1-Click RCE to steal your Moltbot data and keys

One bad click and your AI butler spills secrets — 'told you so' vs 'we sandboxed'

TLDR: A researcher demonstrated a one-click hack that could hijack OpenClaw and expose your messages and keys. Commenters split between “we warned you,” hosted defenders claiming sandbox safety, and skeptics asking why anyone hands an AI the “keys to the kingdom,” highlighting real risks of AI agents controlling your stuff.

OpenClaw, the open‑source “AI butler” formerly known as Moltbot, just got hit with the nightmare headline: a researcher chained bugs into a one‑click hack that could swipe your access token and let someone rummage through your messages and keys. Translation for normals: click a bad link, and your robot assistant might spill your secrets. The kicker? For many users this thing runs with god‑mode permissions, from chat apps to their own computer.

The comments section lit up like a server rack on fire. One camp rolled their eyes: dotancohen shrugged that this was old news, basically saying “we saw this coming.” Another camp went full doomsday. mentalgear called the whole idea of letting an agent tap every account a “security nightmare,” and bmit’s existential sigh — “keys to the kingdom” — became the meme of the thread. On defense, clawsyndicate insisted the hosted version is wrapped in a sandbox (think a digital playpen) and treats every app like it’s hostile, so attackers can’t reach the real machine. Cue the debate: sandbox bragging rights vs. the harsh reality that most people run it locally. Meanwhile, overgard asked the awkward question: do busy pros actually trust an AI to act on their behalf? The vibe: spicy, anxious, and sprinkled with jokes about giving your AI the house keys and hoping it doesn’t invite burglars.

Key Points

  • OpenClaw (formerly Moltbot/ClawdBot) contains a critical logic flaw enabling token leakage via a crafted URL.
  • depthfirst General Security Intelligence identified the logic issue; the author combined it with another flaw to build a 1-click RCE exploit.
  • The chain: a gatewayUrl query parameter is persisted, connectGateway() runs immediately, and the authToken is sent in the handshake to the attacker-controlled gateway.
  • An attacker can capture the auth token over WebSocket and access the victim’s OpenClaw instance, including sensitive data and actions.
  • The token leak on its own gives limited reach (no localhost access, no sandbox bypass, no arbitrary code execution), but the author claims to have achieved 1-click RCE and begins to explain bypassing the localhost restriction.
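The chain in the key points turns on a single design choice: a gateway URL taken from the page's query string is trusted enough to be persisted and to receive the auth token on connect. The JavaScript below is an added illustration for this digest, not OpenClaw's code and not the researcher's; every name in it (weakResolveGateway, validateGatewayUrl, hardenedResolveGateway, the default port, the example hosts) is hypothetical. It places the weak pattern next to a hardened one that parses the candidate, accepts only ws/wss to loopback or an operator-configured allowlist, refuses embedded credentials, and persists nothing until the user confirms the change.

```javascript
// Added example, not OpenClaw's code: handling a gateway URL that arrives as a
// query parameter. All names, the default port and the hosts are hypothetical.

const DEFAULT_GATEWAY = "ws://127.0.0.1:18789/"; // constructed default, canonical form
const LOOPBACK_HOSTS = new Set(["localhost", "127.0.0.1", "[::1]"]);

// Weak pattern, as the write-up describes the chain: read gatewayUrl from the
// query string, persist it unchecked, and let the caller connect to it and send
// the auth token in the handshake straight away.
function weakResolveGateway(pageUrl, storage) {
  const candidate = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (candidate) storage.gatewayUrl = candidate; // persisted without validation
  return storage.gatewayUrl || DEFAULT_GATEWAY;
}

// Validation step of the hardened pattern. Returns a verdict object instead of
// throwing so the caller can log the reason a candidate was refused.
function validateGatewayUrl(candidate, allowedOrigins = []) {
  let parsed;
  try {
    parsed = new URL(candidate);
  } catch {
    return { ok: false, reason: "unparseable" };
  }
  if (parsed.protocol !== "ws:" && parsed.protocol !== "wss:") {
    return { ok: false, reason: "scheme" };
  }
  if (parsed.username || parsed.password) {
    return { ok: false, reason: "credentials-in-url" };
  }
  const isLoopback = LOOPBACK_HOSTS.has(parsed.hostname);
  const isAllowlisted = allowedOrigins.includes(parsed.origin);
  if (!isLoopback && !isAllowlisted) {
    return { ok: false, reason: "origin-not-allowed" };
  }
  return { ok: true, url: parsed.href }; // href is the canonical form (trailing slash added)
}

// Hardened pattern: nothing from the query string is persisted or connected to
// until it passes validation and the user explicitly confirms the change.
// `confirm` stands in for a UI prompt; it defaults to refusing.
function hardenedResolveGateway(pageUrl, storage, { allowedOrigins = [], confirm = () => false } = {}) {
  const current = storage.gatewayUrl || DEFAULT_GATEWAY;
  const candidate = new URL(pageUrl).searchParams.get("gatewayUrl");
  if (candidate === null) return { url: current, rejected: null };

  const verdict = validateGatewayUrl(candidate, allowedOrigins);
  if (!verdict.ok) return { url: current, rejected: verdict.reason };
  if (verdict.url === current) return { url: current, rejected: null };
  if (!confirm(verdict.url)) return { url: current, rejected: "not-confirmed" };

  storage.gatewayUrl = verdict.url; // persisted only after validation and confirmation
  return { url: verdict.url, rejected: null };
}

// Constructed sample link carrying an off-host gateway, the shape the described chain relies on.
const SAMPLE_LINK = "https://ui.example/?gatewayUrl=wss://untrusted.example/gw";

// Runs both patterns against the sample link so the difference is visible side by side.
function demo() {
  const weakStore = {};
  const hardStore = {};
  return {
    weak: weakResolveGateway(SAMPLE_LINK, weakStore),
    hardened: hardenedResolveGateway(SAMPLE_LINK, hardStore),
    hardStoreUntouched: hardStore.gatewayUrl === undefined,
  };
}

console.log(JSON.stringify(demo(), null, 2));
```

The point of the verdict object rather than a boolean is operational: a rejected gatewayUrl is exactly the event a defender wants in a log, with its reason, so a campaign of crafted links shows up as a cluster of "origin-not-allowed" rejections rather than as silent fallbacks.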

Hottest takes

"there is nothing novel here" — dotancohen
"we run the hosted platform in gVisor… we treat every container as hostile" — clawsyndicate
"security nightmare… attractive for criminal networks" — mentalgear

Made with <3 by @siedrix and @shesho from CDMX. Powered by Forge&Hive.