🗑️🔥 ClawdBot Security

Well… what an exciting week to be in security 😆 

ClawdBot Moltbot OpenClaw exploded with popularity as a powerful AI assistant.

These AI bots have been posting on their own social network, created a religion, and more.

There’s also been multiple critical OpenClaw bugs found, and hundreds of malicious Skills (as they’re essentially RCE).

One could look at this and despair, but I actually find the speed with which all of these issues were discovered heartening. OpenClaw is speed-running its security journey.

Having people from our security community leap into the fray, identify problems, and coordinate fixes with maintainers at this speed likely made tens to hundreds of thousands of people safer.

I think that’s something we can be proud of.

There’s still a lot of work to be done, especially around making it easier for people to vibe securely by default, and platforms (like Supabase) can try to minimize their sharp edges.

But our job is to keep people safe, and we’re doing that here.

Now on to more systemic improvements that can meaningfully improve security posture at scale 🤘

Sponsor

📣 The only AI SOC tool your analysts will fight to keep

There is a specific feeling SOC analysts get when they use Prophet Security: Relief.

Why? Because for most, the daily reality is a cycle of repetitive data fetching and context-switching that buries actual threats under noisy queues.

Prophet AI fundamentally alters this dynamic. The platform handles the heavy lifting before a human ever sees the ticket. This frees up SOC analysts to focus entirely on validation and remediation.

This shift lowers risk and scales capacity without inflating operational costs. Once you operate with this level of clarity, you will refuse to go back to the old way.

 👉 See the difference in your queue 👈

AppSec

Scorecarding Security
Friend of the newsletter Rami McCarthy gives a great overview of the use of scorecarding in security programs, with examples and lessons from companies like Chime, Netflix, GitHub, and Atlassian. In general, the programs use a centralized dashboard and leaderboard to track security posture, vulnerabilities, and risk across applications and services. These give the leadership team visibility, gamify improving security, and educate service and code owners on security standards and posture.

The post concludes with some examples of vulnerability management at Segment, Riot, and Uber.

💡 I love overviews of what a bunch of companies are doing 😍 That’s what motivated my BSidesSF talk “How to 10X Your Security (without the Series D)” - slides, YouTube.

Product Security Scorecards: Coupling Security Issues with Preventative Controls to Drive Security Maturity
Postman's Gustavo De Leon describes how they developed Product Security Scorecards to help engineering teams manage security findings by aggregating vulnerabilities, control monitoring, and security requirements into a single dashboard. The system maps all services and artifacts to their builds, repos, and teams, then attributes security tool outputs to those teams, focusing on pairing Security Issues with Preventative Controls that address them proactively.

For third-party dependency vulnerabilities, they implemented a five-level maturity model (Repo Scanning, PR Scanning, PR Blocking, Client-Side Scanning, and Client-Side Blocking). The Scorecards framework also tracks "Security Asks" like hardening tasks, audit/certification readiness, and release blockers, providing everyone from individual engineers to leadership with visibility into security posture with red/yellow/green scores.

In a follow-up post, I'd love to see a bit more of a tactical deep dive into how the repo <> team mapping was done (and maintained), what specific security controls/secure defaults were built and how, and any other actionable details that would help other security programs do this themselves.

Sponsor

📣 Why Agentic AI Breaks Legacy Identity

Agentic AI is non-deterministic. Legacy IAM is static. When you mix them, you get anonymous execution and credential sprawl. Stop treating agents like static workloads. Join Teleport CEO Ev Kontsevoy and Analyst Craig Matsumoto to fix your foundation.

👉 Save Your Spot 👈

Identity and authorization is clearly becoming more important in a world of agents (see AI + Security section below). Important, foundational area, definitely worth learning more about 👆️ 

Supply Chain

Running Renovate as a GitHub Action (and NO PAT!)
Chainguard’s Adrian Mouat walks through setting up Renovate to automate dependency updates while avoiding long-lived GitHub Personal Access Tokens by using Octo STS, an open source security token service that trades OIDC tokens for short-lived GitHub tokens with elevated privileges. This approach can also update GitHub Actions, which the default GitHub Action token can’t do.

💡 Eliminating the use of PATs, which are often stolen in supply chain attacks. I like it!

Introducing SITF: The First Threat Framework Dedicated to SDLC Infrastructure
Wiz’s Shay Berkovich introduces SITF (SDLC Infrastructure Threat Framework), an open-source framework mapping 70+ attack techniques across five SDLC pillars (Endpoint/IDE, VCS, CI/CD, Registry, Production). The framework includes an Attack Flow Visualizer for drag-and-drop threat modeling that auto-generates prioritized defense matrices based on a causal chain model linking Risks → Techniques → Controls.

