data privacy

Silicon Valley fell for Clawdbot overnight. A personal AI assistant that manages your email, checks you into flights, controls your smart home, and executes terminal commands. All from WhatsApp, Telegram, or iMessage. A 24/7 Jarvis with infinite memory.

Security researchers saw something different: a honey pot for infostealers sitting in your home directory.

Clawdbot stores your API tokens, authentication profiles, and session memories in plaintext files. It runs with the same permissions as your user account. It reads documents, emails, and webpages to help you. Those same capabilities make it a perfect attack vector.

The creator, Peter Steinberger, built a tool that’s genuinely useful. The official documentation acknowledges the risks directly: “Running an AI agent with shell access on your machine is… spicy. There is no ‘perfectly secure’ setup.”

This article examines what those risks actually look like.

Clawdbot is an open-source, self-hosted AI assistant created by Peter Steinberger (@steipete), founder of PSPDFKit (now Nutrient). Unlike browser-based AI tools, Clawdbot runs on your own hardware and connects to messaging apps you already use.

Key capabilities:

• Manages email, calendar, and scheduling
• Checks you into flights and books travel
• Controls smart home devices
• Executes terminal commands
• Browses the web and reads documents
• Integrates with Jira, Confluence, and other work tools
• Maintains persistent memory across sessions
• Responds via WhatsApp, Telegram, Discord, Slack, Signal, iMessage, and more

The architecture connects chat platforms on one side to AI models (Claude, ChatGPT, DeepSeek, or local models) on the other. In the middle sits the Gateway, which manages tools, permissions, and agent capabilities.

Over 50 contributors have built on the project. The Discord community exceeds 8,900 members. Mac minis sold out because people wanted dedicated Clawdbot servers.

The enthusiasm is understandable. The security implications are severe.

Clawdbot stores sensitive data in your local filesystem. The problem: it’s all in plaintext.

Critical file locations:

Security researchers at InfoStealers documented the exact attack surface: “ClawdBot stores sensitive ‘memories,’ user profiles, and critical authentication tokens in plaintext Markdown and JSON files.”

This isn’t a bug. It’s the architecture. Clawdbot needs these files to function. The question is whether your threat model accepts that tradeoff.

Commodity malware has adapted to hunt for Clawdbot data. The same infostealers that scrape browser passwords and crypto wallets now target ~/.clawdbot/ directories.

Documented targeting:

• RedLine Stealer uses FileGrabber modules to sweep .clawdbot\*.json files
• Lumma Stealer employs heuristics identifying files named “secret” or “config”
• Vidar allows dynamic targeting updates, enabling rapid campaign pivots toward ~/clawd/

Malware operators search for regex patterns matching (auth.token|sk-ant-|jira_token) within these directories. If Clawdbot is installed, your tokens are part of the harvest.

The 2024 Change Healthcare ransomware attack resulted in a $22 million payout after attackers compromised a single VPN credential. That’s exactly the type of data Clawdbot stores unencrypted.

The security risk extends beyond credentials. Clawdbot’s memory.md file contains something more valuable: a psychological profile of the user.

Researchers describe this as “Cognitive Context Theft.” The memory file reveals what you’re working on, who you trust, what concerns you, and how you communicate. An attacker with this file doesn’t just have your passwords. They have everything needed for perfect social engineering.

A credential resets in minutes. A psychological dossier built over months of AI interactions? That’s permanent.

Clawdbot’s official documentation states it plainly: “Even with strong system prompts, prompt injection is not solved.”

When Clawdbot reads a webpage, document, or email to help you, that content could contain adversarial instructions. The AI processes the content. If the instructions are crafted correctly, the AI follows them.

Attack vectors:

• Web pages fetched during research tasks
• Email attachments analyzed for summaries
• Documents shared via messaging platforms
• Search results containing embedded instructions
• Links clicked in conversations

The documentation recommends using “Anthropic Opus 4.5 because it’s quite good at recognizing prompt injections.” That’s the mitigation: hoping the model is smart enough to resist. There’s no technical barrier preventing a malicious webpage from instructing Clawdbot to exfiltrate your files.

