28 Jan 2026 - Moltbot, an open-source local AI agent controllable via messaging apps, automates tasks using chosen LLMs but grants admin-level access: powerful automation with serious security and credential-exposure risks.
An open-source AI agent called Moltbot (formerly Clawdbot) is rapidly gaining attention for actually carrying out tasks on users’ behalf. It runs locally on many devices and can be controlled through messaging apps like WhatsApp, Telegram, Signal, Discord, and iMessage. People have shared use cases ranging from managing reminders and logging health and fitness data to communicating with clients. Federico Viticci (MacStories) used Moltbot on an M4 Mac Mini to produce daily audio recaps from his calendar, Notion, and Todoist.
Moltbot forwards requests to whichever model provider you choose (OpenAI, Anthropic, Google) and can automate browser form-fills, emails, calendar management, and more. But the tool’s power comes with risks: users can grant it admin-level access to read/write files, run shell commands, and execute scripts. Security experts warn that combining device admin access with app credentials exposes users to prompt-injection attacks and remote hijacking. Rachel Tobac of SocialProof Security highlighted the danger of interacting with an agent that has privileged access, and security researcher Jamieson O’Reilly found exposed private messages, credentials, and API keys (developers issued a fix).
One Moltbot developer described it as “powerful software with a lot of sharp edges,” urging users to read the security docs before exposing it to the public internet. The project has also been targeted by scammers after its name change.