Hacking Clawdbot: when your AI butler leaves the front door wide open

NewsRSE

The hidden risks of exposed AI agent gateways

A security investigation reveals that hundreds of Clawdbot control servers are exposed to the public internet, granting unauthorized access to sensitive API keys and private messages. The vulnerability stems from a common misconfiguration: when the gateway sits behind a reverse proxy, every connection appears to originate from the local host, so the gateway's auto-approval of local connections is applied to remote traffic and “secure” agents become open gateways for attackers. To protect digital assets, operators must urgently audit their configurations and treat AI agent credential stores with the same level of security as core infrastructure.

Key points

  • Jamieson O’Reilly discovered hundreds of exposed Clawdbot control servers by searching for the “Clawdbot Control” title tag on the public internet.
  • Clawdbot is an open-source AI agent gateway that manages credentials, routes messages, and executes tools across platforms like Slack and Telegram.
  • A critical misconfiguration exists where reverse proxies like Nginx cause the gateway to treat all incoming traffic as trusted local connections from 127.0.0.1.
  • Exposed instances allowed for the exfiltration of Anthropic API keys, Telegram bot tokens, and Slack OAuth credentials.
  • In one instance, a Signal device linking URI was found in a world-readable temp file, bypassing the platform’s end-to-end encryption.
  • Several servers were found running as “root” in containers, allowing unauthenticated users to execute arbitrary commands via the chat interface.
  • Attackers can manipulate an agent’s “perception layer,” filtering or modifying messages before they reach the human operator.
  • An “AI Systems engineer” was among those identified with a misconfigured and exposed public-facing server.
  • The author has submitted a PR with a proposed hardening fix to address the local connection auto-approval bug.
  • Operators are advised to configure gateway.auth.password or gateway.trustedProxies immediately to mitigate risks.
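The reverse-proxy failure mode from the list above, and why the two recommended settings close it, is easier to see in code. The following is an added illustration written for this page, not Clawdbot's own source: the gateway's real request handling, config object shape and helper names are not on the page, so `authDecision`, `resolveClientAddress`, the `config.auth.password` / `config.trustedProxies` fields and every IP address and header below are constructed assumptions (the two field names mirror the `gateway.auth.password` and `gateway.trustedProxies` settings the page names).

```javascript
// Added example (not Clawdbot's code): how a "trust local connections" rule
// behaves behind a reverse proxy, with and without a trusted-proxy list.

const LOOPBACK = new Set(["127.0.0.1", "::1", "::ffff:127.0.0.1"]);

function isLoopback(addr) {
  return LOOPBACK.has(addr);
}

// "client, proxy1, proxy2" -> ["client", "proxy1", "proxy2"]
function parseForwardedFor(header) {
  if (!header) return [];
  return header.split(",").map((s) => s.trim()).filter(Boolean);
}

// Resolve the address the gateway should make its trust decision on.
// The X-Forwarded-For header is only believed when the TCP peer is a proxy
// we explicitly trust; otherwise anyone could claim to be 127.0.0.1.
function resolveClientAddress(peerAddr, headers, trustedProxies) {
  const trusted = new Set(trustedProxies || []);
  if (!trusted.has(peerAddr)) {
    // Direct connection (or an unknown proxy): the header is unverifiable.
    return peerAddr;
  }
  // Walk the chain from the hop nearest to us; the first address that is not
  // one of our proxies is the real client.
  const chain = parseForwardedFor(headers["x-forwarded-for"]);
  for (let i = chain.length - 1; i >= 0; i--) {
    if (!trusted.has(chain[i])) return chain[i];
  }
  // No header, or every hop was a trusted proxy: treat it as the proxy itself.
  return peerAddr;
}

// Hypothetical gateway policy: a configured password is always required;
// without one, only loopback clients are auto-approved and everything else
// is refused.
function authDecision(config, peerAddr, headers) {
  if (config.auth && config.auth.password) {
    return "password-required";
  }
  const client = resolveClientAddress(peerAddr, headers, config.trustedProxies);
  if (isLoopback(client)) {
    return "auto-approve-local";
  }
  return "denied-remote-without-auth";
}

// Constructed scenarios (sample addresses, not observed traffic).
// Nginx on the same host forwards a request from a remote client:
const viaNginx = { "x-forwarded-for": "203.0.113.5" };
const noProxies = { auth: {}, trustedProxies: [] };              // the misconfiguration
const withProxies = { auth: {}, trustedProxies: ["127.0.0.1"] }; // gateway.trustedProxies set
const withPassword = { auth: { password: "<placeholder>" }, trustedProxies: [] }; // gateway.auth.password set

// The peer is 127.0.0.1 in all three cases, because nginx is the peer.
console.log("no trustedProxies:", authDecision(noProxies, "127.0.0.1", viaNginx));
console.log("trustedProxies set:", authDecision(withProxies, "127.0.0.1", viaNginx));
console.log("password set:", authDecision(withPassword, "127.0.0.1", viaNginx));
```

In the first scenario the gateway never sees anything but its own loopback address, so the remote client is auto-approved: that is the exposure the page describes. Listing the proxy in `trustedProxies` lets the gateway read the forwarded client address and refuse it, while a configured password removes the local shortcut altogether, which is why the page recommends either setting. Two caveats a practitioner should keep in mind: a proxy that is trusted but does not set `X-Forwarded-For` still looks local (the last case in the function), and a trusted-proxy list does nothing against a client that reaches the listener directly, so the password is the more robust of the two.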

Key takeaway

If you’ve hired a digital butler to manage your life, you might want to check if he’s currently handing out your house keys to every passerby on the street. It turns out that even “AI experts” are remarkably good at leaving their most sensitive secrets in world-readable files while running everything as root—because who needs security when you have convenience? My recommendation: stop assuming your shiny new AI tools are secure just because they have a “cryptographic protocol” and actually try locking the door before a stranger starts eating your digital soul. Or don’t, and keep providing us with high-quality cautionary tales; the internet thanks you for your service.

Sources