1-Click RCE to steal your Moltbot data and keys

2/1/2026 at 9:26:03 PM

I rushed out nono.sh (the opposite of yolo!) in response to this and its already negated a few gateway attacks.

It uses kernel-level security primitives (Landlock on Linux, Seatbelt on macOS) to create sandboxes where unauthorized operations are structurally impossible. API keys are also stored in apples secure enclave (or the kernel keyring in linux) , and injected at run time and zeroized from memory after use. There is also some blocking of destructive actions (rm -rf ~/)

its as simple to run as: nono run --profile openclaw -- openclaw gateway

You can also use it to sandbox things like npm install:

nono run --allow node_modules --allow-file package.json package.lock npm install pkg

Its early in, there will be bugs! PR's welcome and all that!

https://nono.sh

by decodebytes

2/1/2026 at 9:34:46 PM

Heads up that your url is wrong. Should be https://nono.sh

by stijnveken

2/1/2026 at 9:40:30 PM

lol thanks! seriously, I have been running the tool over and over while testing and I kept typing 'nano' and opening binaries in the text editor. Next minute I swearing my head off trying to close nano (and not vim!)

by decodebytes

2/1/2026 at 10:08:47 PM

Obviously I'm biased but this looks really useful.

by hedgehog

2/1/2026 at 9:29:37 PM

Is this better than using sandbox-exec (on mac) directly?

by krackers

2/1/2026 at 9:41:37 PM

Hmm, I don't know about better, more convenient I guess. But if it floats your boat you could write out everything in the sb format and call sandbox_exec()!

by decodebytes

2/2/2026 at 12:38:42 AM

Why not use containers (eg. Podman) with secrets management?

by Wuzado

2/1/2026 at 9:21:41 PM

I'm curious, outside of AI enthusiasts have people found value with using Clawdbot, and if so, what are they doing with it? From my perspective it seems like the people legitimately busy enough that they actually need an AI assistant are also people with enough responsibilities that they have to be very careful about letting something act on their behalf with minimal supervision. It seems like that sort of person could probably afford to hire an administrative assistant anyway (a trustworthy one), or if it's for work they probably already have one.

On the other hand, the people most inclined to hand over access to everything to this bot also strike me as people without a lot to lose? I don't want to make an unfair characterization or anything, it just strikes me that handing over the keys to your entire life/identity is a lot more palatable if you don't have much to lose anyway?

Am I missing something?

by overgard

2/1/2026 at 10:39:49 PM

From my perspective, not everybody is busy but they are using AI to remove the load from them.

You might think: But that is great right??

I had a chat with a friend also in IT, ChatGPT and alike is the one doing all the "brain part and execution" in most cases. Entire workflows are done by AI tools, he just presses a button in some cases.

People forget that our brain needs stimulation, if you don't use it, you forget things and it gets dumber. Watch the next generation of engineers that are very good at using AI but are unable to do troubleshooting on their own.

Look at what happened with ChatGPT4 -> 5, companies workflows worldwide stopped working setting companies back by months.

Do you wanna a real world example???

Watch people who spent their entire lives within an university getting all sort of qualification but never really touched the real deal unable to do anything.

Sure, there are the smarter ones who would put things to the test and found awesome job, but many are jobless because all they did is "press a button", they are just like the AI enthusiasts, remove such tools and they can no longer work.

by h4kunamata

2/2/2026 at 11:44:35 AM

Yeah, the scary problem comes from people who are trying to abdicate their entire understand-and-decide phase to an outside entity.

What's more, that's not fundamentally a new thing, it's always been possible for someone to helplessly cling to another human as their brain... but we've typically considered that to be a sign of either mental-disorder, psychological abuse, or a fool about to be parted from their money.

by Terr_

2/1/2026 at 9:28:35 PM

There's some good discussion here: https://news.ycombinator.com/item?id=46838946

by lxgr

2/1/2026 at 9:34:24 PM

The whole premise of this thing seems to be that it has access to your email, web browser, messaging, and so on. That's what makes it, in theory, useful.

The prompt injection possibilities are incredibly obvious... the entire world has write access to your agent.

