What is Agent-as-a-Service pentesting?

Agent-as-a-Service (AaaS) pentesting lets you chat with autonomous pentesting agents that scan your application on demand. Instead of waiting weeks for a manual engagement, you talk to specialized agents — pen-scout (recon and surface mapping), pen-recon (deeper enumeration), pen-triage (validates and prioritizes findings), pen-fixer (remediation guidance), and pen-compliance (OWASP/standards mapping). Findings are validated with proof-of-concept and re-test, not just flagged. You start with 150 free credits, no credit card.

What are credits and how do they work?

Credits are how you run agent scans. Each scan or agent action consumes credits based on its depth. New accounts get 150 free credits with no card required. After that you can buy one-time credit packs ($29, $79, or $199) for pay-as-you-go use, or subscribe to a monthly tier ($49, $149, or $399/mo) for continuous, on-demand pentesting. The agents pen-scout, pen-recon, pen-triage, pen-fixer and pen-compliance all draw from the same credit balance.

Yes. Every new account gets 150 free credits with no credit card required — enough to chat with the pentesting agents and run real scans against your app. There is also a free security headers scan at sable.somoswilab.com/free-scan and a sample report at sable.somoswilab.com/sample-report. The free tier runs on OpenRouter models so you can evaluate the autonomous agents before paying.

What is penetration testing for startups?

Penetration testing (pentesting) is a simulated cyberattack against your application to find security vulnerabilities before real attackers do. For startups, we focus on the issues that matter most at your stage: authentication flaws, data exposure, API security, and common mistakes in modern stacks like Next.js, Supabase, and Firebase.

How much does a pentest cost?

Traditional pentests cost $10,000-$50,000+. SableOffensive starts at $29 for a Pre-Launch Check covering OWASP Top 10 and secrets detection. Founder Shield ($79) adds IDOR testing, auth bypass, and a debrief call. Scale Secure ($199) is a full-scope assessment. Every plan includes a professional report with remediation steps.

How long does a security scan take?

Pre-Launch Check reports are delivered within 24-48 hours. Founder Shield and Scale Secure may take 2-3 business days depending on the complexity of your application.

What do I need to provide?

At minimum, just your application URL. For more comprehensive testing, we may ask for staging credentials, API documentation, or GitHub repository access. We sign NDAs for all engagements.

What is OWASP Top 10?

OWASP Top 10 is the industry standard list of the most critical web application security risks. It includes injection attacks, broken authentication, cross-site scripting (XSS), server-side request forgery (SSRF), and security misconfigurations. Every SableOffensive assessment tests against the full OWASP Top 10.

Do you test AI-generated code?

Yes. Code generated by AI tools like Cursor, GitHub Copilot, and v0 often contains subtle security issues: hardcoded secrets, missing input validation, insecure API patterns, and overly permissive access controls. We have specific testing procedures for AI-generated codebases.

How do you secure Supabase and Firebase apps?

For Supabase, we audit Row Level Security (RLS) policies, test for direct table access, and check for exposed service keys. For Firebase, we review security rules, test Firestore/RTDB access patterns, and check Cloud Functions for vulnerabilities.

What if you find zero vulnerabilities?

50% money back guarantee. If our scan finds zero security issues, you get half your money back.

Is there a free pentesting option?

Yes. SableOffensive offers a free security headers scan at sable.somoswilab.com/free-scan. It instantly checks your website for 8 critical security headers (HSTS, CSP, X-Frame-Options, and more) and gives you an A-F grade with copy-paste fixes. No signup or payment required.

Can I get a free vulnerability scan?

Our free security headers check scans your website instantly and grades your security posture. For a deeper free assessment, contact us — we occasionally offer complimentary scans for early-stage startups and open source projects.

OpenClaw (formerly Moltbot/Clawdbot) Security Research: 900+ Exposed Instances, 8 Critical Vulnerabilities, CVE-2025-49596

TL;DR: OpenClaw = Moltbot = Clawdbot (Same Vulnerabilities)

900+

Instances Exposed

via Shodan (Jan 2026)

512

Security Findings

from Argus audit

Critical Vulns

CVSS 7.5-9.8

181

Secrets Leaked

65 still valid

Key finding: OpenClaw is the third name for the same codebase. All vulnerabilities we reported in Moltbot remain present. The rebrand was for trademark reasons, not security.

