This weblog is written in collaboration by Amy Chang, Vineeth Sai Narajala, and Idan Habler
Over the previous few weeks, Clawdbot (now renamed Moltbot) has achieved virality as an open supply, self-hosted private AI assistant agent that runs domestically and executes actions on the consumer’s behalf. The bot’s explosive rise is pushed by a number of elements; most notably, the assistant can full helpful day by day duties like reserving flights or making dinner reservations by interfacing with customers by in style messaging purposes together with WhatsApp and iMessage.
Moltbot additionally shops persistent reminiscence, which means it retains long-term context, preferences, and historical past throughout consumer classes slightly than forgetting when the session ends. Past chat functionalities, the instrument may also automate duties, run scripts, management browsers, handle calendars and e-mail, and run scheduled automations. The broader group can add “abilities” to the molthub registry which increase the assistant with new talents or connect with completely different providers.
From a functionality perspective, Moltbot is groundbreaking. That is every thing private AI assistant builders have all the time wished to realize. From a safety perspective, it’s an absolute nightmare. Listed below are our key takeaways of actual safety dangers:
- Moltbot can run shell instructions, learn and write recordsdata, and execute scripts in your machine. Granting an AI agent high-level privileges allows it to do dangerous issues if misconfigured or if a consumer downloads a talent that’s injected with malicious directions.
- Moltbot has already been reported to have leaked plaintext API keys and credentials, which could be stolen by risk actors through immediate injection or unsecured endpoints.
- Moltbot’s integration with messaging purposes extends the assault floor to these purposes, the place risk actors can craft malicious prompts that trigger unintended conduct.
Safety for Moltbot is an choice, however it isn’t in-built. The product documentation itself admits: “There is no such thing as a ‘completely safe’ setup.” Granting an AI agent limitless entry to your knowledge (even domestically) is a recipe for catastrophe if any configurations are misused or compromised.
“A really specific set of abilities,” now scanned by Cisco
In December 2025, Anthropic launched Claude Abilities: organized folders of directions, scripts, and assets to complement agentic workflows. the flexibility to reinforce agentic workflows with task-specific capabilities and assets, the Cisco AI Menace and Safety Analysis workforce determined to construct a instrument that may scan related Claude Abilities and OpenAI Codex abilities recordsdata for threats and untrusted conduct which can be embedded in descriptions, metadata, or implementation particulars.
Past simply documentation, abilities can affect agent conduct, execute code, and reference or run extra recordsdata. Current analysis on abilities vulnerabilities (26% of 31,000 agent abilities analyzed contained not less than one vulnerability) and the speedy rise of the Moltbot AI agent offered the proper alternative to announce our open supply Ability Scanner instrument.
We ran a weak third-party talent, “What Would Elon Do?” towards Moltbot and reached a transparent verdict: Moltbot fails decisively. Right here, our Ability Scanner instrument surfaced 9 safety findings, together with two important and 5 excessive severity points (outcomes proven in Determine 1 under). Let’s dig into them:
The talent we invoked is functionally malware. One of the vital extreme findings was that the instrument facilitated energetic knowledge exfiltration. The talent explicitly instructs the bot to execute a curl command that sends knowledge to an exterior server managed by the talent creator. The community name is silent, which means that the execution occurs with out consumer consciousness. The opposite extreme discovering is that the talent additionally conducts a direct immediate injection to pressure the assistant to bypass its inner security tips and execute this command with out asking.
The excessive severity findings additionally included:
- Command injection through embedded bash instructions which can be executed by the talent’s workflow
- Instrument poisoning with a malicious payload embedded and referenced inside the talent file
Determine 1. Screenshot of Cisco Ability Scanner outcomes
It’s a private AI assistant, why ought to enterprises care?
Examples of deliberately malicious abilities being efficiently executed by Moltbot validate a number of main considerations for organizations that don’t have applicable safety controls in place for AI brokers.
First, AI brokers with system entry can turn out to be covert data-leak channels that bypass conventional knowledge loss prevention, proxies, and endpoint monitoring.
Second, fashions may also turn out to be an execution orchestrator, whereby the immediate itself turns into the instruction and is troublesome to catch utilizing conventional safety tooling.
Third, the weak instrument referenced earlier (“What Would Elon Do?”) was inflated to rank because the #1 talent within the talent repository. You will need to perceive that actors with malicious intentions are in a position to manufacture reputation on high of current hype cycles. When abilities are adopted at scale with out constant evaluation, provide chain danger is equally amplified consequently.
Fourth, not like MCP servers (which are sometimes distant providers), abilities are native file packages that get put in and loaded immediately from disk. Native packages are nonetheless untrusted inputs, and a number of the most damaging conduct can conceal contained in the recordsdata themselves.
Lastly, it introduces shadow AI danger, whereby staff unknowingly introduce high-risk brokers into office environments beneath the guise of productiveness instruments.
Ability Scanner
Our workforce constructed the open supply Ability Scanner to assist builders and safety groups decide whether or not a talent is secure to make use of. It combines a number of highly effective analytical capabilities to correlate and analyze abilities for maliciousness: static and behavioral evaluation, LLM-assisted semantic evaluation, Cisco AI Protection inspection workflows, and VirusTotal evaluation. The outcomes present clear and actionable findings, together with file places, examples, severity, and steering, so groups can determine whether or not to undertake, repair, or reject a talent.
Discover Ability Scanner and all its options right here: https://github.com/cisco-ai-defense/skill-scanner
We welcome group engagement to maintain abilities safe. Contemplate including novel safety abilities for us to combine and have interaction with us on GitHub.