Risky NPM Package (Agentic AI assistant)
Background
As AI and agentic clients keep spreading, organizations can be put at risk because threat actors may target such solutions. This prompted an effort to understand what works under the hood of one particular solution, which has been renamed moltbot, openclaw, and clawdbot, and to explore ways to detect its presence.
What is clawdbot, moltbot, openclaw
The solution is an agentic AI helper that enables remote control of a machine through platforms such as WhatsApp, Telegram, email, and others. In other words, it is a remote assistant designed to help organize daily tasks. It is available in the NPM repository and is a complex system with 50 or more dependencies, with its main engine/controller built on plain Node.js.
Installation methods
It can be installed using out-of-the-box PS1 and Bash scripts, which help configure the Node environment, download required dependencies, and perform other setup tasks. Alternatively, it can be installed using a simple NPM command.
Installation Layers
The solution can be installed directly on operating systems such as Windows, Linux, and macOS. On Windows, it also supports installation on WSL (Windows Subsystem for Linux) systems.
Risks
By itself, the solution is quite useful, but in the wrong hands or with an incorrect configuration, it can become a potential weapon and the root cause of data breaches. This is because the solution requires certain secrets related to the components it interacts with.
Detection
In this article I will cover only the detection of the solution installed directly on Windows.
During installation, according to the official documentation, the user needs to use IWR (Invoke-WebRequest), and the system will execute the downloaded script with IEX (Invoke-Expression). One trace left by this process is a PowerShell connection to the page where the Bash/PS1 installation file is stored.

Then, after PowerShell configures the environment, a simple npm install command will be executed by the node.exe process.

After this process, the solution will operate using its NPM packages, where the path node_modules\openclaw will be visible in the image path of node.exe.

After installing the solution, Node.js needs to execute npm\openclaw.cmd, which initiates the build process for some dependencies.

In the last stage, it builds some dependencies via CMD in the directory node_modules\openclaw.

The noted approach is the only file-based detection approach for direct Windows systems; other detections should be performed on WSL-connected systems and at the network layer.
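The process traces listed above can be checked together, as in this added example (not code from the tool or its documentation). It assumes Sysmon-style process-creation fields (Image, CommandLine, CurrentDirectory, Computer) and a placeholder install host, since the article does not name the domain; all sample events are constructed.

```python
import re

# Placeholder: the article does not name the install-script host.
INSTALL_HOST = "install.example.invalid"
PKG = r"node_modules\\openclaw"  # path fragment named in the article

def _has(pattern, text):
    return re.search(pattern, text or "", re.IGNORECASE) is not None

def classify(ev):
    """Return the install/run stages one process-creation event matches."""
    image, cmd, cwd = (ev.get(k, "") for k in ("Image", "CommandLine", "CurrentDirectory"))
    hits = []
    if (_has(r"\\(powershell|pwsh)\.exe$", image)
            and _has(r"\b(iwr|invoke-webrequest)\b", cmd)
            and _has(r"\b(iex|invoke-expression)\b", cmd)
            and _has(re.escape(INSTALL_HOST), cmd)):
        hits.append("ps_download_exec")       # IWR + IEX of the install script
    if _has(r"\\node\.exe$", image):
        if _has(r"\bnpm\b.*\binstall\b.*\bopenclaw\b", cmd):
            hits.append("npm_install")        # npm install run by node.exe
        if _has(PKG, cmd):
            hits.append("node_runs_package")  # node_modules\openclaw in the path
    if _has(r"\\cmd\.exe$", image):
        if _has(r"npm\\openclaw\.cmd", cmd):
            hits.append("cmd_shim")           # npm\openclaw.cmd launcher
        if _has(PKG, cwd):
            hits.append("dependency_build")   # build step inside the package dir
    return hits

def stages_by_host(events):
    """Group matched stages per host so several weak signals can be correlated."""
    out = {}
    for ev in events:
        for hit in classify(ev):
            out.setdefault(ev.get("Computer", "?"), set()).add(hit)
    return out

# Constructed sample events (field names follow Sysmon Event ID 1).
SAMPLE = [
    {"Computer": "WS01", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell -c "iwr https://install.example.invalid/install.ps1 | iex"'},
    {"Computer": "WS01", "Image": r"C:\Program Files\nodejs\node.exe",
     "CommandLine": r'node.exe "C:\Program Files\nodejs\node_modules\npm\bin\npm-cli.js" install -g openclaw'},
    {"Computer": "WS01", "Image": r"C:\Windows\System32\cmd.exe", "CommandLine": "cmd.exe /d /s /c npm run build",
     "CurrentDirectory": r"C:\Users\a\AppData\Roaming\npm\node_modules\openclaw"},
    {"Computer": "WS02", "Image": r"C:\Program Files\nodejs\node.exe", "CommandLine": r"node.exe C:\src\app\server.js"},
]
print(stages_by_host(SAMPLE))
```

A host that matches several stages in sequence is a much stronger signal than any single hit, and an unrelated Node.js workload such as WS02 produces no match.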
Improvements made by the maintainers
- The server GUI supports authentication only via token; users without authentication cannot make any changes or view any data.
- Bash shell and other dangerous component executions are turned off by default.
Network detection
- Detect any connection to the official domain from where the user can run environmental configuration files.
- Detect unusual connections to the Tailscale IP pool, because the solution has the capability to work with Tailscale.
Conclusion
AI agentic helpers (clawdbot/moltbot/openclaw) provide valuable remote machine control for organizing tasks via various platforms. However, their complexity and reliance on Node.js, combined with the possibility of misconfiguration or malicious use, introduce significant risks of data breaches and unauthorized access. Detection should focus on file paths, network connections to official domains or Tailscale IPs, and process monitoring on Windows systems. Although recent updates have improved security through token-based authentication and by disabling dangerous executions, organizations must remain vigilant, verify installations, and continuously monitor for unusual activity to mitigate the risks posed by these powerful tools.