The Rebrand Timeline: Clawdbot to Moltbot to OpenClaw

Three names in three months. Each rebrand was triggered by external pressure - never by security concerns:

Nov 2025

Clawdbot

Original release by Peter Steinberger

TRADEMARK

Jan 2026

Moltbot

Renamed after Anthropic trademark concerns

NO FIXES

Jan 30, 2026

OpenClawCURRENT

Rebranded again - same vulnerabilities remain

SAME CODE

Name Changes Don't Fix Code

Peter Steinberger acknowledged the name changes were due to trademark concerns from Anthropic. The security vulnerabilities that expose 900+ instances remain unchanged across all versions.

Industry Expert Warnings About OpenClaw/Moltbot

“

Don't run Clawdbot.

Heather Adkins

VP Google Cloud

“

How could someone trust that thing with full system access?

Yassine Aboukir

Principal Security Consultant

8 Critical Vulnerabilities in OpenClaw (Unchanged from Moltbot)

The Argus Security audit identified 512 findings. These 8 critical vulnerabilities enable full system compromise from the network without authentication:

Gateway Auth BypassCVE-2025-49596

CVSS 9.8

Reverse proxy makes all connections appear as localhost

mcp-remote RCECVE-2025-6514

CVSS 9.6

Command injection via OAuth endpoint in MCP servers

Plaintext OAuth Storage

CVSS 9.1

Tokens stored unencrypted at ~/.openclaw/credentials/

Webhook Signature Bypass

CVSS 8.8

skipVerification option allows complete bypass

Hardcoded OAuth Secrets

CVSS 8.6

Base64-encoded client secrets in source code

Path Traversal

CVSS 8.4

Agent directory paths not validated

CSRF in OAuth Flows

CVSS 8.1

State validation uses flawed nullish coalescing

Token Refresh Race

CVSS 7.5

File-based locking fails causing race conditions

CVE-2025-49596: The Localhost Trust Assumption

The root cause remains the same flawed assumption: "If you can reach localhost, you're already on the machine." In reality, Docker networks, reverse proxies, and cloud deployments routinely expose localhost to the internet.

message-handler.js - Still vulnerable in OpenClaw

// The vulnerability that exposed everything - STILL PRESENT

const isLocalClient = !hasUntrustedProxyHeaders && isLocalGatewayAddress(clientIp);

const nonceRequired = !isLocalClient;// localhost = no auth required

// Attack flow - unchanged in OpenClaw

┌──────────────┐     ┌─────────────────┐     ┌─────────────────┐
│   Attacker   │ ──► │ nginx/Caddy     │ ──► │ OpenClaw Gateway│
│  (Internet)  │     │ (Reverse Proxy) │     │  (Port 8080)    │
└──────────────┘     └─────────────────┘     └─────────────────┘
                              │
                    clientIp = 127.0.0.1
                    isLocalClient = true
                    nonceRequired = false
                              │
                    ┌─────────▼─────────┐
                    │   FULL ACCESS      │
                    │   No auth needed  │
                    └───────────────────┘

Exposed API Endpoints in OpenClaw Instances

When authentication is bypassed, these endpoints become accessible to any attacker:

Endpoint	Risk	Exposed Data
/api/config	CRITICAL	Full configuration with API keys, tokens, secrets
/api/agents	CRITICAL	Agent list, settings, and auth profiles
/api/tools	HIGH	Available tools and execution permissions
/gateway/status	HIGH	Gateway status and authentication tokens
/api/sessions	HIGH	Session transcripts and conversation logs

Plaintext Credential Storage Locations

OpenClaw stores all credentials in plaintext JSON files. 181 unique secrets have leaked to public repositories, with 65 still valid at time of detection:

