Moltbot (formerly known as Clawdbot) is the most viral AI product I’ve seen in a while. The personal AI assistant runs locally and connects via a chat app, like WhatsApp or iMessage. Once you give Moltbot access to your entire device, it can do things on that device for you. This the sort of thing that excites agentic AI pioneers, but worries privacy and security enthusiasts like myself.
And indeed, I have significant concerns about the risks installing Moltbot on your personal machine. Since agentic AI will autonomously perform tasks based on prompts, bad actors can take advantage of the situation by surreptitiously feeding those bots malicious prompts of their own. This is called prompt injection, and it can impact any type of agentic AI system, whether an AI browser, or an AI assistant like Moltbot.
But it’s not just prompt injection that presents an issue for Moltbot users.
Someone has already created a malicious Moltbot extension
As spotted by The Hacker News, Moltbot already has its first malicious extension, dubbed “Clawdbot Agent – AI Coding Assistant” (“clawdbot.clawdbot-agent.”) It seems to have been developed before the bot’s name change. This extension is designed for Visual Studio Code, Microsoft’s open source AI code editor. What’s worse, it was hosted on Microsoft’s official Extension Marketplace, which no doubt gave it legitimacy to Moltbot users looking for a Visual Studio Code extension.
The extension advertised itself as a free AI coding assistant. When you install it, it executes a series of commands that ends up running a remote desktop program (The Hacker News says it’s “ConnectWise ScreenConnect”) on your device. It then connects to a link that lets the bad actor gain remote access to your device. By just installing this extension, you essentially give the hacker the tools to take over your computer from wherever they are.
Luckily, Microsoft has already taken action. The extension is no longer available on the marketplace as of Tuesday. Moltbot has no official Visual Studio Code extension, so assume any you see are illegitimate at best, and malicious at worst. If you did install the extension, researchers have detailed instructions for removing the malware and blocingk any of its processes from running on your device. Of course, to first thing to do is uninstall the extension from Visual Studio Code immediately.
Moltbolt has more security issues too
The Hacker News goes on to highlight findings from security researcher Jamieson O’Reilly, who discovered hundreds of unauthenticated Moltbot instances readily available on the internet. These instances reveal Moltbot users’ configuration data, API keys, OAuth credentials, and even chat histories.
What do you think so far?
Bad actors could use these instances for prompt injection: They could pretend to be a Moltbot user, and issue their own prompts to that user’s Moltbot AI assistant, or manipulate existing prompts and responses. They could also upload malicious “skills,” or specific collections of context and knowledge, to MoltHub and use them to attack users and steal their data.
Speaking to The Hacker News, security researcher Benjamin Marr explains that the core issue is how Moltbot is designed for “ease of deployment” over a “secure-by-default” set up. You can poke around with Moltbot and install sensitive programs without the bot ever warning you about the security risks. There should be firewalls, credential validation, and sandboxing in the mix, and without those things, the user is at greater risk.
To combat against this, The Hacker News recommends that all Moltbot users running with the default security configurations take the following steps:
-
remove any connected service integrations
-
check exposed credentials
-
set up network controls
-
look for any signs of attack
Or, you could do what I’m doing, and avoid Moltbot altogether.