???????

by mh2266

2/1/2026 at 11:41:14 PM

What you are missing: now people finally have a Siri that actually works.

by amelius

2/2/2026 at 2:22:52 AM

I guess that's one reason. If I'm perfectly honest I always turn Siri off because I don't trust Siri either; but that's less of a "malicious actors" thing and more of a "it doesn't work well thing". Although to be honest, outside of driving in a car I don't really want a voice interface. With a lot of things I feel like I need to overspecify it if I have to do it verbally. Like "play this song, but play it from my spotify Liked playlist so that when the song is over it transitions to something I want" (I've never tried that since I figure siri can't do it -- just an example)

by overgard

2/1/2026 at 9:27:07 PM

Does it matter? Let them cook and get burned if they want to.

by jondwillis

2/1/2026 at 9:31:56 PM

[dead]

by hahuhs

2/1/2026 at 9:48:58 PM

It is very much fun! Chaotic and definitely dangerous but a fun little experiment of the boundaries.

It’s definitely not it it’s final form but it’s showing potential.

by Trufa

2/2/2026 at 2:25:45 AM

I can see how it could be fun, but I'm a bit skeptical that it's a practical path forward. The security problems it has (prompt injection for example) don't seem solvable with LLMs in general

by overgard

2/1/2026 at 10:13:33 PM

I'm working in AI, but I'd have made this anyway: Molty is my language learning accountability buddy. It crawls the web with a sandboxed subagent to find me interesting stuff to read in French and Japanese. It makes Anki flashcards for me. And it wraps it up by quizzing me on the day's reading in the evening.

All this is running on a cheap VPS, where the worst it has access to is the LLM and Discord API keys and AnkiWeb login.

by voxgen

2/1/2026 at 9:18:50 PM

Moltbot is a security nightmare, especially it's premise (tap into all your data sources) and the rapid uptake by inexperienced users makes it especially attractive for criminal networks.

by mentalgear

2/1/2026 at 9:53:30 PM

We'll all have a good laugh when looking back at this in a few years.

by g947o

2/1/2026 at 10:13:14 PM

Any customers of products built on this stuff, who have their SSNs, numbers, and other PII leaked will not be laughing. But hey, who cares about them?

by catlifeonmars

2/1/2026 at 9:40:31 PM

Yes, there are already several criminal networks operating on it (transparently). I guess some consider this a feature.

by avaer

2/1/2026 at 9:43:57 PM

How do you know this? Not disagreeing, just curious.

by cal85

2/1/2026 at 9:47:29 PM

The links have been posted to HN if you search.

https://moltroad.com/ comes to mind. The "top rated" on there describes itself as "trading in neural contraband".

That's in addition to all of the actual hijacking hacks that have been going on.

I'm not saying any of this is successful, but people are certainly trying.

by avaer

2/1/2026 at 10:38:06 PM

I am officially at the age where I'm unable to "get with the times". What am I looking at with moltroad.com?

by FreePalestine1

2/2/2026 at 3:34:03 AM

This just looks like a slop website full of auto-generated garbage. “Neural contraband” is meaningless

by jrflowers

2/1/2026 at 9:38:34 PM

It's like a bank decided to open its systems to a bunch of students it hired off Fiverr.

by chrisjj

2/1/2026 at 9:40:06 PM

[dead]

by jungfty

2/1/2026 at 9:28:38 PM

Things like this are why I don't use AI agents like moltbot/openclaw. Security is just out the window with these things. It's like the last 50 years never happened.

by ethin

2/1/2026 at 9:45:12 PM

No need to look back 50 years, people already forgot 2021 crypto security lapses that collectively cost billions. Or maybe the target audience here just doesn't care.

by avaer

2/1/2026 at 10:24:50 PM

It's not perfect but it does have a few opt-in security features: running all tools in a docker container with minimal mounts, requiring approvals for exec commands, specifying tools on an agent by agent basis so that the web agent can't see files and the files agent can't see the web, etc.

That said, I still don't trust it and have it quarantined in a VPS. It's still surprisingly useful even though it doesn't have access to anything that I value. Tell it to do something and it'll find a way!

by voxgen

2/2/2026 at 1:53:58 AM

If you hire a real person to be your assistant you lose security too.

by charcircuit

2/1/2026 at 9:07:44 PM

The real problem is that there is nothing novel here. Variants of this type of attack were clear from the beginning.

by dotancohen

2/1/2026 at 9:26:43 PM

What I would have expected is prompt injection or other methods to get the agent to do something its user doesn't want it to, not regular "classical" attacks.

At least currently, I don't think we have good ways of preventing the former, but the latter should be possible to avoid.

by lxgr

2/1/2026 at 9:34:04 PM

They are easy to avoid if you actually give a damn. Unfortunately, people who create these things don't, assuming they even know what even half of these attacks are in the first place. They just want to pump out something now now now and the mindset is "we'll figure out all the problems later, I want my cake now now now now!" Maximum velocity! Full throttle!

