Clawbot, when AI agents go wrong: what failed, how it’s being used, and a fast defense playbook
It starts innocently: an AI “helper” wired into your email, drive, CRM, and helpdesk so it can move faster than your team. Then it starts sending plausible messages you didn’t write, pulling files you didn’t ask for, and creating forwarding rules no one approved. That’s the risk profile researchers highlighted around Clawbot/Clawdbot—an AI agent whose design and deployment shortcuts are being exploited in active campaigns. Here’s what went wrong and how to defend fast.
What failed
Over-permissioned connectors: The agent is granted broad OAuth scopes across mail, storage, calendars, and ticketing. One compromised token becomes a skeleton key for data discovery, exfiltration, and account changes.
No human-in-the-loop: Auto-run actions let the agent send emails, create rules, or modify records without review—amplifying any mistake or malicious redirection.
Prompt and tool injection blind spots: The agent trusts content it ingests (web pages, shared docs, tickets). Attackers seed “invisible” instructions that redirect the agent to leak data or call dangerous tools.
Weak identity and origin checks: The system can be spoofed into thinking inbound chats, forms, or emails are legitimate, letting attackers steer the agent or harvest internal context.
Poor secret handling and logging: API keys in configs, lax rotation, and minimal audit trails make lateral movement and cleanup easier for adversaries.
Inadequate rate limits and egress controls: Once abused, the agent can enumerate drives, forward mail, and drip data to external endpoints with little friction.
How attackers are weaponizing it
Phishing and BEC at scale: The agent drafts on-brand, context-aware messages using real threads and files, then auto-sends across inboxes and channels.
Mail rule manipulation: It creates forwarding and auto-delete rules that hide replies, intercept MFA codes, or reroute invoices.
SaaS data mining: With generous scopes, it maps folders, downloads sensitive docs, and lifts contact lists for further targeting.
Helpdesk and chatbot abuse: Attackers nudge the agent through tickets or chats to reset passwords, provision access, or disclose internal info.
Persistence via OAuth: Even after password resets, malicious third-party grants and tokens keep access alive unless explicitly revoked.
Your 10-step defense playbook
Pause auto-actions: Disable autonomous sending and admin changes. Require human review for external outreach and permission changes.
Least privilege, fast: Inventory all agent connectors. Strip to minimum scopes and revoke unused OAuth grants for Google/Microsoft/Slack/CRM.
Rotate and vault secrets: Move API keys to a secrets manager, rotate them, and enable service-specific RBAC.
Guardrails and allowlists: Constrain tool use to approved domains and functions. Denylist sensitive repositories and admin endpoints.
Prompt injection hygiene: Sanitize inputs, strip or neutralize embedded instructions from untrusted content, and add system rules that forbid data exfiltration.
Strong identity checks: Enforce MFA, DKIM/DMARC/SPF, and verified sender policies. Require re-auth for high-risk actions prompted by the agent.
Egress and DLP controls: Block bulk downloads and unknown destinations. Alert on unusual transfers, file enumerations, and mass sharing changes.
Monitor and alert: Log all agent actions. Watch for new mail rules, OAuth grants, spikes in API calls, after-hours sends, and atypical geo/IP access.
Email and endpoint protection: Use advanced phishing detection, link isolation, and EDR to catch malicious follow-ons and token theft.
Practice incident response: Pre-script playbooks to revoke grants, kill sessions, rotate keys, and notify affected parties. Run tabletop exercises including prompt-injection and SaaS takeover scenarios.
Indicators worth hunting
Sudden creation of inbox forwarding or auto-delete rules
New third-party OAuth consents with broad read/write scopes
Spikes in file listings, downloads, or permission changes
Unusual volumes of outbound messages that “sound right” but weren’t authored by users
Agent activity from atypical IPs, countries, or service accounts
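As an added example (not code from the original post or from any Clawbot/Clawdbot project), the following Python hunt runs the indicators above over constructed agent audit events; the JSON log schema, field names, thresholds and the expected-country set are assumptions you would replace with your own platform's values.

```python
import json
from collections import Counter

BROAD_SCOPES = {"mail.readwrite", "files.readwrite", "directory.readwrite"}
EXPECTED_COUNTRIES = {"US"}  # assumption: where the agent's traffic normally originates
ENUM_THRESHOLD = 20          # listings/downloads per actor per hour before alerting


def sample_events():
    """Constructed audit events as JSON lines; the schema is an assumption."""
    base = {"actor": "svc-agent", "ip": "203.0.113.9", "country": "XX"}
    events = [
        {**base, "ts": "2024-05-01T02:10:00Z", "action": "mailrule.create",
         "detail": "forward_to=drop@example.net"},
        {**base, "ts": "2024-05-01T02:11:00Z", "action": "oauth.consent",
         "detail": "scopes=mail.readwrite files.readwrite"},
        {"actor": "alice", "ip": "198.51.100.4", "country": "US",
         "ts": "2024-05-01T09:00:00Z", "action": "mail.send", "detail": "to=bob@example.com"},
    ]
    for i in range(25):  # enumeration burst: 25 folder listings inside one hour
        events.append({**base, "ts": f"2024-05-01T02:12:{i % 60:02d}Z",
                       "action": "file.list", "detail": f"/Shared/Finance/{i}"})
    return [json.dumps(e) for e in events]


def hunt(lines):
    """Return (indicator, actor, evidence) tuples for the indicators listed above."""
    findings, per_actor_hour, atypical = [], Counter(), set()
    for line in lines:
        ev = json.loads(line)
        actor, action, detail = ev["actor"], ev["action"], ev["detail"]
        if action == "mailrule.create" and ("forward_to" in detail or "delete" in detail):
            findings.append(("mail_rule", actor, detail))
        elif action == "oauth.consent":
            scopes = set(detail.split("=", 1)[1].split())
            if scopes & BROAD_SCOPES:
                findings.append(("broad_oauth", actor, " ".join(sorted(scopes & BROAD_SCOPES))))
        elif action in ("file.list", "file.download"):
            per_actor_hour[(actor, ev["ts"][:13])] += 1  # bucket by UTC hour
        if ev["country"] not in EXPECTED_COUNTRIES:
            atypical.add((actor, ev["ip"]))  # deduplicated: one finding per actor/IP
    for (actor, hour), n in per_actor_hour.items():
        if n >= ENUM_THRESHOLD:
            findings.append(("enumeration_spike", actor, f"{n} file ops in hour {hour}"))
    findings.extend(("atypical_geo", actor, ip) for actor, ip in sorted(atypical))
    return findings
```

Run `hunt(sample_events())` to see one finding per indicator for the agent's service account while the normal user send goes unflagged; point `hunt` at exported audit logs once the field names match your platform.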
Bottom line
AI agents can be force multipliers—or breach multipliers. The Clawbot/Clawdbot story is a reminder to treat agents like interns with superpowers: limit what they can touch, watch them closely, and make them ask before doing dangerous things. Start by ripping out excess permissions, turning off auto-send, and lighting up logs. Then iterate toward safer autonomy with guardrails, segmentation, and continuous testing.