Deploying Moltbot (Formerly Clawdbot)
Would you be comfortable handing the keys to your identity kingdom over to a bot, one that might be exposed to the open internet?
[…]
Jamieson O’Reilly, founder of red-teaming company Dvuln, was among the first to draw attention to the issue, saying that he saw hundreds of Clawdbot instances exposed to the web, potentially leaking secrets.
[…]
“Of the instances I’ve examined manually, eight were open with no authentication at all and exposing full access to run commands and view configuration data,” he said. “The rest had varying levels of protection.
Within an hour of setting up MoltBot on my Mac, it had already built a fully featured kanban board where I could assign it tasks and track their state.
I have seen other stories that are even wilder. One user shared an anecdote about asking it to make a restaurant reservation, and when it realized it could not do it through OpenTable, it went and got its own AI voice software and just called the restaurant, then secured the reservation over the phone.
[…]
None of those are pre-programmed routines. They are dynamic behaviors born out of an agentic loop that takes a goal and improvises a plan, grabbing whatever tools it needs to execute. It can apply general world knowledge, specific skills, and near-perfect memory into organized action toward objectives you set, and, more sobering, objectives it decides to set for itself.
[…]
That combination is why it feels both like a glimpse at the future and like a goal, where between us and the future realized is a lot of hard work to make it safe.
Got a mac mini for clawdbot. Had a lot of fun setting this up today. Instead of access to my accounts, I gave it:
✅ its own apple account for messages
✅ its own gmail to sign up for stuff
✅ its own github to push code
I’m seeing lots of reports like this.
Everyone buying Mac minis for Clawdbot makes sense but like why did you not already have a Mac mini for AI stuff? Best fucking deal in computing fr.
Please don’t buy a Mac Mini, rather sponsor one of the many contributors of @clawdbot.
You can deploy this on Amazon’s Free Tier.
There are plenty of secure ways to run @clawdbot even on your local machine. Buying a new Mac mini shouldn’t even be an option (Mac studio I can still understand for local LLMs). Better to put that support into tokens or sponsoring the project.
Mysk:
I love buying new hardware as much as the next guy, but you don’t need to buy a Mac mini to try out @clawdbot
Use a virtual machine instead: @UTMapp is open source and supports macOS guests
With a VM you’d isolate clawdbot from your data on the host machine. I still wouldn’t trust LLMs and their providers to run through my data
You’d be one prompt-injection away from leaking all your passwords. Fun! 😬
While the internet was amused, it seems Anthropic wasn’t.
Clawdbot → Moltbot
Clawd → Molty
Same lobster soul, new shell. Anthropic asked us to change our name (trademark stuff), and honestly? “Molt” fits perfectly - it’s what lobsters do to grow.
Here’s the new Web site.
This is the story of how fast things fall apart when legal teams, hackers, and viral hype collide.
[…]
During the rename process, Steinberger made a critical mistake. He tried to rename the GitHub organization and X/Twitter handle simultaneously. In the gap between releasing the old name and claiming the new one, crypto scammers snatched both accounts in approximately 10 seconds.
Incredible story for so many reasons.
One thing that strikes me, I don't understand how so very many people can be technical enough to set this up yet have zero security awareness apparently. Maybe it's just me but I thought allow listing and data segregation were pretty basic.
Then again, I don't understand a lot of the modern internet personality who posts everything publicly and is keen to hand an AI keys to everything just to see what it can do.
Is this not the exact philosophy that brings about Skynet?
Only thing that makes this story nuttier is if someone asked moltbot to hijack itself and it did. Who knows, maybe that's next with one of these products.
Move fast and break self.
I think a lot of people assume things like this work great and don't actually have major security flaws... until something critical goes wrong and something is hijacked.
More generally, people often don't protect themselves until they experience a bad outcome. That's not universally true, but I've noticed it applies a lot more with tech.
Peter built this thing, and the Mac integration, yes? Can't imagine why he couldn't see the appeal of a Mac Mini dedicated to this thing. GUI apps, iMessage, primary iCloud, etc. and all running 24/7 headless. A Linux VM would certainly offer a lot, but not the complete feature set. But, yes, a macOS VM would be OK now (except there would be no MAS, of course). I didn't buy my Mac Mini for AI, but definitely for "server" duties, and although it's not as pleasant for FOSS software, it definitely has a lot to recommend it as a VM host for FOSS running in Linux plus the Mac sauce, including Arq for backup and SpamSieve for filtering with Mail.
Anyway. All the awful, terrible, very bad, no good things people predicted would happen if you just, like, expose an LLM agent to the Internet would happen, actually happened. That would appear to be the story here. I'd be lying if I said it wasn't insanely sexy, but it's also, quite obviously, profoundly stupid.