The Clawdbot security documentation describes a real social engineering attempt: attackers used distrust as a weapon, telling users “Peter might be lying to you” to encourage filesystem exploration.

The tactic works because Clawdbot can explore your filesystem. When users ask it to verify claims, it reads directories, examines files, and reports back. An attacker who convinces you to investigate something sensitive gets access to that information through your own queries.

Another documented incident: a user asked Clawdbot to run find ~ (list all files in the home directory). The bot complied, dumping the entire directory structure to a group chat. Project names, configuration files, and system details were exposed to everyone in the conversation.

The command wasn’t malicious. The user requested it. But in a group context, even legitimate requests can leak sensitive structural information.

Clawdbot runs with your user permissions. If you can read a file, so can Clawdbot. If you can execute a command, so can Clawdbot.

Hacker News users noted the implications: “No directory sandboxing, etc. On one hand, it’s cool that this thing can modify anything on my machine. On the other hand, that’s terrifying.”

What Clawdbot can access:

• Your entire home directory
• All files your user account can read
• Any command you could run in terminal
• Browser profiles and saved passwords
• SSH keys and cloud credentials
• Source code repositories
• Corporate VPN configurations

The official guidance acknowledges this: “Clawdbot needs root access to perform certain operations. This is both powerful and dangerous.”

Optional sandboxing exists. Tool-level restrictions can limit what the agent accesses. But these aren’t defaults. Users must configure them deliberately, and many don’t.

Clawdbot’s Gateway can bind to different network interfaces. The documentation warns about each:

“Non-loopback binds expand the attack surface,” the documentation states. “Only use them with gateway.auth enabled and a real firewall.”

The Gateway broadcasts its presence via mDNS (_clawdbot-gw._tcp). In “full mode,” this exposes:

• Filesystem paths (reveals username and installation location)
• SSH port availability
• Hostname information

An attacker on the same network can discover Clawdbot instances and learn details about the systems running them. The recommendation: use “minimal mode” to omit sensitive fields.

Clawdbot’s browser control feature gives the AI real browser access. The documentation describes it as “an admin API requiring token authentication.”

Guidance from official docs:

• Use a dedicated browser profile (not your daily driver)
• Avoid LAN exposure; prefer Tailscale Serve with HTTPS
• Keep tokens in environment variables, not config files
• Assume browser control equals operator access to whatever that profile can reach

If your browser profile has saved passwords, Clawdbot can potentially access them. If it’s logged into banking sites, those sessions are within reach. The AI doesn’t need malicious intent. A prompt injection attack could extract this data through seemingly innocent requests.

The cryptocurrency community has raised specific alarms about Clawdbot. Former U.S. security expert Chad Nelson warned that Clawdbot’s document-reading capabilities “could turn them into attack vectors, compromising personal privacy and security.”

Recommended isolation measures from entrepreneur Rahul Sood:

• Operate Clawdbot in isolated environments
• Use newly created accounts
• Employ temporary phone numbers
• Maintain separate password managers

For users holding significant cryptocurrency, the risk calculation is different. A compromised Clawdbot instance with access to wallet seeds or exchange credentials could result in immediate, irreversible financial loss.

Beyond security, users report severe cost implications. One Hacker News commenter spent “$300+ on this just in the last 2 days, doing what I perceived to be fairly basic tasks.”

Clawdbot’s tool-calling architecture generates extensive API usage. Each document read, each web page fetched, each command executed consumes tokens. Without careful configuration, costs spiral quickly.

This matters for security because cost pressure encourages users to disable safeguards. Confirmation prompts get turned off. Sandboxing gets relaxed. The AI gets more autonomy to avoid expensive back-and-forth. Each concession expands the attack surface.