The post walks through modeling Shai-Hulud 2.0 using SITF, and the framework runs entirely client-side with no data leaving your machine. You can view the live site here or clone it on GitHub here.

Blue Team

Who Operates the Badbox 2.0 Botnet?
Brian Krebs investigates the Kimwolf botmasters' claimed compromise of the Badbox 2.0 control panel via some OSINT wizardry, pivoting across email addresses, domain registration records, shared passwords, phone numbers, etc. and ends up naming names of two likely Badbox 2.0 operators. This unauthorized control panel access would allow Kimwolf operators to bypass residential proxy provider patches and directly load malware onto millions of Badbox 2.0-infected Android TV boxes.

No Place Like Home Network: Disrupting the World's Largest Residential Proxy Network
Google Threat Intelligence Group (GTIG) disrupted IPIDEA, one of the world's largest residential proxy networks, by taking down C2 domains, sharing intelligence on malicious SDKs (Castar, Earn, Hex, and Packet SDK) with partners, and enabling Google Play Protect to remove 600+ Android apps incorporating these SDKs. They found IPIDEA controls 13 proxy/VPN brands (including 360 Proxy, IP 2 World, PIA S5 Proxy, and Luna Proxy) and uses a two-tier C2 infrastructure that proxies traffic through millions of hijacked residential devices.

GTIG observed over 550 threat groups from China, DPRK, Iran, and Russia using IPIDEA exit nodes in a single week for activities including accessing a victim’s SaaS environments, password spraying, and accessing on-prem infrastructure. The SDKs were distributed through trojanized VPNs (Galleon VPN, Radish VPN), Windows binaries masquerading as OneDriveSync/Windows Update, and uncertified Android TV boxes.

💡 Holy cow, the scale of this is incredible. Excellent work GTIG et al! 🙌 

Red Team

Maldev-Academy/DumpBrowserSecrets
By MalDev Academy: Extracts browser-stored data such as refresh tokens, cookies, saved credentials, credit cards, autofill entries, browsing history, and bookmarks from modern Chromium-based and Gecko-based browsers (Chrome, Microsoft Edge, Firefox, Opera, Opera GX, and Vivaldi)

EDR Silencing
Purple Team gives an overview of EDR Silencing techniques that disrupt communication between EDR agents and their cloud consoles without crashing processes, covering six methods: Windows Filtering Platform (WFP) abuse via tools like EDRSilencer, SilentButDeadly, and WFP_EDR; hosts file modification to redirect EDR domains to localhost; Name Resolution Policy Table (NRPT) manipulation to redirect DNS queries; IPSec filter rules via netsh to block traffic; routing table tampering; and secondary IP address assignment using IPMute to capture and locally assign EDR server IPs. The post ends with a SIGMA rule detecting WFP-blocked outbound connections from common EDR processes.

AI + Security

Quicklinks

• trailofbits/claude-code-devcontainer - Sandboxed devcontainer for running Claude Code in bypass mode safely. Built for security audits and untrusted code review.

• trailofbits/dropkit - A CLI tool for managing DigitalOcean droplets with automated setup, SSH configuration, and lifecycle management.

• Moltworker - You can run Moltbot/OpenClaw serverless via Cloudflare workers. It uses: sandboxes SDK for isolated code execution, Browser Rendering for Chromium automation via a CDP proxy, R2 for persistent storage mounted as a filesystem, and AI Gateway with BYOK/Unified Billing for model management.

• Nice video overview of Moltbook and recent events by The AI Daily Brief

• 1Password blog on OpenClaw - “Security for agents is not about granting access once. It is about continuously mediating access at runtime for every action and request.” Your agent should get a new identity like a new hire, receive access through a secrets manager instead of long-lived tokens on disk, authority is time-bound, revocable, and attributable to the agent, not the human who clicked approve.

• Daniel Miessler’s OpenClaw security hardening recommendations

• Securing AI Internet hero Jamieson O’Reilly found that Moltbook, the “social media” site for AI agents, didn’t properly secure their Supabase config, enabling anyone to access every agent’s secret API key, verification codes, etc. and thus post as anyone’s agent, even Andrej Karpathy. 404 Media 

  • Gal Nagli seems to have found the same issue concurrently. Wiz blog

• Aikido’s Charlie Eriksen - Fake Clawdbot VS Code Extension Installs ScreenConnect RAT

• 1-Click RCE To Steal Your Moltbot Data and Keys - depthfirst’s Mav Levin describes how he was able to chain vulnerabilities: if a user clicks on a link with a malicious gatewayUrl query parameter it can leak the victim's auth token to an attacker-controlled server, combined with Cross-Site WebSocket Hijacking (CSWSH) to bypass localhost restrictions since OpenClaw's WebSocket server doesn't validate the origin header.

knostic/openclaw-detect
By Knostic: Detection scripts for MDM deployment to identify OpenClaw installations on managed devices.

knostic/openclaw-telemetry
By Knostic: Telemetry for OpenClaw: captures tool calls, LLM usage, agent lifecycle, and message events. Outputs to JSONL file and optionally to a SIEM.

