Your AI Agent Is Probably Exposed: How to Secure Clawdbot, MoltBot, and OpenClaw
175,000 Ollama servers are exposed online. AI agent frameworks like Clawdbot are next. Here's how to lock them down before someone else does.
Last week, SentinelOne reported that 175,000 Ollama servers are sitting exposed on the internet, many with remote code execution enabled. No authentication. No firewall. Just... open.
This week, we saw CVE-2026-25253 — a 1-click RCE in OpenClaw that let attackers steal gateway tokens and fully compromise systems. And over 230 malicious skill packages were pushed through official registries targeting Clawdbot and MoltBot users.
If you're running an AI agent framework — Clawdbot, MoltBot, OpenClaw, or similar — you need to lock it down. Now.
Why AI Agents Are Juicy Targets
Your AI agent isn't just a chatbot. It likely has:
- Shell access — It can run commands on your system
- File access — It can read and write files
- API credentials — Connected to your email, calendar, cloud services
- Network access — Can make HTTP requests, access internal services
- Memory — Stores context about you, your work, your habits
An attacker who compromises your agent gets all of that. It's not just a security issue — it's a privacy nightmare.
The Common Mistakes
1. Exposing the Control Interface
The most common mistake: binding your agent's web interface or API to 0.0.0.0 instead of 127.0.0.1.
# ❌ BAD: Accessible from anywhere
gateway:
host: 0.0.0.0
port: 8080
# ✅ GOOD: Only accessible locally
gateway:
host: 127.0.0.1
port: 8080
If you need remote access, use a VPN or SSH tunnel — not an exposed port.
2. No Authentication
Some setups skip authentication entirely for "convenience." This is like leaving your house keys under the doormat and posting about it on social media.
Always enable authentication:
gateway:
auth:
enabled: true
token: "${GATEWAY_TOKEN}" # Use environment variable, not plaintext
3. Running as Root
Your AI agent doesn't need root access. If it gets compromised, running as root means the attacker owns everything.
# Create a dedicated user
sudo useradd -r -s /bin/false clawdbot
# Run the agent as that user
sudo -u clawdbot clawdbot gateway start
4. Installing Unverified Skills/Packages
Those 230+ malicious packages? They looked legitimate. They had reasonable names. They were in official registries.
Before installing any skill:
- Check the source repository
- Look at the code (yes, actually look)
- Check when it was published (brand new = suspicious)
- Verify the publisher's identity
# Don't just blindly install
clawdbot skill install random-skill-from-internet # ❌
# Check the source first
gh repo view publisher/skill-name # ✅
5. Storing Secrets in Config Files
Your config.yaml shouldn't contain plaintext API keys:
# ❌ BAD
openai:
apiKey: "sk-abc123..."
# ✅ GOOD
openai:
apiKey: "${OPENAI_API_KEY}"
Use environment variables, a secrets manager, or at minimum, a .env file that's not in version control.
The Security Checklist
Here's a quick audit for your setup:
Network Security
- Agent bound to
127.0.0.1, not0.0.0.0 - No ports exposed to the internet without VPN/tunnel
- Firewall rules blocking external access to agent ports
- Using HTTPS if exposing any web interface
Authentication
- Gateway authentication enabled
- Strong, unique token (not "password123")
- Token stored in environment variable, not config
- 2FA enabled if available
Permissions
- Agent running as non-root user
- Minimal file system permissions
- Shell access restricted to necessary directories
- Network egress limited if possible
Supply Chain
- Only installing skills from trusted sources
- Reviewing skill code before installation
- Keeping agent software updated
- Monitoring for security advisories
Monitoring
- Logging enabled for agent actions
- Alerts for unusual activity
- Regular review of what the agent has access to
Clawdbot-Specific Hardening
If you're running Clawdbot specifically, here are some additional tips:
1. Use the Built-in Security Features
# config.yaml
security:
exec:
mode: allowlist # Only allow specific commands
allowlist:
- git
- npm
- node
browser:
enabled: false # Disable if not needed
nodes:
requireApproval: true # Manual approval for new nodes
2. Restrict Tool Access
Not every conversation needs shell access:
channels:
discord:
tools:
exec: false # Disable shell in Discord
browser: false
# Only allow safe tools in public channels
3. Enable Audit Logging
logging:
level: info
audit: true # Log all tool invocations
path: /var/log/clawdbot/
4. Keep It Updated
# Check for updates
clawdbot update check
# Apply updates
clawdbot update run
The CVE-2026-25253 vulnerability was patched in v2026.1.29 — if you're on an older version, update immediately.
The Nuclear Option: Air Gap
If you're handling sensitive data, consider running your agent on an air-gapped or heavily restricted network:
- Separate VLAN with no internet access
- Allowlist only necessary API endpoints
- No ability to exfiltrate data even if compromised
This is overkill for most users, but if you're in healthcare, finance, or handling PII, it's worth considering.
What To Do If You've Been Compromised
If you suspect your agent has been compromised:
- Disconnect immediately — Kill the process, block network access
- Rotate all credentials — Every API key, every token, every password
- Check for persistence — Look for cron jobs, startup scripts, SSH keys
- Review logs — What did the agent do? What files were accessed?
- Reinstall from scratch — Don't try to "clean" a compromised system
The Bottom Line
AI agents are incredibly powerful tools. That power makes them incredibly dangerous if misconfigured.
The good news: most security issues come from simple misconfigurations. Bind to localhost. Enable authentication. Don't run as root. Review what you install.
Take 15 minutes today to audit your setup. Your future self (and your data) will thank you.
Running into issues securing your setup? Drop me a message — happy to help troubleshoot.