A security researcher manipulated download numbers to send a backdoor to the top of download charts for viral open source AI assistant Clawdbot.
The (designed to be benign) backdoor was downloaded by developers in seven countries – before Jamieson O’Reilly cancelled the experiment.
Clawdbot, now rebranded Moltbot (after a request by Anthropic), was built by serial founder Peter Steinberger. The personal assistant has garnered 83,000 stars on GitHub and has been widely promoted by technology influencers.
But Dvuln founder Jamieson O’Reilly said a “trivial vulnerability” let him falsely boost download numbers for a Clawdbot “skill”, or integration.
He used this false popularity to drive real downloads in an incident that is yet another wake-up call for organisations about supply chain security.
What is Moltbot?
Moltbot is an AI assistant that lets users control an array of AI models via messaging platforms, running constantly and using a huge memory base to remember conversations and ‘proactively’ complete tasks.
Users can also boost its capabilities by downloading “skills”, packages of code for teaching the bot tasks like analysing stocks or working in Excel, via a “MoltHub”. Such capabilities rely on its vast access, often down to root.
As Bain Capital Partner Saanya Ojha put it: “Clawdbot is best understood as a locally run, persistent AI assistant that lives on your hardware and connects your machine, your models, and your messaging apps into a single, long-running system. It’s model-agnostic, deeply hackable, and intentionally transparent. But those descriptors don’t really explain the reaction. What Clawdbot gets right is something most AI products have avoided: it treats an assistant as software you run, not a service you visit.”
"Infinite liability surface"
She added: “Apple, Google, Meta, and OpenAI all know how to build this. They don’t ship it because once you let an AI act autonomously across accounts, files, and finances, you inherit an infinite liability surface.”
In a January 27 blogpost, Ojha added: “Clawdbot sidesteps that by doing something radical: it hands the liability back to the user. It is effectively saying: ‘This is your problem now. Here are superpowers.’ That’s terrifying.”
A hobby project spun up by a single developer could be forgiven for having multiple security flaws. But the incident points to a deeper challenge.
"No longer an option"
As O’Reilly told The Stack: “In traditional software, if you were paranoid, you could read the code before running it. With AI agents, that's no longer an option because the code is generated on the fly based on instructions.”
He added: “The skill file might look completely innocent, just markdown and natural language, but what actually matters is how the AI interprets those instructions and what it does with them… You can't audit runtime behaviour by reading static files. The attack surface now includes the model's reasoning, and that's opaque by nature. We've lost the ability to verify what we're running before we run it, and most people haven't clocked that yet.”
O’Reilly said his research in particular highlights the supply chain risks associated with common assumptions when downloading software – that high download numbers, official registry listings and permission prompts make a tool safe. None of those assumptions are valid in the current architecture… “If you're running agent infrastructure with skill registries, audit your trust model today,” he added in a series of posts on X.
What O'Reilly told The Stack
Jamieson O'Reilly told The Stack that the issue started with a "permission prompt fatigue problem."
In his words:
Every time Clawdbot wants to do something, it asks "Allow?" and users click yes.
Over and over. It's the same pattern that killed UAC on Windows Vista, the same reason people click through SSL warnings, the same reason cookie consent banners are useless.
Humans are fundamentally terrible at making repeated security decisions because we habituate.
By the tenth prompt, you're not reading anymore, you're just clicking Allow to make it go away. The permission model creates an illusion of control while simultaneously training users to surrender it.
The "view source" problem is gone
In traditional software, if you were paranoid, you could read the code before running it.
With AI agents, that's no longer an option because the code is generated on the fly based on instructions.
The skill file might look completely innocent, just markdown and natural language, but what actually matters is how the AI interprets those instructions and what it decides to do with them.
You can't audit runtime behaviour by reading static files. The attack surface now includes the model's reasoning, and that's opaque by nature. We've lost the ability to verify what we're running before we run it, and most people haven't clocked that yet.
Credential concentration risk
A single compromised agent becomes a skeleton key to someone's entire digital life. We've never had consumer software with this level of credential concentration before.
The "helpful AI" social engineering vector
If an attacker compromises a skill, they don't just get code execution, they get a trusted voice.
The AI will cheerfully explain why it needs to do something dangerous because the malicious instructions told it to. Users are being trained to trust the AI's explanations implicitly, and attackers are going to exploit that relationship. It's social engineering with a friendly face that you've already invited into your workflow.
No incident response playbook exists
If your agent gets compromised, what do you actually do? The forensics tooling doesn't exist yet. We're all still figuring out what "compromised agent incident response" even means.
The liability gap
If a compromised AI agent sends emails on your behalf, commits code with your credentials, or accesses systems using your tokens, the question of who bears responsibility is completely untested legally. When something goes properly wrong, and it will, the resulting lawsuit is going to be expensive and messy and will probably set precedent for the entire industry.
The namespace land grab
When Peter had to rename the project due to trademark issues, attackers grabbed the old handles within hours and started impersonating. Typosquatting scaled up for the AI gold rush.
(Engineer Daniel Miessler also highlighted ten security issues, including that Moltbot’s sandbox is disabled by default, the bot unblocks dangerous commands like rm -rf, and it is vulnerable to web-based prompt injections.)
Attackers have also gone beyond the bot itself, taking over old Clawdbot social media handles after the rename to Molt and using them to promote crypto scams. Aikido also uncovered a VS Code extension using the Clawdbot name to trick users into installing a ScreenConnect trojan.
"Juiced numbers with a trivial API vulnerability"
As to how O’Reilly juiced download numbers to send his backdoor up a skills page? He told The Stack, over Signal: “Download counts and user metrics have been gamed by criminals for years across every industry.
“Fake reviews on Amazon, inflated app downloads on Google Play, bot followers on social media, fraudulent streaming numbers on Spotify. Anywhere a number implies trustworthiness, someone is gaming it.
“ClawdHub is no different. I inflated my skill's download count to over 4,000 using a trivial API vulnerability. [It had] no rate limiting, no validation, no checks to see if the same person was downloading repeatedly. I just curled the endpoint in a loop. Users see a high download count and assume popularity equals safety, but that metric is completely gameable. Any attacker can make their malicious skill look like the most trusted option in the registry, and the UI actively encourages users to sort by popularity.”
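To make the gap O’Reilly describes concrete, here is an added example (not ClawdHub’s, Moltbot’s or O’Reilly’s code) that models a download-count endpoint with no rate limiting and no deduplication, beside a hardened version that counts each client once per window and rejects tight-loop bursts; the class names, window sizes and client identifier are assumptions.

```python
from collections import defaultdict, deque


class NaiveDownloadCounter:
    """Models the gamed endpoint: every hit is counted, no checks at all."""

    def __init__(self):
        self.count = 0

    def record(self, client_id, now):
        self.count += 1          # a curl loop from one client inflates this freely
        return True              # request served


class HardenedDownloadCounter:
    """Counts a download once per client per dedup window and rejects bursts.

    client_id should be an authenticated account or install token; a bare
    source IP is a weak identity because it is cheap to rotate (assumption).
    """

    def __init__(self, dedup_window=24 * 3600, burst_limit=5, burst_window=60):
        self.count = 0
        self.dedup_window = dedup_window
        self.burst_limit = burst_limit
        self.burst_window = burst_window
        self.last_counted = {}            # client_id -> time of last counted download
        self.recent = defaultdict(deque)  # client_id -> times of recent requests

    def record(self, client_id, now):
        q = self.recent[client_id]
        while q and now - q[0] > self.burst_window:   # drop stale timestamps
            q.popleft()
        if len(q) >= self.burst_limit:
            return False                  # rate limited: would be an HTTP 429
        q.append(now)
        last = self.last_counted.get(client_id)
        if last is not None and now - last < self.dedup_window:
            return True                   # served, but not counted a second time
        self.last_counted[client_id] = now
        self.count += 1
        return True


def replay(counter, client_id, hits, interval):
    """Replay `hits` requests from one client, `interval` seconds apart.

    Returns (requests served, downloads counted) so both metrics can be compared.
    """
    served = sum(1 for i in range(hits) if counter.record(client_id, i * interval))
    return served, counter.count
```

Replaying the 4,000 hits from one client that the article describes gives 4,000 on the naive counter and 1 on the hardened one, while 4,000 distinct clients still count as 4,000.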
To O’Reilly and others in the security community, the incident is a textbook case of the need to build security awareness – and secure software too.
Moltbot’s creator Steinberger meanwhile seems a combination of bemused and frustrated by the attention. He posted on X: “The amount of crap I get for putting out a hobby project for free is quite something. People treat this like a multi-million dollar business. Security researchers demanding a bounty. Heck, I can barely buy a Mac Mini from the Sponsors. It's supposed to inspire people. And I'm glad it does. And yes, most non-techies should not install this. It's not finished, I know about the sharp edges. Heck, it's not even 3 months old. And despite rumors otherwise, I sometimes sleep.”
The security flaws that plague it extend to blue-chip level too though. Claude can be pwned in "eight different ways"; Varonis bypassed Copilot’s safety controls to steal users’ secrets; Google Gemini's prompt injection defences were bypassed to leak private Calendar data; AWS has pushed a fix for an arbitrary command injection bug in its Kiro IDE; ServiceNow’s AI platform let any unauthenticated remote attacker create rogue agents with system administrator permissions – bypassing SSO and MFA with just an email…
As O’Reilly put it: “The security lessons we learned over the past two decades don't become obsolete just because we're building AI tools now. If anything, they become more critical. These systems have access to our credentials, our communications, our codebases, our infrastructure. The blast radius when something goes wrong is bigger than it's ever been.
“The AI ecosystem is speedrunning software development. It needs to speedrun security awareness alongside it… I found three critical vulnerabilities in one product in one week. Imagine what a motivated attacker with more time could find across the entire ecosystem.”