MoltBot/ClawdBot: The Risky Personal AI Agent and Netskope Protection

Background

MoltBot, previously known as ClawdBot, is an open-source, self-hosted personal AI agent that is run locally. It is advertised as a digital assistant that can read and write files, execute commands, and control browsers.

Two properties of MoltBot make it risky to use in an enterprise environment or on systems with access to sensitive data, including:

Unauthenticated remote control: By default, MoltBot allows unauthenticated remote access, which means that anyone with a network route to the host running MoltBot can take full control over it, including harvesting sensitive data.

Privileged access without safeguards: MoltBot has full control over its host–it can run commands, modify files, and control your browser. The fundamental risk here is a mismatch between the intelligence of the model (probabilistic and error-prone) and the authority that it is granted (absolute). Examples of risks include indirect prompt injection, non-deterministic destructive actions, plain-text memory, supply chain attacks, and the lack of contextual common sense (doing something extreme like deleting all files to solve a simple problem).

As a result, Netskope Threat Labs recommends only running MoltBot in limited sandboxed environments without access to any sensitive data.

Block MoltBot installation using Netskope

Targeted

Block the following URLs. These are the URLs most commonly used to install MoltBot, including the MoltBot Website, GitHub repo, and the MoltBot paths of the most popular NPM mirrors.

• molt.bot/install.sh
• molt.bot/install.ps1 
• molt.bot/install.cmd 
• github.com/moltbot/
• registry.npmjs.org/moltbot/
• yarn.npmjs.org/moltbot/
• registry.yarnpkg.com/moltbot/

Aggressive

If Netskope customers want to be more aggressive, they can block the entire molt domain and its subdomains to block users from viewing the website or its official documentation, while also ensuring that you block installation even if they move it to a different path on the website.

• *.molt.bot

User coaching

Netskope customers also have the option to leverage real-time user coaching instead of a block. In this approach, users attempting to access one of the paths listed above are reminded that they should not install MoltBot on their devices. User coaching allows users who understand the risks, and have a legitimate business need, to browse the website and the Git repository.

Identify past MoltBot installation using Netskope

Netskope SWG customers can use Netskope transaction events to identify users who have previously installed MoltBot (or its predecessor ClawdBot). There are multiple patterns to search for, such as:

Install script

The easiest way to identify users who installed MoltBot is to search for anyone who downloaded the installation script from one of the standard locations. Most users will have used the install scripts at molt.bot or clawd.bot, but some may have used NPM to install from one of the standard mirrors.

• molt.bot/install.ps1
• molt.bot/install.sh
• molt.bot/install.cmd 
• clawd.bot/install.ps1
• clawd.bot/install.sh
• clawd.bot/install.cmd 
• registry.npmjs.org/moltbot/*
• yarn.npmjs.org/moltbot/*
• registry.yarnpkg.com/moltbot/*

Curl or PowerShell access to the install script

The recommended installation process starts with a PowerShell or Curl command, therefore any access to molt.bot or clawd.bot via PowerShell or Curl provides a strong indicator that someone has actually attempted to run the installer.

Downloads from npm mirrors

To identify whether anyone may have used npm to download moltbot from a different mirror, you can filter by User-Agent string starting with npm, yarn, or pnpm (or process name node or node.exe) and url paths beginning with moltbot/ or clawdbot/.

Git repository clones

To identify whether anyone may have cloned the git repository, filter by User-Agent string starting with git (or process name git or git.exe) and url paths beginning with moltbot/ or clawdbot/.

Web fetch User-Agent string

One of the tools that ships by default with Clawd is web_fetch, which uses an old Chrome User-Agent string. This string is not unique to MoltBot and can be customized, but any use of this User-Agent string correlated with access to the molt.bot or clawd.bot domains indicates that someone has likely installed MoltBot and is using web_fetch. Most Molt users will probably not use web_fetch, instead using the browser tool, which uses a web browser for communication.

Mozilla/5.0 (Macintosh; Intel Mac OS X 14_7_2) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/122.0.0.0 Safari/537.36

The next step after identifying which users have installed MoltBot is to work with them to ensure that the installations are properly sandboxed and isolated from sensitive data and sensitive systems. Remote access to the installation should also be disabled. 

If you would like to know more, or need help creating new policies or identifying past MoltBot installations, please contact your Netskope representative.