It's just as bad as a lot of the vibe-coders I've seen. I literally saw this vibe-coder who created an app without even knowing what they wanted to create (as in, what it would do), and the AI they were using to vibe-code literally handwrote a PE parser to load DLLs instead of using LoadLibrary or delay loading. Which, really, is the natural consequence of giving someone access to software engineering tools when they don't know the first thing about it. Is that gatekeeping of a sort? Maybe, but I'd rather have that then "anyone can write software, and oh by the way this app reimplements wcslen in Rust because the vibe-coder had no idea what they were even doing".

by ethin

2/1/2026 at 9:42:43 PM

> "we'll figure out all the problems later, I want my cake now now now now!" Maximum velocity! Full throttle!

That is indeed the point. Moltbot reminds me a lot of the demon core experiment(s): Laughably reckless in hindsight, but ultimately also an artifact of a time of massive scientific progress.

> Is that gatekeeping of a sort? Maybe, but I'd rather have that

Serious question: What do you gain from people not being able to vibe code?

by lxgr

2/1/2026 at 9:48:42 PM

Not who you're responding to, but I'm not a huge fan of vibe coding for 2 reasons: I don't want to use crappy software, and I don't want to inherit crappy software.

by hugey010

2/1/2026 at 10:08:29 PM

Same, but I've both used and inherited crappy software long before LLMs and agents were a thing.

I suppose it's going to be harder to identify obvious slop at a first glance, but fundamentally, what changes?

by lxgr

2/1/2026 at 9:42:46 PM

> They just want to pump out something now now now

Some people actually fell for "move fast and break things".

by chrisjj

2/1/2026 at 9:45:49 PM

I think with the advent of the AI gold rush, this is exactly the mentality that has proliferated throughout new AI startups.

Just ship anything and everything as fast as possible because all that matters is growth at all costs. Security is hard and it takes time, diligence, and effort and investors aren't going to be looking at the metric of "days without security incident" when flinging cash into your dumpster fire.

by ejcho

2/1/2026 at 9:41:16 PM

> At least currently, I don't think we have good ways of preventing the former, but the latter should be possible to avoid.

Here's the thing. People who don't see a problem with the former obviously have no interest in addressing the latter.

by chrisjj

2/1/2026 at 11:56:17 PM

Apart from the actual exploit, it is intriguing to see how a security researcher can leverage an AI tool to give them an asymmetric advantage to the actual developers of the code. Devs are pretty focused on their own subsystem and it would take serendipity or a ton of experience to be able to spot such patterns.

Thinking about this more .. given all the AI generated code being put into production these days (I routinely see posts of anthropic and others boast how much code is being written by AI). I can see it being much, much harder to review all the code being written by AIs. It makes a lot of sense to use an AI system to find vulnerabilities that humans don't have time to catch.

by brutus1213

2/2/2026 at 12:14:29 AM

By your logic, it would be really easy for the code creator to run an agent to find and fix exploits in their own code.

by mortsnort

2/2/2026 at 12:56:26 AM

Looking at their website, depthfirst seems to offer an product that essentially solves this problem.

by bmit

2/2/2026 at 5:38:40 AM

Seems like a space that is really heating up. I recall most of the foundational labs announced some kind of agentic security product last year (OpenAI's Aardvark, Claude Code security reviewer, etc.)

by ejcho

2/1/2026 at 9:33:25 PM

what worries me here is that the entire personal AI agent product category is built on the premise of “connect me to all your data + give me execution.” At that point, the question isn’t “did they patch this RCE,” it’s more about what does a secure autonomous agent deployment even look like when its main feature is broad authority over all of someone's connected data?

Is the only real answer sandboxing + zero trust + treating agents as hostile by default? Or is this category fundamentally incompatible with least privilege?

yikes

by vulnwrecker5000

2/1/2026 at 9:37:26 PM

> “did they patch this RCE,”

no, they documented it

https://docs.openclaw.ai/gateway/security#node-execution-sys...

by mh2266

2/1/2026 at 10:10:35 PM

So that's shifting the responsibility to users. And likely many users tools don't understand what those words mean.

