Written by: Jose Antonio Lanz

Translated by: Chopper, Foresight News

TL;DR:

• A trademark dispute has led to a chaotic situation for the popular AI application Clawdbot, resulting in a name change and account theft;
• In just a few minutes, the market value of the unrelated CLAWD token skyrocketed to $16 million, only to crash shortly after;
• Security researchers have discovered that multiple instances of Clawdbot are exposed to risks, with related account credentials also facing potential leaks.

A few days ago, Clawdbot was one of the hottest open-source projects on GitHub, garnering over 80,000 stars. This technically impressive tool allows users to run AI assistants locally through instant messaging applications like WhatsApp, Telegram, and Discord, with full system access.

Now, this project is not only forced to change its name due to legal issues but has also caught the attention of cryptocurrency scammers; a fake token using its name briefly surged to a market value of $16 million before plummeting, and the project has faced criticism for researchers discovering its gateway exposure and easily accessible account credentials.

The catalyst for this crisis was a trademark infringement claim from AI company Anthropic against Clawdbot founder Peter Steinberger. Many of Clawdbot's features are developed based on Anthropic's Claude model, and the company believes that "Clawd" is too similar to its "Claude" name. To be fair, this claim aligns with trademark law regulations.

However, this trademark dispute triggered a series of chain reactions that ultimately spiraled out of control.

Peter Steinberger tweeted, "Are there any GitHub staff in my Twitter followers? Can you help me recover my GitHub account? It was stolen by cryptocurrency scammers."

Peter Steinberger announced on Twitter that Clawdbot would be renamed Moltbot. Community users were quite accommodating about the name change, and the official project account stated, "The lobster core remains, just with a new shell."

Subsequently, Peter Steinberger initiated the name change for both his GitHub and Twitter accounts. But during the brief window of relinquishing the old account name and completing the registration of the new account name, cryptocurrency scammers seized the opportunity to steal both accounts.

The stolen accounts immediately began promoting a fake token called CLAWD based on Solana. Within just a few hours, speculative traders pushed the market value of this token above $16 million.

Some early investors claimed to have made a fortune, while Peter Steinberger publicly denied any association with the token. Soon after, the token's market value collapsed, resulting in significant losses for investors who bought in at the peak.

Peter Steinberger tweeted, "Everyone in the cryptocurrency circle, listen: stop messaging me, stop harassing me. I will never issue a token in my life; any project listing me as a token issuer is a scam. I will not charge any fees, and your actions are seriously harming the development of this project."

Peter Steinberger's refusal angered some in the cryptocurrency community. Some speculators believed that his public denial led to their losses, prompting a series of harassment actions against him. Peter Steinberger was not only accused of "betrayal" but also pressured to "take responsibility," and even faced joint pressure to endorse projects he had never heard of.

Ultimately, Peter Steinberger successfully recovered the stolen accounts. However, at the same time, security researchers discovered a serious issue: hundreds of Clawdbot instances had no authentication protection and were directly exposed to the public network. This means that the unsupervised permissions granted to this AI by users could easily be exploited by malicious actors.

According to Decrypt, AI developer Luis Catacora discovered through the Shodan search engine that the root of these issues was mostly due to novice users granting excessive permissions to the AI assistant. He stated, "I just checked on Shodan and found a large number of gateways on port 18789 exposed without any authentication. This means anyone can gain shell access to the server, automate browser operations, and even steal your API keys. Cloudflare Tunnel is free; these issues should not exist."

Jamieson O’Reilly, founder of the red-teaming company Dvuln, also found that identifying vulnerable servers was very easy. In an interview with The Register, he stated, "I manually checked several running instances, and 8 of them had no authentication set up at all, remaining completely open, while dozens more had partial protections but did not eliminate exposure risks."

What is the crux of this technical vulnerability? Clawdbot's authentication system automatically accepts connection requests from the local host, meaning users connecting to their own devices. Most users run this software through a reverse proxy, which causes all external connection requests to be recognized as coming from the local loopback address 127.0.0.1 and be automatically authorized, even if those requests actually come from an external network.

Blockchain security company SlowMist confirmed the existence of this vulnerability and issued a warning: the project has multiple code flaws that could lead to user credential theft and even allow malicious actors to execute remote code. Researchers also demonstrated various prompt injection attack methods, one of which, executed via email, tricked the AI instance into forwarding users' private information to the attacker within minutes.

"This is the consequence of rapid expansion without a security audit after the project became popular," wrote Abdulmuiz Adeyemo, a developer at the startup incubation platform FounderOS. "Behind the 'open development' model lies a dark side that no one wants to mention."

For AI enthusiasts and developers, the good news is that the project has not been doomed. Moltbot is essentially the same software as the previous Clawdbot, with high-quality code, and despite its continued popularity, this tool is not user-friendly for novices, which prevents large-scale misuse. Its actual application scenarios do exist, but it still lacks the conditions for mainstream user promotion, and those security issues remain unresolved.

Granting a self-hosted AI assistant server shell access, browser control, and credential management permissions creates numerous attack surfaces, and these attack surfaces are not considered by traditional security protection systems. The characteristics of such systems—local deployment, persistent memory, and proactive task execution—allow them to spread much faster than the adaptation speed of industry security protection systems.

Meanwhile, those cryptocurrency scammers remain lurking in the shadows, waiting for the next opportunity to create chaos.

免责声明：本文章仅代表作者个人观点，不代表本平台的立场和观点。本文章仅供信息分享，不构成对任何人的任何投资建议。用户与作者之间的任何争议，与本平台无关。如网页中刊载的文章或图片涉及侵权，请提供相关的权利证明和身份证明发送邮件到support@aicoin.com，本平台相关工作人员将会进行核查。