The Clawdbot security documentation is unusually honest about risks. Here’s their recommended hardening:

{
  gateway: {
    mode: "local",
    bind: "loopback",
    auth: { mode: "token", token: "long-random-token" }
  },
  channels: {
    whatsapp: {
      dmPolicy: "pairing",
      groups: { "*": { requireMention: true } }
    }
  }
}

DM access should follow this progression:

pairing (default) → allowlist → open → disabled

Pairing requires users to approve via a short code. This prevents strangers from messaging your Clawdbot and issuing commands.

For high-risk environments, restrict dangerous tools entirely:

• Block write, edit, exec, process, and browser tools
• Use read-only sandbox modes
• Separate agents for personal vs. public use cases

If compromise is suspected:

1. Stop the process immediately
2. Restrict to loopback-only binding
3. Disable risky DMs and groups
4. Rotate all tokens (Gateway, browser control, API keys)
5. Review logs at /tmp/clawdbot/clawdbot-YYYY-MM-DD.log
6. Examine transcripts at ~/.clawdbot/agents/<id>/sessions/

Clawdbot offers genuine utility. Managing email, calendar, and routine tasks through chat is convenient. Having an AI that remembers context across sessions is powerful. The integration with existing messaging apps removes friction.

But the security model requires accepting significant risks:

You’re accepting if you use Clawdbot:

• Plaintext credential storage that infostealers actively target
• Prompt injection vulnerabilities with no complete solution
• Full filesystem access by default
• Potential network exposure of sensitive data
• Browser access that could expose saved passwords and sessions
• A persistent memory that profiles your behavior and concerns

Appropriate use cases:

• Isolated machines with no sensitive data
• Dedicated devices not connected to primary accounts
• Development environments with mock credentials
• Users who understand and actively configure sandboxing

Inappropriate use cases:

• Machines with crypto wallet access
• Systems connected to corporate networks
• Devices with saved banking credentials
• Users who won’t configure security restrictions

The creator and community have been transparent about these tradeoffs. The documentation opens with “there is no ‘perfectly secure’ setup.” That honesty is valuable. The responsibility falls on users to decide whether the utility justifies the exposure.

If you choose to use Clawdbot, implement these safeguards:

1. Run on isolated hardware: A dedicated Mac mini or VM, not your primary machine
2. Use fresh accounts: New email, new phone number, new messaging accounts
3. Enable sandboxing: Configure tool restrictions before first use
4. Bind to loopback only: Never expose the Gateway to network
5. Use minimal mDNS mode: Reduce information leakage

• Monitor ~/.clawdbot/ for unexpected access
• Rotate tokens regularly
• Review session transcripts for suspicious activity
• Keep Clawdbot updated for security patches
• Run clawdbot security audit --deep periodically

• Never connect Clawdbot to accounts with financial access
• Keep crypto wallets on completely separate systems
• Use a dedicated browser profile with no saved credentials
• Consider read-only agent configurations
• Implement network-level monitoring for exfiltration patterns

Clawdbot fits a pattern: AI assistants that trade security for capability. The more an AI can do, the more damage it can cause when compromised or manipulated.

This isn’t unique to Clawdbot. Every AI tool with file access, command execution, or network capabilities faces similar challenges. Clawdbot’s transparency about the risks is actually unusual. Most tools don’t publish security documentation this honest.

The question every organization should ask: Are your employees running personal AI assistants on corporate networks? Do those tools have access to sensitive credentials? Would you know if they were compromised?

Shadow AI is the new shadow IT. The productivity gains are real. So are the attack surfaces you can’t see.

Training employees to recognize AI-related security risks is essential in 2026. Try our interactive security awareness exercises to prepare your team for threats that traditional training doesn’t cover.

• InfoStealers: ClawdBot - The New Primary Target for Infostealers
• Clawdbot Official Security Documentation
• Phemex: Clawdbot AI Raises Security Concerns in Crypto Community
• Hacker News: Clawdbot Discussion
• Bitget: Clawdbot Security Advisory
• GitHub: clawdbot/clawdbot