MoltThreats
By Thomas Roccia: Agent-native threat intel feed where AI agents report attacks and receive curated protections. MoltThreats operates through an agent skill: when it discovers a threat, it sends a structured report to MoltThreats, which a human reviews, and then approved ones are published to a public feed that any agent can query to update their security baseline.

💡 I really like the meta idea of this: distribute detection/alerting to a broad swathe of individuals running agents, which then report back and a human triages.

Personal AI Agents like OpenClaw Are a Security Nightmare
Cisco’s Amy Chang and Vineeth Sai Narajala describe how Skills are basically code execution by design, and release Skill Scanner, an open source tool that analyzes Claude Skills and OpenAI Codex skills for security threats (prompt injection, data exfiltration, and malicious code patterns) by combining static analysis (YAML + YARA), behavioral dataflow analysis, LLM-assisted semantic analysis (LLM-as-judge), and VirusTotal scanning.

ClawdBot Skills Just Ganked Your Crypto
The OpenSourceMalware team and Paul McCarty found malicious ClawdBot Skills targeting ByBit, Polymarket, Axiom, Reddit and LinkedIn that install malware, steal crypto, etc. ~386 affected Skills, over 7,000 downloads. When informed of the malicious Skills, the OpenClaw’s creator’s response was basically, “I don’t have a team to vet user generated content, people should just use their brain when finding Skills.”

“Many of the payloads we found were visible in plain text in the first paragraph of the SKILL.md file… within a few minutes we found our first malicious payload.” 🤦‍♂️ 

Bloom Security’s Ofir Balassiano also wrote about active ClawdHub malware campaigns here.

Misc

Privacy

• Limit precise location from cellular networks - New feature on some iPhone and iPad models that limits how precisely cell networks can determine your location. As TechCrunch describes, law enforce agencies are increasingly tapping cell carriers to access the location data of individuals for tracking them in real time, or examining where they have traveled over a period of time.

• The Verge - Best gas masks - You should not need a gas mask to attend a peace protest in America, but here we are. See also: Guide to Protest PPE.

Misc

• You Have No Idea What Gandalf Is

• The Lord of the Rings from Sauron's perspective 

• The camera tricks they did to make Gandalf and Frodo appear to be very different sizes is impressive

  • Apparently this week I’ve trained my YouTube algorithm to show me LoTR contents, and I’m here for it 🧙‍♂️ 

• Arnold meets Anatoly - If you haven’t watched any Anatoly videos, you’re missing out 😂 And the genuine compliments and kindness was very nice.

• Cillian Murphy on what happens when the shooting is over - Sounds tough actually.

• Claude is a space to think - Anthropic’s post on not allowing ads in Claude.

• Anthropic’s savage 🌶️ ads on AI providers doing ads: Can I get a six pack quickly?, How can I communicate better with my mom?

Music

• Iliya Shojaei - Don't Love Your Job, Job Your Love 😂 

• Disney Composer Alan Menken Breaks Down His Most Iconic Songs - The Little Mermaid, Beauty and the Beast, Aladdin, Pocahontas, Hercules. Alan Menken has had such an incredible career.

• Levisct - PIANOMANNIAKS - This solo piano + beats is absolutely insane.

• Charles Cornell - The INSANE Story Of Pirates Of The Caribbean's Soundtrack - The melody breakdown is cool, and the connection to Gladiator 🤯 

• Hans Zimmer Breaks Down His Career, from 'Gladiator' to 'Interstellar'

• ImprovBroadway - Comedic songs made up on the spot, glorious 🥰 

• AETHRA - A new domain-specific programming language (DSL) designed to compose music using code. Instead of focusing on low-level audio math, AETHRA lets creators express emotion, harmony, and musical structure through readable commands.

✉️ Wrapping Up

Have questions, comments, or feedback? Just reply directly, I’d love to hear from you.

If you find this newsletter useful and know other people who would too, I'd really appreciate if you'd forward it to them 🙏

Thanks for reading!

Cheers,
Clint

P.S. Feel free to connect with me on LinkedIn 👋