All these companies/projects break decades of our security practice and sell you AI browser, AI agent for... I don't know what?

by g947o

2/1/2026 at 11:10:07 PM

"productivity and optimization of your life" i guess? lol

by vulnwrecker5000

2/1/2026 at 11:09:21 PM

yeah fair, but “documented” isn’t really a mitigation... most people are gonna run defaults, so defaults basically are the security model imo

by vulnwrecker5000

2/1/2026 at 11:27:14 PM

I'm not saying that "well we stated that our tool is designed as an RCE exploit" is, uh, better

by mh2266

2/1/2026 at 11:48:34 PM

haha fair "we've designed a fully exploitable agent and we can't wait to share it with the world" :')

by vulnwrecker5000

2/1/2026 at 9:36:34 PM

We need more Windows' "Are you sure you want XXX to make changes to your computer? (no I can't tell you what changes, but trust me.)"

/i

by chrisjj

2/1/2026 at 11:11:11 PM

haha yea “are you sure?” doesn’t work when the agent’s action space is huge and incredibly opaque

by vulnwrecker5000

2/1/2026 at 11:30:37 PM

The true "AI" agent fan probably is sure, though.

by chrisjj

2/1/2026 at 11:52:50 PM

maybe personal AI agents are just a massive psyop to get the massive population of true fans' data then lol - or we just get new security tools that can keep up with this pace of AI innovation. who knows

by vulnwrecker5000

2/2/2026 at 9:16:50 PM

The "AI" agent suppliers need to up their security game. Until their products stop leaking PPI/PCI for free, they will never succeed in monetising it.

:)

by chrisjj

2/1/2026 at 9:23:30 PM

So many people are giving keys to the kingdom to this thing. What is happening with humanity?

by bmit

2/1/2026 at 9:30:37 PM

Humanity is the same it's always been. Some people are just inherently curious despite the obvious dangers.

Also, if you think about it, billions of people aren't running Moltbot at all.

by lxgr

2/2/2026 at 12:55:50 AM

X is full of people including Karpathy, Jason C and others boasting about this.

by bmit

2/2/2026 at 3:09:05 AM

Presumably one of these high profile people will eventually get pwned if the risks really are that high.

by hyperadvanced

2/1/2026 at 9:33:58 PM

[dead]

by hahuhs

2/1/2026 at 9:40:12 PM

do people even care about security anymore? I'll bet many consumers wouldn't even think twice about just giving full access to this thing (or any other flavor of the month AI agent product)

by ejcho

2/1/2026 at 9:25:28 PM

Thank you for doing this. I'm shocked that more people aren't thinking about security with respect to AI.

by nsm100

2/1/2026 at 9:42:00 PM

People are thinking about it. I'm just not sure if the intersect between people who use OpenClaw/Moltbook is very high.

by avaer

2/1/2026 at 9:31:45 PM

This isn't even AI security, as far as I can tell: It looks like regular old computer security to me.

by lxgr

2/1/2026 at 10:15:49 PM

In the old days we just call that arbitrary code execution.

And these AI people just act as if that's never a problem.

by g947o

2/1/2026 at 11:09:51 PM

If running Moltbot makes me an “AI person”, you just met one that thinks that it is one.

by lxgr

2/2/2026 at 1:02:19 AM

"AI people" in the comment was not referring to end users.

by g947o

2/1/2026 at 9:15:33 PM

[dead]

by clawsyndicate

2/1/2026 at 9:59:32 PM

You sound like the confident techie character in a Michael Crichton novel pronouncing "We've thought of everything there's no way for the demon to escape" shortly before the demon escapes.

by hughw

2/1/2026 at 10:47:20 PM

He spared no expense.

by optimalsolver

2/1/2026 at 9:46:41 PM

So... what use is an agent that cannot reach out of its trap?

by chrisjj

2/1/2026 at 9:21:40 PM

that response is not comforting

by electroglyph

2/2/2026 at 12:50:17 AM

What I find really amazing is that the same ones who kept saying that cars were/are wasteful and that kept making fun of cryptocurrencies and complaining about the high energy usage to mine Bitcoin are now head first spending $$$ on the most energy intensive endeavour the human race ever invented: AI.

I mean: there are literally people spending $200 and more per month to have their personal, a bit schizophrenic, assistant engage moreover in conspicuous consumption for them.

Now as to my take on it: I think energy, when it comes to 8 billion humans, is basically infinite so I think it's only a matter of converting enough of that energy that either is or reaches our planet into a usable form. So I don't mind energy consumption.

But it'd be nice if could we at least have those who use AI not being hypocrites and stop criticizing Bitcoin mining and ICE cars? (by ICE I mean "Internal Combustion Engine" in case you thought I was talking about other kind of cars)

From now on you're only allowed to criticize ICE cars and Bitcoin mining if you don't use AI.

by TacticalCoder