What happened
Researchers discovered that numerous instances of Clawdbot, an open-source AI agent gateway used to automate tasks and interface with messaging platforms, are exposed on the public internet without proper authentication. These exposed gateways allow attackers to access sensitive data, including API keys, OAuth tokens and months of private conversation history, and in some cases to execute commands on the host system.
The root cause is a default “localhost auto-approval” configuration that, when deployed behind common reverse proxies, treats external traffic as local, bypassing intended authentication controls. A hardening pull request has been submitted, and documentation now recommends explicit proxy and authentication settings.
Who is affected
Users and organizations running Clawdbot instances are directly at risk, particularly those with gateways accessible from the internet. This includes individuals and teams integrating Clawdbot with messaging services such as WhatsApp, Telegram, Slack, Discord, Signal, and iMessage. Exposed credentials can be used to compromise associated systems, and attackers may impersonate legitimate users or take control of the agent’s execution capabilities.
Why CISOs should care
Clawdbot and similar autonomous AI agents concentrate high-value assets, such as credentials, conversation histories, and execution rights, into a single service. Misconfiguration can expose these assets to unauthorized access, leading to credential theft, data exfiltration, impersonation, and unmonitored command execution. The incident highlights broader security challenges with self-hosted AI infrastructure and the need for robust defaults, proxy hardening, and strict access controls.
3 practical actions
- Audit and restrict accessibility: Immediately identify and secure any Clawdbot gateways accessible from the internet. Block direct public access or move access behind VPNs or secure tunnels.
- Harden authentication and proxies: Configure explicit authentication and set trusted proxy headers to prevent localhost auto-approval bypass. Rotate and revoke exposed API keys and tokens.
- Implement least privilege: Treat agent credentials and stored conversation data as high-value assets. Enforce least-privilege principles, limit where and how the agent can execute commands, and conduct regular security reviews of AI agent deployments.
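The following is an added illustration, not Clawdbot's own code, of the "localhost auto-approval" failure described under "What happened" and of the trusted-proxy fix recommended in the second action above: a gateway that trusts any loopback TCP peer auto-approves every request relayed by a same-host reverse proxy, whereas a gateway that resolves the real client from a forwarded header only when the peer is an explicitly configured proxy, and otherwise requires a token, does not. The Request class, the trusted-proxy set, the header name and the sample addresses are constructed for the example.

```python
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

@dataclass
class Request:
    """Stand-in for an inbound gateway request (constructed for this example)."""
    peer_ip: str                      # TCP peer address as the gateway socket sees it
    headers: dict = field(default_factory=dict)
    auth_token: Optional[str] = None

def is_loopback(ip: str) -> bool:
    return ipaddress.ip_address(ip).is_loopback

def weak_is_local(req: Request) -> bool:
    """Naive localhost auto-approval: trust any connection whose TCP peer is loopback.
    With a reverse proxy on the same host, every external request arrives from
    127.0.0.1, so every external request is auto-approved."""
    return is_loopback(req.peer_ip)

def client_ip(req: Request, trusted_proxies: frozenset) -> Optional[str]:
    """Resolve the originating client address.
    X-Forwarded-For is honoured only when the peer is an explicitly configured
    trusted proxy (a direct client can set the header itself). A trusted proxy
    that sends no header is a misconfiguration, so the address is 'unknown'."""
    xff = req.headers.get("x-forwarded-for")
    if req.peer_ip in trusted_proxies:
        return xff.split(",")[0].strip() if xff else None
    return req.peer_ip

def hardened_is_local(req: Request, trusted_proxies: frozenset) -> bool:
    """Local only if the resolved client (not the proxy) is loopback; unknown fails closed."""
    ip = client_ip(req, trusted_proxies)
    return ip is not None and is_loopback(ip)

def authorize(req: Request, trusted_proxies: frozenset, expected_token: str) -> bool:
    """Admit the request if the real client is local or it presents the configured token."""
    if hardened_is_local(req, trusted_proxies):
        return True
    return req.auth_token is not None and hmac.compare_digest(req.auth_token, expected_token)

if __name__ == "__main__":
    PROXIES = frozenset({"127.0.0.1"})        # reverse proxy running on the same host
    external = Request("127.0.0.1", {"x-forwarded-for": "203.0.113.5"})
    print("weak:", weak_is_local(external))                   # True: proxied traffic looks local
    print("hardened:", hardened_is_local(external, PROXIES))  # False: real client is external
```

Because a same-host proxy shares the loopback address with genuinely local clients, the gateway cannot tell the two apart by peer address alone, which is why the hardened path fails closed and falls back to the token whenever the proxy does not vouch for a loopback origin.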
