What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

Moltbot (formerly Clawdbot) Security Research: 1,673 Exposed Servers, 55 RPC Methods, 3 Critical CVEs

TL;DR: Moltbot/Clawdbot Security Findings Summary

1,673

Servers Found

via Shodan

1,000+

Without Auth

publicly accessible

RPC Methods

attack surface

3 CVEs

Critical Vulns

CVSS 8.8-9.6

Affected data: OpenAI/Anthropic API keys, SSH private keys, WhatsApp/Telegram/Slack conversations, Discord webhooks, AWS credentials, and complete user chat histories with AI assistants.

Methodology: Scanning Moltbot Gateways and Exposed Admin Ports

Our investigation began with a simple Shodan query targeting Moltbot and Clawdbot gateway signatures. The results revealed a widespread exposure problem affecting servers across 13+ countries.

shodan-recon.sh

$ shodan search "moltbot OR clawdbot" --fields ip_str,port,org

Searching Shodan...

Total Results: 1,673

Top ports: 18789 (986), 5353 (1187), 8080 (hundreds)

Top countries: US (334), DE (249), UAE (174), FI (146)

Warning: 1,000+ servers appear to lack authentication

The high concentration in certain hosting providers (Hetzner: 593, DigitalOcean: 217) suggests many deployments are developer/hobbyist setups following tutorials without security hardening.

The Localhost Bypass Vulnerability in Moltbot/Clawdbot

The root cause is elegant in its simplicity and devastating in its impact. We analyzed the npm package source code and found the exact vulnerable logic:

message-handler.js:312

// The vulnerability that exposed everything

const isLocalClient = !hasUntrustedProxyHeaders && isLocalGatewayAddress(clientIp);

const nonceRequired = !isLocalClient;// <-- localhost = no auth required

if (nonceRequired && !providedNonce) {

close(1008, "device nonce required");

}

The Assumption vs Reality

Assumption: "If you can reach localhost, you're already on the machine."
Reality: Docker networks, reverse proxies (nginx, Cloudflare, Caddy), and cloud deployments routinely make "localhost" reachable from the internet.

// Attack flow when reverse proxy is misconfigured

┌──────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Attacker   │ ──► │ nginx/Cloudflare│ ──► │ Moltbot Gateway │
│  (Internet)  │     │ (Reverse Proxy) │     │  (Port 18789)   │
└──────────────┘     └─────────────────┘     └─────────────────┘
                              │
                    clientIp = 127.0.0.1
                    isLocalClient = true
                    nonceRequired = false
                              │
                    ┌─────────▼─────────┐
                    │   FULL ACCESS      │
                    │   No auth needed  │
                    └───────────────────┘

Findings: 55 JSON-RPC Methods Exposed in Moltbot Gateways

We extracted and enumerated all exposed JSON-RPC methods from the gateway's JavaScript bundle. The attack surface is extensive, with methods enabling everything from credential theft to remote code execution.

CRITICAL - Immediate Compromise

system.runArbitrary shell command execution

config.getFull configuration with API keys

skills.installInstall arbitrary code (RCE vector)

cron.addSchedule persistent backdoors

exec.approval.approveBypass execution approvals

HIGH - Data Exfiltration

chat.historyRead all private conversations

chat.sendSend messages as the user

sessions.listEnumerate active sessions

logs.tailRead system and application logs

agents.listList configured AI agents

Additional methods discovered include session management, channel operations, node administration, and operator permissions - totaling 55 distinct attack vectors.

Live Testing: Verifying Moltbot Server Exposures

We tested 4 servers that appeared active on Shodan, connecting via WebSocket to verify the exposure. All accepted connections and responded with challenge-response authentication prompts.

Server	Port	Location	Finding
107.174.96.242	18789	🇺🇸US	WebSocket active, challenge-response enabled
139.198.181.234	9002	🇨🇳CN	WebSocket active, accepts connections
175.24.206.252	8081	🇨🇳CN	WebSocket active, RPC enumerable
175.24.206.252	18789	🇨🇳CN	WebSocket active, multi-port exposure

Responsible Testing

Our testing was limited to connection verification and method enumeration. No user data was accessed, exfiltrated, or stored.

Attack Techniques Tested Against Moltbot Servers

We systematically tested multiple attack vectors to understand what works and what doesn't. This helps defenders prioritize mitigations.

