Moltbot Operators Leak Credentials via Exposed mDNS

Moltbot, the open-source framework for distributed automation and agent orchestration hosted at github.com/openclaw, has gained traction for building autonomous systems.

But a scan of public networks shows operators routinely exposing sensitive details through misconfigured multicast DNS (mDNS) announcements.

These leaks reveal hostnames, ports, paths, and even credentials from messaging apps, often leading straight to accessible control panels.

Security researchers using tools like Modat Magnify identified 1,487 Moltbot instances answering mDNS queries on UDP port 5353.

mDNS is meant for link-local discovery, and the multicast traffic itself does not cross routers. What turns it into a reconnaissance goldmine is a responder listening on every interface, including one bridged to the public internet, and answering unicast queries on UDP 5353 from anyone who asks. Attackers don’t need to scan ports or guess endpoints. Moltbot nodes announce themselves.

mDNS Leaks: The First Giveaway

mDNS records from Moltbot gateways spill specifics that map out entire deployments. Captures show entries like:

_moltbot._tcp.local PTR Clawdbot-Gateway-XYZ._moltbot._tcp.local
Clawdbot-Gateway-XYZ._moltbot._tcp.local TXT (
  "path=/opt/clawdbot/bin/clawd"
  "port=18789"
  "ssh=2222"
  "role=gateway"
  "lan4=192.168.1.100"
  "lan6=fd00::1"
)

This isn’t just service names. It includes full hostnames (e.g., “Clawdbot-Gateway-XYZ”), the default Clawdbot Control port (18789), SSH ports, internal paths to executables, and local IP addresses in both IPv4 and IPv6.
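To make the record format concrete, here is a small query-and-decode script added for this article; it is not Moltbot or Clawdbot project code. It builds the same PTR question that mdns-scan or dns-sd would send for _moltbot._tcp.local, decodes PTR and TXT answers (including DNS name compression), and pulls out the TXT keys that map a deployment. The sample packet inside build_sample_response() is constructed from the capture above, not recorded traffic; query_lan() sends the real query on your own LAN, which doubles as the self-audit suggested at the end of the article.

```python
"""Query and decode the _moltbot._tcp.local announcement (added example, not project code).
Wire format is plain DNS (RFC 1035) carried over UDP 5353 (RFC 6762)."""
import socket
import struct

MDNS_GROUP, MDNS_PORT = "224.0.0.251", 5353
SERVICE = "_moltbot._tcp.local"
TYPE_A, TYPE_PTR, TYPE_TXT, TYPE_SRV = 1, 12, 16, 33
# TXT keys from the capture that map the deployment; "role" alone gives little away.
SENSITIVE_KEYS = {"path", "port", "ssh", "lan4", "lan6"}

def encode_name(name):
    """DNS label encoding: <len><label>... terminated by a zero byte."""
    return b"".join(bytes([len(l)]) + l.encode() for l in name.strip(".").split(".")) + b"\x00"

def build_query(service=SERVICE):
    """One PTR question; class 0x8001 sets the QU bit so responders reply to us by unicast."""
    return struct.pack("!HHHHHH", 0, 0, 1, 0, 0, 0) + encode_name(service) + struct.pack("!HH", TYPE_PTR, 0x8001)

def read_name(msg, off):
    """Decode a name, following 0xC0 compression pointers; return (name, offset after it)."""
    labels, end, jumped = [], None, False
    while True:
        n = msg[off]
        if n & 0xC0 == 0xC0:                       # pointer to an earlier copy of the name
            if not jumped:
                end = off + 2
            off, jumped = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF, True
            continue
        off += 1
        if n == 0:
            break
        labels.append(msg[off:off + n].decode("ascii", "replace"))
        off += n
    return ".".join(labels), end if jumped else off

def parse_txt(rdata):
    """TXT RDATA is a run of <len><bytes> strings; mDNS uses each as a key=value pair."""
    kv, i = {}, 0
    while i < len(rdata):
        n = rdata[i]
        key, _, val = rdata[i + 1:i + 1 + n].decode("utf-8", "replace").partition("=")
        kv[key] = val
        i += 1 + n
    return kv

def parse_response(msg):
    """Return [(owner name, type, decoded data)] for every resource record in the message."""
    _, _, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):                            # skip any echoed questions
        _, off = read_name(msg, off)
        off += 4
    records = []
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _, _, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata = msg[off:off + rdlen]
        if rtype == TYPE_PTR:
            data, _ = read_name(msg, off)          # may itself be compressed
        elif rtype == TYPE_TXT:
            data = parse_txt(rdata)
        elif rtype == TYPE_SRV:
            target, _ = read_name(msg, off + 6)
            data = {"port": struct.unpack("!H", rdata[4:6])[0], "target": target}
        elif rtype == TYPE_A:
            data = socket.inet_ntoa(rdata)
        else:
            data = rdata
        records.append((name, rtype, data))
        off += rdlen
    return records

def leaked_fields(records):
    """Map each announced instance to the TXT keys that give away paths, ports and LAN addresses."""
    return {name: {k: v for k, v in data.items() if k in SENSITIVE_KEYS}
            for name, rtype, data in records if rtype == TYPE_TXT}

def build_sample_response():
    """Constructed answer mirroring the capture above (PTR + TXT, TXT owner name compressed)."""
    inst = "Clawdbot-Gateway-XYZ." + SERVICE
    txt = b"".join(bytes([len(s)]) + s.encode() for s in (
        "path=/opt/clawdbot/bin/clawd", "port=18789", "ssh=2222",
        "role=gateway", "lan4=192.168.1.100", "lan6=fd00::1"))
    header = struct.pack("!HHHHHH", 0, 0x8400, 0, 2, 0, 0)  # response, authoritative, 2 answers
    ptr_rr = encode_name(SERVICE) + struct.pack("!HHIH", TYPE_PTR, 0x8001, 4500, len(encode_name(inst))) + encode_name(inst)
    inst_off = len(header) + len(encode_name(SERVICE)) + 10   # offset of the instance name in PTR RDATA
    txt_rr = struct.pack("!H", 0xC000 | inst_off) + struct.pack("!HHIH", TYPE_TXT, 0x8001, 4500, len(txt)) + txt
    return header + ptr_rr + txt_rr

def query_lan(timeout=2.0):
    """Send the PTR query to the multicast group and decode every unicast reply."""
    sock = socket.socket(socket.AF_INET, socket.SOCK_DGRAM)
    sock.setsockopt(socket.IPPROTO_IP, socket.IP_MULTICAST_TTL, 1)
    sock.settimeout(timeout)
    sock.sendto(build_query(), (MDNS_GROUP, MDNS_PORT))
    replies = []
    try:
        while True:
            data, (src, _) = sock.recvfrom(9000)
            replies.append((src, parse_response(data)))
    except socket.timeout:
        pass
    finally:
        sock.close()
    return replies

if __name__ == "__main__":
    print(leaked_fields(parse_response(build_sample_response())))  # offline demo on the constructed packet
    for src, recs in query_lan():                                     # live check on your own LAN
        print(src, leaked_fields(recs))
```

Anything listed under a host by leaked_fields() is what a stranger on the same segment (or on the internet, if the daemon answers on a public interface) learns for free: the executable path, the control and SSH ports, and both LAN addresses.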

[Figure: Map of Global Moltbot (Clawdbot) mDNS Exposure]

On shared networks (think hotel Wi-Fi or co-working spaces), this hands attackers a blueprint for lateral movement.

Scans covered 53 countries, with the heaviest clusters in the US (42%), followed by Germany (11%), the UK (8%), and India (6%). Hosting skewed toward cloud providers: DigitalOcean (38%), AWS (22%), OVH (12%), and smaller VPS outfits.

Not every mDNS hit led to a live panel. For each of the 1,487 announcements, researchers probed TCP port 18789 and the announced variants.

Only 88 web interfaces responded publicly as of January 28, 2026, and 66 had both mDNS and panels exposed simultaneously.

Ports varied widely; 18789 dominated (72%), but others, such as 8080, 3000, and 8443, also appeared, suggesting custom setups without consistent hardening.

Web Panels: From Local to Internet-Exposed

[Figure: Web Panel Exposure]

Modat Magnify pulled 635 live Clawdbot Control panels over HTTP.

These matched the mDNS map: US-heavy, cloud-dominated. Port diversity confirmed sloppy configs; one honeypot even mimicked 25 ports, a sign that threat actors are already hunting for these panels.

Panels ran stock Clawdbot interfaces, often with defaults: no auth on some, weak passwords on others. Banner grabbing confirmed versions tied to openclaw repos like “lobster” (workflow shell, 330 stars) and “clawdbot-ansible” (automated installs, 142 stars).

Open Directories: Credential Goldmine

[Figure: Example of Exposed Open Directory]

The real damage came from open directory listings on these hosts. HTTP probes for “/moltbot”, “/clawdbot”, and common paths uncovered unprotected folders.

Several hosts spilled artifacts from Signal, Telegram, and WhatsApp, including identity keys, registration secrets, and pairing QR codes. With these, an attacker can fully impersonate the agent on those channels.

One directory listed:

  • signal-identity-key
  • telegram-session.json (with auth tokens)
  • whatsapp-qr.png
  • moltbot-logs.tar.gz (operational traces)

Logs included API keys, prompt histories, and tool configs from Moltbot’s “skills” repo. No exploitation needed; curl the URL, grab the files.

IP Address    | Port  | Service                  | Exposed Data                         | AS Provider  | Location | Notes
167.99.XX.45  | 18789 | Clawdbot Control         | Web panel, no auth                   | DigitalOcean | US (NY)  | mDNS leaks hostname “claw-01”
142.93.XX.112 | 8080  | HTTP Directory           | Signal keys, logs                    | DigitalOcean | UK       | Open /clawdbot/files/
18.XX.45.201  | 18789 | Clawdbot Control         | Default login exposed                | AWS          | US (VA)  | mDNS + panel match
51.XX.89.34   | 3000  | Clawdbot Gateway         | Telegram session files               | OVH          | France   | Honeypot-like multi-port
192.XX.12.78  | 8443  | HTTPS (self-signed)      | WhatsApp QR codes, ansible playbooks | Hetzner      | Germany  | Weak TLS, open dir
159.65.XX.201 | 18789 | Clawdbot Control         | Lobster workflow configs             | DigitalOcean | Canada   | 330+ stars repo fingerprints
34.XX.67.123  | 2222  | SSH (announced via mDNS) | Banner: Clawdbot-Ansible             | Google Cloud | US (CA)  | Paired with panel exposure

Table notes: IPs partially masked for this report; full list available via Modat Magnify.

All entries were confirmed as Moltbot instances via fingerprints such as “Clawdbot-Gateway” in mDNS TXT records or the /opt/clawdbot path.

Research Method and Scope

Researchers tackled three questions:

  1. mDNS Discoverability: How much do Moltbot nodes leak locally? Answer: Everything from paths to IPs, across 1,487 hits.
  2. Panel Correlation: Do mDNS finds match internet-facing controls? Answer: 88/1,487 panels live; 66 dual-exposed.
  3. Artifact Risks: What sensitive data sits in misconfigs? Answer: Messaging credentials topping the list.

Enumeration used Modat Magnify for mDNS sweeps (UDP 5353), followed by TCP connects on announced ports. HTTP checks targeted Clawdbot banners, then directory fuzzing (/admin, /files, /logs, /moltbot). No logins attempted; exposure was passive.

Geodata came from MaxMind; ASNs from BGP tools. Scans ran January 25-28, 2026, from ethical vantage points.

Technical Breakdown: Why This Happens

Moltbot (from openclaw) builds on Clawdbot components, such as Ansible playbooks, for quick deploys.

The “clawdbot-ansible” repo (57 forks) automates installs with Tailscale VPN, UFW, and Docker but never restricts which interfaces Avahi listens on. Avahi’s default (an empty allow-interfaces) covers every interface, so if eth0 faces the internet the daemon answers mDNS queries arriving from it.

Web panels default to port 18789 without auth middleware. Open directories stem from nginx/Apache aliases such as location /clawdbot { alias /opt/clawdbot/; autoindex on; } left enabled, which publishes the entire install tree, credentials included, as a browsable listing.

Messaging leaks trace to agent “skills”. Moltbot bots use Signal/Telegram for C2-like comms. QR codes and sessions land in /tmp or /var/lib, and are symlinked to the web roots during deploys.

Fixes are straightforward:

  • Restrict mDNS: in /etc/avahi/avahi-daemon.conf, under [server], set allow-interfaces=lo (which effectively disables discovery) or, if LAN discovery is still wanted, list only the LAN interface. Either way, drop inbound UDP 5353 on the public interface.
  • Firewall port 18789: with UFW’s default deny-incoming policy in place, add a single allow rule from the VPN range only.
  • Auth panels: add basic auth in nginx or use Clawdbot’s built-in tokens, and switch autoindex off.
  • Scrub dirs: remove messaging artifacts after deploy (e.g. rm -rf /opt/clawdbot/files/*signal*) or deny them via .htaccess; better still, serve a dedicated web root rather than the install tree so symlinked session files can never land under it.
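The four fixes above as one post-deploy playbook, written for this article as an added example; it is not from the clawdbot-ansible repo or any openclaw project. It assumes Debian/Ubuntu hosts on which avahi-daemon, nginx and ufw are already installed, an inventory group named moltbot_gateways, eth0 as the public-facing interface and eth1 as the LAN interface, Tailscale as the VPN (100.64.0.0/10 is the range Tailscale assigns), an htpasswd file already present at /etc/nginx/.clawdbot_htpasswd, and that the nginx snippet it writes is included from inside the existing server block. Every one of those names and paths is an assumption to adapt.

```yaml
# harden-moltbot.yml (added example; assumptions listed in the lead-in)
- name: Harden a Moltbot/Clawdbot gateway after deploy
  hosts: moltbot_gateways
  become: true
  vars:
    public_iface: eth0          # assumption: internet-facing NIC
    lan_iface: eth1             # assumption: NIC where mDNS discovery is actually wanted
    vpn_cidr: 100.64.0.0/10     # Tailscale address range
    control_port: 18789         # default Clawdbot Control port from the article
    clawdbot_root: /opt/clawdbot
  tasks:
    - name: Limit Avahi to the LAN interface (allow-interfaces=lo would disable discovery outright)
      ansible.builtin.lineinfile:
        path: /etc/avahi/avahi-daemon.conf
        regexp: '^#?allow-interfaces='
        line: "allow-interfaces={{ lan_iface }}"
        insertafter: '^\[server\]'
      notify: restart avahi

    - name: Default-deny inbound so only explicit allows get through
      community.general.ufw:
        state: enabled
        direction: incoming
        policy: deny

    - name: Drop unicast mDNS queries arriving on the public interface
      community.general.ufw:
        rule: deny
        direction: in
        interface: "{{ public_iface }}"
        port: "5353"
        proto: udp

    - name: Allow the control panel from the VPN range only
      community.general.ufw:
        rule: allow
        from_ip: "{{ vpn_cidr }}"
        port: "{{ control_port }}"
        proto: tcp

    - name: Serve /clawdbot from a dedicated web root, no listing, behind basic auth
      ansible.builtin.copy:
        dest: /etc/nginx/snippets/clawdbot.conf   # include this from inside the existing server {} block
        mode: "0644"
        content: |
          # leaky original: location /clawdbot { alias /opt/clawdbot/; autoindex on; }
          location /clawdbot/ {
              alias {{ clawdbot_root }}/www/;      # never the install tree itself
              autoindex off;
              auth_basic "Clawdbot Control";
              auth_basic_user_file /etc/nginx/.clawdbot_htpasswd;
          }
          # belt and braces: refuse messaging artifacts even if a deploy symlinks them in
          location ~ /(signal|telegram|whatsapp)[^/]*$ { return 404; }
      notify: reload nginx

    - name: Find messaging artifacts left in the install tree
      ansible.builtin.find:
        paths: "{{ clawdbot_root }}/files"
        patterns: ["*signal*", "*telegram*", "*whatsapp*", "*-qr.png"]
        recurse: true
      register: leftovers

    - name: Remove them
      ansible.builtin.file:
        path: "{{ item.path }}"
        state: absent
      loop: "{{ leftovers.files }}"

  handlers:
    - name: restart avahi
      ansible.builtin.service:
        name: avahi-daemon
        state: restarted
    - name: reload nginx
      ansible.builtin.service:
        name: nginx
        state: reloaded
```

Run it with ansible-playbook -i inventory harden-moltbot.yml, then re-check from outside the VPN: a unicast query to UDP 5353 on the public address should get no answer, and TCP 18789 should be filtered rather than serving the panel.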

Broader Implications

This isn’t Moltbot-specific. Any mDNS-heavy tool (Zeroconf services, IoT) risks the same on bridged networks.

Honeypot presence flags active scanning, likely red teams or script kiddies probing for RCE via prompt injection, as noted in prior Snyk and BleepingComputer reports.

Operators: audit your own mDNS footprint with mdns-scan or dns-sd -B _moltbot._tcp, and check Shodan for port 18789 plus “Clawdbot”. Patch now; these leaks enable agent hijacking without the need for exploits. (Source)

Site: moccasin-seal-164327.hostingersite.com
