Clawdbot/Moltbot Security Hardening Guide: Fix Gateway Exposure in 15 Minutes & Protect Your API Keys

Summary

With more than 1,673 exposed Clawdbot/Moltbot gateways online, this guide reveals critical privacy risks (leaked API keys, chat histories, server access) and offers a 5-minute exposure check + 15-step hardening process. Secure your self-hosted AI assistant with actionable steps for all skill levels.

If you’re using Clawdbot (formerly known as Moltbot), you’re likely drawn to its convenience: a self-hosted AI assistant that stays online 24/7, connecting to your messages, files, and tools—all under your control. But here’s a sobering fact: security researchers have identified more than 1,673 exposed Clawdbot/Moltbot gateways on the internet. Your API keys, cross-platform chat logs, and even full access to your host server could be accessible to anyone who knows where to look.

The good news? You don’t need advanced technical skills to fix this. Even if you’ve never used a terminal before, you can lock down your Clawdbot in just 15 minutes. This guide walks you through every step—from checking if you’re exposed to implementing ironclad security measures. We’ll also cover advanced protection for cloud server deployments, so you can enjoy Clawdbot’s power without sacrificing privacy.

I. Why Clawdbot Exposure Is a “Digital Naked” Risk

Clawdbot itself isn’t flawed—but its gateway was designed only for local use, not public internet exposure. When you run it on a server or VPS without proper configuration, you’re essentially leaving your digital front door unlocked with a sign that reads, “API keys inside.”

1.1 What Gets Exposed? A Concrete Risk List

Security scans of vulnerable Clawdbot instances have uncovered these sensitive assets:

  • Complete chat histories from Telegram, WhatsApp, Signal, and iMessage
  • API keys for Claude, OpenAI, and other AI service providers
  • OAuth tokens and bot credentials
  • Full shell access to the host machine

Attackers don’t need sophisticated hacking skills to exploit this. One researcher demonstrated extracting a private key from a compromised system in under 5 minutes using a simple prompt injection attack.

1.2 The Email That Leaked Everything (A Real Example)

Here’s a chilling scenario that highlights the risk: A security researcher sent a single email to someone running Clawdbot with email integration. The email contained hidden instructions that tricked the AI into:

  1. Reading the victim’s 5 most recent emails
  2. Summarizing their contents (including client meetings, invoices, and personal messages)
  3. Forwarding the summary to the attacker’s inbox

No brute-force attacks, no malware—just a single email. This isn’t a Clawdbot bug; it’s a byproduct of how AI agents work: they interpret instructions from external content (like emails) and act on them. When exposed to the internet, that functionality becomes a liability.

1.3 Key Clarification: This Isn’t a Clawdbot “Bug”

Many users mistakenly blame Clawdbot for the risk, but the issue lies in misconfiguration. Clawdbot is built for local use—exposing its gateway to the public internet bypasses its intended security model. The fixes below align your setup with Clawdbot’s design while keeping it accessible for your needs.

II. 5-Minute Exposure Check: Are You Vulnerable?

Before hardening your setup, confirm if your Clawdbot gateway is exposed. These two checks deliver definitive answers—no technical expertise required.

2.1 Check 1: Verify Your Gateway’s Bind Address

The “bind” setting determines which devices can connect to your Clawdbot gateway. This is the most critical exposure indicator.

Step-by-Step Instructions:

  1. Open your terminal:

    • Mac: Search for “Terminal” in Spotlight
    • Windows: Search for “Command Prompt” or “PowerShell”
  2. Run this command:
clawdbot gateway status
  3. Locate the “bind” setting and interpret the result:

    • bind=loopback (127.0.0.1): Safe. Only your local machine can connect (like talking in a soundproof room).
    • bind=lan or bind=0.0.0.0: High risk. The gateway listens on all networks (like shouting through a megaphone). Fix this immediately.

2.2 Check 2: Test External Access

If Clawdbot runs on a server, verify if it’s accessible from outside your network.

Step-by-Step Instructions:

  1. Use a device not connected to your WiFi (e.g., your phone’s mobile data).
  2. Try accessing these URLs (replace YOUR-SERVER-IP with your server’s public IP):
http://YOUR-SERVER-IP:18789
https://YOUR-SERVER-IP:18789
  3. For precise port checking, use the netcat command (replace placeholders):
nc -zv {YOUR-SERVER-IP} {PORT}
  4. Interpretation:

    • If you see the Clawdbot interface without entering a password: You’re exposed. Prioritize the hardening steps below.
    • If access is blocked or requires authentication: Temporarily safe, but still complete the full hardening process.

III. 15-Minute Hardening: Lock Down Your Clawdbot Gateway

Below are 6 sequential steps to secure your Clawdbot—each explained with “why it matters” before “how to do it.” Total time: 15 minutes.

3.1 Step 1: Bind to Loopback Address (2 Minutes)

This is the single most important step. It restricts Clawdbot to accept connections only from the machine it’s running on.

Why It Matters:

By binding to 127.0.0.1 (the loopback address), you block external devices—even if your server’s port is open to the internet—from accessing the gateway.

Step-by-Step Instructions:

  1. Open your Clawdbot config file:

    • Mac/Linux: Run this command to open the nano editor:
nano ~/.clawdbot/clawdbot.json
    • Windows: Open File Explorer, paste %USERPROFILE%\.clawdbot\clawdbot.json into the address bar, and edit with Notepad.
  2. Add or update the “gateway” section to match this:
{
  "gateway": {
    "bind": "loopback",
    "port": 18789
  }
}
  3. Save the file:

    • Mac/Linux (nano): Press Ctrl+X, type Y, then press Enter.
    • Windows (Notepad): Click “Save.”
  4. Restart the gateway and verify:
# Restart the gateway
clawdbot gateway restart
# Confirm the change
clawdbot gateway status
  • Success indicator: The output must show bind=loopback (127.0.0.1).
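
To confirm the result independently of Clawdbot's own status output, you can ask the operating system which address the gateway port is actually bound to. The script below is an added example, not part of Clawdbot; it assumes the Linux `ss -ltn` column layout, and the sample listings in it are constructed.

```sh
#!/bin/sh
# Added example: classify TCP listeners on the gateway port from `ss -ltn` output.

# Reads `ss -ltn` output on stdin; prints "<verdict> <local-address>" per listener.
classify_listeners() {
    awk -v port="$1" '
        $1 == "LISTEN" {
            n = split($4, parts, ":")          # port is the text after the last colon
            if (parts[n] != port) next
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (addr ~ /^127\./ || addr == "[::1]")
                verdict = "LOOPBACK"
            else if (addr == "0.0.0.0" || addr == "*" || addr == "[::]")
                verdict = "ALL-INTERFACES"     # what bind=lan / 0.0.0.0 looks like
            else
                verdict = "SPECIFIC-INTERFACE" # a LAN, public or VPN address
            print verdict, addr
        }'
}

# Returns 0 if every listener on the port is loopback, 1 if any is not,
# 2 if nothing is listening on that port.
gateway_is_loopback_only() {
    out=$(classify_listeners "$1")
    [ -n "$out" ] || return 2
    if printf '%s\n' "$out" | grep -qv '^LOOPBACK '; then return 1; fi
    return 0
}

# Constructed sample listings (not captured from a real host).
sample_safe() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511        127.0.0.1:18789     0.0.0.0:*
LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
EOF
}
sample_exposed() {
    cat <<'EOF'
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:18789     0.0.0.0:*
LISTEN 0      511             [::]:18789        [::]:*
EOF
}

# On a live Linux host: ss -ltn | classify_listeners 18789
sample_safe | classify_listeners 18789
sample_exposed | classify_listeners 18789
```

Any line other than LOOPBACK for port 18789 means the bind change did not take effect and the gateway is still reachable from other machines.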

3.2 Step 2: Harden File Permissions (2 Minutes)

Your Clawdbot config files store API keys, credentials, and chat histories. Locking down permissions ensures only you can access them.

Why It Matters:

Even if an attacker gains low-level access to your server, restricted file permissions prevent them from reading sensitive data.

Step-by-Step Instructions:

Option 1: Manual Configuration (Mac/Linux)

Run these commands (permission values are explicitly defined):

# Restrict config directory: Only you can read/write/execute (700)
chmod 700 ~/.clawdbot
# Restrict main config file: Only you can read/write (600)
chmod 600 ~/.clawdbot/clawdbot.json
# Restrict credentials directory: Only you can read/write/execute (700)
chmod 700 ~/.clawdbot/credentials
  • Permission breakdown:

    • 700: Owner has read (r), write (w), and execute (x) permissions; others have none.
    • 600: Owner has read (r) and write (w) permissions; others have none.

Option 2: Automatic Fix (All Platforms)

For simplicity, use Clawdbot’s built-in tool to auto-harden permissions:

clawdbot security audit --fix
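
Whichever option you use, it is worth verifying the resulting modes rather than assuming the change applied. The read-only check below is an added example, not part of Clawdbot or its audit tool; it checks the three paths named above, then sweeps the directory for anything group or other users can still access. The demo tree at the end is constructed.

```sh
#!/bin/sh
# Added example: verify the permissions set in this step (read-only, changes nothing).

# Octal permission bits of a path: GNU stat first, BSD/macOS stat as fallback.
mode_of() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Checks the three paths from this guide, then sweeps the tree for anything
# group/other can touch. Prints findings; returns 1 if any were found.
audit_clawdbot_perms() {
    dir="$1"; findings=0
    [ -d "$dir" ] || { echo "SKIP   $dir (no such directory)"; return 2; }
    for entry in "$dir:700" "$dir/clawdbot.json:600" "$dir/credentials:700"; do
        path=${entry%:*}; want=${entry##*:}
        [ -e "$path" ] || { echo "SKIP   $path (not present)"; continue; }
        got=$(mode_of "$path")
        if [ "$got" != "$want" ]; then
            echo "LOOSE  $path mode=$got expected=$want"
            findings=1
        fi
    done
    # -perm -NNN is POSIX: true when all bits in NNN are set. Symlinks are skipped.
    extra=$(find "$dir" ! -type l \( -perm -040 -o -perm -020 -o -perm -010 \
                                  -o -perm -004 -o -perm -002 -o -perm -001 \) -print)
    if [ -n "$extra" ]; then
        echo "$extra" | sed 's/^/OPEN   /'
        findings=1
    fi
    return "$findings"
}

# Constructed demo tree with deliberately loose modes (not a real install).
# On a real install, call: audit_clawdbot_perms "$HOME/.clawdbot"
demo=$(mktemp -d)
mkdir "$demo/credentials"
echo '{}' > "$demo/clawdbot.json"
chmod 755 "$demo" "$demo/credentials"
chmod 644 "$demo/clawdbot.json"
audit_clawdbot_perms "$demo" || echo "findings listed above"
rm -rf "$demo"
```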

3.3 Step 3: Disable Network Broadcasting (1 Minute)

Clawdbot uses mDNS (Bonjour) to broadcast its presence on your local network—convenient for device discovery, but risky for exposure.

Why It Matters:

Disabling mDNS stops your Clawdbot from announcing itself to other devices on the network, reducing the chance of unauthorized detection.

Step-by-Step Instructions:

Mac/Linux:
  1. Open your shell config file (choose based on your shell):
# For bash users
nano ~/.bashrc
# For zsh users
nano ~/.zshrc
  2. Add this line to the file:
export CLAWDBOT_DISABLE_BONJOUR=1
  3. Save and reload the config:
# For bash users
source ~/.bashrc
# For zsh users
source ~/.zshrc

Windows:
  1. Search for “Environment Variables” in the Start Menu and select “Edit the system environment variables.”
  2. Click “Environment Variables” in the pop-up window.
  3. Under “User variables,” click “New.”
  4. Enter:

    • Variable name: CLAWDBOT_DISABLE_BONJOUR
    • Variable value: 1
  5. Click “OK” to save.

3.4 Step 4: Run a Deep Security Audit (2 Minutes)

Clawdbot’s built-in audit tool scans for common vulnerabilities and auto-fixes issues—think of it as a “security health check.”

Why It Matters:

The audit verifies file permissions, network exposure, configuration errors, and known vulnerabilities—ensuring you haven’t missed critical gaps.

Step-by-Step Instructions:

  1. Run the deep audit:
clawdbot security audit --deep
    • This outputs a detailed report of issues (e.g., weak permissions, outdated settings).
  2. Auto-fix detectable issues:
clawdbot security audit --deep --fix
  3. Critical step: Review the output to confirm all high-risk issues are resolved. Manual fixes may be required for external issues (e.g., outdated Node.js).

3.5 Step 5: Update Node.js to Version 22.12.0+ (3 Minutes)

Clawdbot runs on Node.js, and older versions have known security flaws that attackers can exploit to bypass protections.

Why It Matters:

Node.js 22.12.0 and above patch critical vulnerabilities in the runtime environment—eliminating a potential “backdoor” to your Clawdbot.

Step-by-Step Instructions:

  1. Check your current Node.js version:
node --version
    • If v22.12.0 or higher: No update needed.
    • If lower: Follow the platform-specific steps below.
  2. Update Node.js:

    • Mac (Homebrew):
brew update && brew upgrade node
    • Ubuntu/Debian Linux:
curl -fsSL https://deb.nodesource.com/setup_22.x | sudo -E bash -
sudo apt-get install -y nodejs
    • Windows: Download the latest installer (v22.12.0+) from the official Node.js website and run it.
  3. Verify the update: Re-run node --version to confirm the new version.

3.6 Step 6: Enable Gateway Authentication (3 Minutes)

Add a password or token requirement to ensure only authorized users can access your Clawdbot—even if previous protections fail.

Why It Matters:

Authentication acts as a final barrier: without the correct credentials, attackers can’t access the gateway, even if it’s accidentally exposed.

Two Authentication Options (Choose One)

Option A: Token Authentication (Recommended for Security)
  1. Generate a secure random hex token (32 random bytes, which openssl prints as 64 hex characters):
openssl rand -hex 32
    • Copy the output (a 64-character hex string).
  2. Set the token as an environment variable:

    • Mac/Linux:
export CLAWDBOT_GATEWAY_TOKEN="your-generated-token"
    • Windows: Create a new environment variable (per Step 3.3) named CLAWDBOT_GATEWAY_TOKEN with your token as the value.
  3. Restart the gateway:
clawdbot gateway restart

Option B: Password Authentication
  1. Edit your clawdbot.json config file:
{
  "gateway": {
    "auth": {
      "mode": "password"
    }
  }
}
  2. Set your password as an environment variable:

    • Mac/Linux:
export CLAWDBOT_GATEWAY_PASSWORD="your-secure-password"
    • Windows: Create a new environment variable named CLAWDBOT_GATEWAY_PASSWORD with your password as the value.
  3. Restart the gateway:
clawdbot gateway restart

IV. Advanced Protection: Secure Cloud Server Deployments with Tailscale

If you run Clawdbot on a cloud server (AWS, DigitalOcean, Hetzner, etc.), add Tailscale to create a private, encrypted tunnel for remote access—no public exposure required.

4.1 What Is Tailscale?

Tailscale creates a secure, private network between your devices and your server. You can access Clawdbot from anywhere in the world without exposing its gateway to the public internet.

4.2 Step-by-Step Tailscale Setup

Step 1: Install Tailscale on Your Server

# Download and install Tailscale
curl -fsSL https://tailscale.com/install.sh | sh
# Start Tailscale and log in
sudo tailscale up
  • After running sudo tailscale up, a URL will appear. Copy it to your browser, log in with a Tailscale account (free for personal use), and authorize the server.

Step 2: Install Tailscale on Your Personal Device

Download the Tailscale app for your computer/phone (available for Windows, Mac, iOS, Android) and log in with the same account used for the server. Your devices will now be on the same private network.

Step 3: Configure Clawdbot to Use Tailscale

Edit your clawdbot.json config file to enable Tailscale integration:

{
  "gateway": {
    "bind": "loopback",
    "tailscale": {
      "mode": "serve"
    }
  }
}
  • Restart the gateway:
clawdbot gateway restart

You can now access Clawdbot securely from any device on your Tailscale network—no public IP exposure.

V. SSH Hardening Basics: Secure Server Access

If you access your Clawdbot server via SSH, disable password authentication (a common attack vector) and use SSH keys instead.

Core Step: Disable Password Authentication

  1. Generate an SSH key pair on your local machine (if you don’t have one):
ssh-keygen -t ed25519 -C "your-email@example.com"
  2. Copy the public key to your server:
ssh-copy-id your-username@your-server-ip
  3. Edit the SSH config file on your server:
sudo nano /etc/ssh/sshd_config
  4. Update these settings:
PasswordAuthentication no
PubkeyAuthentication yes
  5. Restart the SSH service:
sudo systemctl restart sshd
  • This ensures only devices with your SSH key can log into the server—blocking brute-force password attacks.

VI. FAQ: Common Clawdbot Security Questions

Q1: Why does binding to 127.0.0.1 (loopback) prevent external access?

A1: The loopback address (127.0.0.1) refers exclusively to the local machine. When Clawdbot binds to this address, it only responds to connection requests from the same device. Even if port 18789 on your server is open to the internet, external devices will be rejected—like a door that only opens for the homeowner.

Q2: Will clawdbot security audit --deep --fix resolve all issues?

A2: No, but it fixes most common problems (e.g., weak file permissions, misconfigured bindings). It cannot update external software (e.g., Node.js) or modify SSH settings. Always review the audit output to address remaining high-risk issues manually.

Q3: What if I forget my authentication token or password?

A3: For token authentication: Generate a new token with openssl rand -hex 32, update the CLAWDBOT_GATEWAY_TOKEN environment variable, and restart the gateway. For password authentication: Update the CLAWDBOT_GATEWAY_PASSWORD environment variable with a new password and restart the gateway.

Q4: Can I still access Clawdbot on my local network after disabling Bonjour?

A4: If your gateway is bound to 127.0.0.1, no—Bonjour or not, only the local machine can connect. If you need LAN access, temporarily set bind=lan and enable authentication (Step 3.6) to restrict access to authorized users.

Q5: Do I still need to bind to loopback if I use Tailscale?

A5: Yes! Binding to loopback is a foundational security measure. Tailscale adds a private tunnel for remote access, but loopback ensures the gateway never listens for public connections—even if Tailscale is misconfigured.

Conclusion

Clawdbot is a powerful self-hosted AI assistant, but its security depends on proper configuration. With over 1,673 exposed gateways online, the risk of leaked API keys, chat histories, and server access is very real—but easily preventable.

By following this guide:

  • Spend 5 minutes checking for exposure
  • Complete 6 core hardening steps in 15 minutes
  • Add Tailscale and SSH key authentication for cloud deployments

You’ll lock down your Clawdbot without sacrificing functionality. Remember: The risk isn’t a “bug” in Clawdbot—it’s misconfiguration. With these steps, you can enjoy the convenience of a self-hosted AI assistant while keeping your digital privacy and assets secure.

Don’t wait for an attack to happen—harden your Clawdbot today.