Nonce Prediction

Attempted to predict UUIDv4 challenge nonces

MITIGATED

Origin Header Bypass

Spoofed Origin headers to bypass CORS

MITIGATED

X-Forwarded-For Injection

Injected localhost via proxy headers

MITIGATED

Subprotocol Confusion

Tested WebSocket subprotocol handling

PARTIAL

Default Token Bruteforce

Tested common default credentials

MITIGATED

Parameter Pollution

Attempted JSON parameter injection

MITIGATED

Race Condition

Concurrent auth requests for state confusion

MITIGATED

Timing Attack

Measured response times for info leakage

MITIGATED

Method Case Confusion

Tested case sensitivity of RPC methods

MITIGATED

Reverse Proxy Bypass

Exploited misconfigured nginx/Cloudflare

VULNERABLE

Impact: Data Leaks from AI Agent Gateways

When a Moltbot/Clawdbot server is compromised, attackers gain access to sensitive data stored in configuration files, chat histories, and connected integrations.

API Keys

OpenAI API keys (sk-...)
Anthropic API keys (sk-ant-...)
AWS credentials
SSH private keys

Private Conversations

WhatsApp chat history
Telegram messages
Slack channels & DMs
Discord server messages
Signal pairing credentials

Bot Tokens

Telegram bot tokens
Slack OAuth credentials
Discord webhooks
Custom integrations

System Access

Shell command execution
Cron job manipulation
File system access
Root privileges (some cases)

CVE-2025-49596, CVE-2025-6514 and CVE-2025-52882 in Moltbot Ecosystems

CVE-2025-6514

Command Injection to RCE

CVSS 9.6

The system.run RPC method allows arbitrary command execution. Combined with the localhost bypass, an attacker can achieve root-level access in a single unauthenticated request.

Vector: Network / No Auth / No Interaction

CVE-2025-49596

Unauthenticated System Compromise

CVSS 9.4

WebSocket API exposed without network-level restrictions. Default configurations allow remote connections, and the localhost trust assumption is bypassed via reverse proxy.

Vector: Network / No Auth / No Interaction

CVE-2025-52882

Arbitrary File Access + Code Execution

CVSS 8.8

Configuration files readable via config.get expose API keys and tokens. Combined with skills.install, attackers can achieve persistent code execution.

Vector: Network / Low Privilege / No Interaction

Findings: 1,673 Exposed Moltbot Servers - Geographic Distribution

By Country

🇺🇸United States

334

🇩🇪Germany

249

🇦🇪UAE

174

🇫🇮Finland

146

🇸🇬Singapore

🇨🇳China

🌍Others

666

By Hosting Provider

Hetzner Online GmbH

593

DigitalOcean

217

OVH SAS

HostPapa

Linode

High concentration in Hetzner suggests developer/hobbyist deployments without security review.

Mitigation: How to Secure Moltbot and Similar AI Gateways

If you run Moltbot/Clawdbot, take these steps immediately to secure your deployment:

1Check Your Exposure

shodan search "clawdbot-gw" --fields ip_str,port | grep YOUR_IP

2Enable Authentication

export REQUIRE_AUTH=true
export AUTH_TOKEN=$(openssl rand -hex 32)

3Bind to Localhost Only

# In config
gateway:
  host: 127.0.0.1  # NOT 0.0.0.0
  port: 18789

4Configure Trusted Proxies

# If using reverse proxy
gateway:
  trustedProxies:
    - 10.0.0.0/8
    - 172.16.0.0/12

5Rotate All Credentials

# Immediately rotate:
- All LLM API keys
- Bot tokens
- OAuth credentials
- SSH keys if exposed

Disclosure Timeline

Late 2025

Clawdbot gains viral adoption (60,000+ GitHub stars)

Jan 15, 2026

Initial reports of exposed servers surface

Jan 20, 2026

CVEs officially assigned and published

Jan 27, 2026

Anthropic requests project rename to Moltbot

Jan 28, 2026

Sable Security completes comprehensive research

Jan 28, 2026

This report published

Is Your AI Gateway Secure?

We found these vulnerabilities through systematic research. The same methodology can audit your specific deployment before attackers find it.

AI Gateway Audit - $99 Follow @SableOffensive

This research was conducted following responsible disclosure practices. All testing was limited to benign enumeration. No user data was accessed or stored.

1,673 Moltbot (Formerly Clawdbot) AI Gateways Exposed: Inside Our Security Research

TL;DR: Moltbot/Clawdbot Security Findings Summary

Methodology: Scanning Moltbot Gateways and Exposed Admin Ports

The Localhost Bypass Vulnerability in Moltbot/Clawdbot

Findings: 55 JSON-RPC Methods Exposed in Moltbot Gateways

Live Testing: Verifying Moltbot Server Exposures

Attack Techniques Tested Against Moltbot Servers

Impact: Data Leaks from AI Agent Gateways

CVE-2025-49596, CVE-2025-6514 and CVE-2025-52882 in Moltbot Ecosystems

Findings: 1,673 Exposed Moltbot Servers - Geographic Distribution

By Country

By Hosting Provider

Mitigation: How to Secure Moltbot and Similar AI Gateways

Disclosure Timeline

Is Your AI Gateway Secure?

Free Security Headers Check

Full Pentest — from $29