (often stored for coding tasks).
  3. Access to any cloud infrastructure the agent was set up to manage.

It’s like taping your spare house key, debit card, and PIN to your front door.

Final thoughts: Time to move on

There’s a time for experimenting, and a time to cut your losses. With ClawdBot, we’re way past the point of harm reduction.

This project showed there’s real demand for local AI, but also highlighted exactly how not to build it. The rapid rebranding to MoltBot and OpenClaw isn’t progress: it’s just damage control.

Still thinking of using it?

If you do, you’re betting your digital identity that you can patch faster than an automated worm can exploit. You’re trusting your firewall to block attacks that can come from inside your own browser.

Here’s what you should do:

  1. Uninstall ClawdBot, MoltBot, and OpenClaw right away.
  2. Delete the ~/.clawdbot directory (and check for ~/.moltbot and ~/.openclaw too). Before you delete it, list which keys and tokens the config held so that the next step is complete; if you suspect the machine was actually compromised, copy the directory somewhere safe first, because it is your evidence.
  3. Rotate every credential that was ever accessible to the agent: OpenAI keys, GitHub tokens, AWS credentials, everything. Treat them as compromised rather than waiting for proof, then check the providers’ usage and audit logs (LLM spend, GitHub token activity, CloudTrail) for anything you didn’t do.
  4. Wait for a mature, security-audited solution that uses proper sandboxing and secrets management.
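
For the inventory in step 2 and the rotation list in step 3, here is an added Python triage script (not the project’s code) that walks an agent config file and reports every plaintext credential it finds, classified by the well-known public key prefixes (Anthropic `sk-ant-`, OpenAI `sk-`, GitHub `ghp_` / `github_pat_`, AWS `AKIA` / `ASIA`) and otherwise by a secret-looking key name. The path ~/.clawdbot/clawdbot.json is from the article; the JSON layout below is a constructed sample, and scanning every *.json under the ~/.moltbot and ~/.openclaw directories is an assumption, since the article only names the ClawdBot file.

```python
"""Added example (not OpenClaw's code): inventory the plaintext secrets in an
agent config so you know exactly what to rotate before you delete it.
SAMPLE_CONFIG is constructed; the key prefixes are the providers' public
formats; the directory list beyond ~/.clawdbot is an assumption."""
import json
import re
from pathlib import Path

# (kind, pattern on the VALUE). Order matters: 'sk-ant-' must precede 'sk-'.
VALUE_PATTERNS = [
    ("anthropic_api_key", re.compile(r"^sk-ant-[A-Za-z0-9_\-]{20,}$")),
    ("openai_api_key",    re.compile(r"^sk-[A-Za-z0-9_\-]{20,}$")),
    ("github_pat",        re.compile(r"^(ghp_[A-Za-z0-9]{36}|github_pat_[A-Za-z0-9_]{22,})$")),
    ("aws_access_key_id", re.compile(r"^(AKIA|ASIA)[A-Z0-9]{16}$")),
]
# Key names that usually hold a secret even when the value has no known prefix.
KEY_HINTS = re.compile(r"(secret|token|password|passwd|api[_-]?key|credential)", re.I)

# Assumed locations: the article names the first; the others are guesses from
# the rebrands mentioned in the clean-up steps.
CONFIG_DIRS = ["~/.clawdbot", "~/.moltbot", "~/.openclaw"]

# Constructed sample, using documented placeholder-style values only.
SAMPLE_CONFIG = {
    "model": "claude-example",
    "providers": {
        "anthropic": {"api_key": "sk-ant-EXAMPLE0000000000000000000"},
        "openai": {"api_key": "sk-EXAMPLE00000000000000000000"},
    },
    "github": {"token": "ghp_EXAMPLEEXAMPLEEXAMPLEEXAMPLE00000000"},
    "aws": {"access_key_id": "AKIAIOSFODNN7EXAMPLE",
            "secret_access_key": "wJalrXUtnFEMI/K7MDENG/bPxRfiCYEXAMPLEKEY"},
    "session": {"token": "eyJEXAMPLE.payload.signature"},
    "allowed_tools": ["shell", "filesystem"],
}


def redact(value):
    """Keep just enough to recognise the key in a provider console, never the whole value."""
    return value[:6] + "..." + value[-4:] if len(value) > 14 else "***"


def find_secrets(node, path="$"):
    """Recursively walk parsed JSON. Returns [(json_path, kind, redacted_value)]."""
    found = []
    if isinstance(node, dict):
        for key, val in node.items():
            found.extend(find_secrets(val, f"{path}.{key}"))
    elif isinstance(node, list):
        for i, val in enumerate(node):
            found.extend(find_secrets(val, f"{path}[{i}]"))
    elif isinstance(node, str) and node:
        for kind, pattern in VALUE_PATTERNS:
            if pattern.match(node):
                found.append((path, kind, redact(node)))
                break
        else:
            leaf = path.rsplit(".", 1)[-1]          # last key name on the path
            if KEY_HINTS.search(leaf):
                found.append((path, "unclassified_secret", redact(node)))
    return found


def scan_json_file(path):
    """Scan one file; unreadable or non-JSON files are reported, not skipped silently."""
    p = Path(path).expanduser()
    try:
        return find_secrets(json.loads(p.read_text()))
    except (OSError, json.JSONDecodeError) as exc:
        return [("-", "unreadable", str(exc))]


def scan_config_dirs(dirs=CONFIG_DIRS):
    """Return {file: hits} for every *.json in the given directories that exist."""
    report = {}
    for d in dirs:
        for f in sorted(Path(d).expanduser().glob("*.json")):
            report[str(f)] = scan_json_file(f)
    return report


if __name__ == "__main__":
    print("sample config:")
    for path, kind, shown in find_secrets(SAMPLE_CONFIG):
        print(f"  {kind:20} {path:40} {shown}")
    for file, hits in scan_config_dirs().items():
        print(file)
        for path, kind, shown in hits:
            print(f"  {kind:20} {path:40} {shown}")
```

Run it before deleting the directory and the output is your rotation checklist: every `*_api_key`, `github_pat` and `aws_access_key_id` line maps to a provider console, and every `unclassified_secret` line (here the AWS secret key and the session token) is something to revoke by hand. The values are redacted in the output on purpose; an incident note that contains the full key is itself another copy to leak.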

AI agents are the future, but let’s make sure we have a secure machine to run them on. Don’t let the promise of productivity turn your laptop into the next node in a botnet.