~/.openclaw/clawdbot.json

Gateway tokens

CRITICAL

~/.openclaw/credentials/oauth.json

OAuth access/refresh tokens

CRITICAL

~/.openclaw/identity/device-auth.json

Device authentication

HIGH

~/.openclaw/credentials/whatsapp/*/creds.json

WhatsApp credentials

CRITICAL

~/.openclaw/agents/*/agent/auth-profiles.json

Model provider auth

CRITICAL

~/.openclaw/agents/*/sessions/*.jsonl

Conversation transcripts

HIGH

Infostealers Now Targeting OpenClaw Installations

Major malware families updated their targeting within 24 hours of OpenClaw's release:

RedLine

Added OpenClaw directory enumeration

Black market: $50-200

Lumma

Targeting credential JSON files

Black market: $30-150

Vidar

Harvesting conversation logs

Black market: $20-50

MITRE ATT&CK Mapping

Technique	Name	OpenClaw Relevance
T1133	External Remote Services	Exposed gateway instances
T1210	Exploitation of Remote Services	CVE-2025-49596 auth bypass
T1552.001	Credentials In Files	Plaintext credential storage
T1574	Hijack Execution Flow	Skill/plugin poisoning
T1659	Content Injection	Prompt injection attacks
T1195.002	Supply Chain Compromise	ClawdHub malicious skills

Minimum Secure Configuration for OpenClaw

If you must run OpenClaw, this is the minimum configuration to prevent unauthenticated access:

openclaw.yaml - Hardened configuration

gateway:
  bind: "127.0.0.1:8080"
  auth:
    token: "${OPENCLAW_AUTH_TOKEN}"
  trustedProxies:
    - "10.0.0.0/8"

agents:
  defaults:
    sandbox:
      enabled: true
      scope: "session"
    dm:
      policy: "pairing"

tools:
  elevated:
    allowFrom: []

Immediate Remediation Steps

If you run OpenClaw, Moltbot, or Clawdbot, take these steps immediately:

1Rotate ALL exposed secrets

# 181 secrets leaked - 65 still valid
# Rotate immediately:
- LLM API keys (OpenAI, Anthropic)
- OAuth tokens (Google, Slack, Discord)
- Bot tokens (Telegram, WhatsApp)
- SSH keys if exposed

2Enable gateway authentication

gateway:
  auth:
    token: "$(openssl rand -hex 32)"

3Configure trustedProxies

gateway:
  trustedProxies:
    - "10.0.0.0/8"
    - "172.16.0.0/12"
    - "192.168.0.0/16"

4Update mcp-remote to 0.1.16+

npm update mcp-remote@latest
# Fixes CVE-2025-6514 (CVSS 9.6)

5Update Node.js to 22.12.0+

# Fixes:
# CVE-2025-59466 (async_hooks DoS)
# CVE-2026-21636 (permission bypass)

Related Research

Moltbot Security Research: 1,673 Exposed Servers

Our original research on Moltbot/Clawdbot that documented the same vulnerabilities before the OpenClaw rebrand.

vLLM RCE: Send a Malicious Video, Take Over AI Servers

CVE-2026-22778 (CVSS 9.8). 175,000+ exposed servers across 130 countries. Heap overflow via malicious video enables RCE.

Is Your AI Infrastructure Secure?

OpenClaw is just one of many AI tools with security issues. We audit AI agent deployments, LLM integrations, and agentic infrastructure before attackers find your vulnerabilities.

AI Infrastructure Audit - $199 Follow @SableOffensive

This research was conducted following responsible disclosure practices. All testing was limited to benign enumeration. No user data was accessed or stored.

OpenClaw Security Analysis: Same Vulnerabilities, Third Name

TL;DR: OpenClaw = Moltbot = Clawdbot (Same Vulnerabilities)

The Rebrand Timeline: Clawdbot to Moltbot to OpenClaw

Industry Expert Warnings About OpenClaw/Moltbot

8 Critical Vulnerabilities in OpenClaw (Unchanged from Moltbot)

CVE-2025-49596: The Localhost Trust Assumption

Exposed API Endpoints in OpenClaw Instances

Plaintext Credential Storage Locations

Infostealers Now Targeting OpenClaw Installations

MITRE ATT&CK Mapping

Minimum Secure Configuration for OpenClaw

Immediate Remediation Steps

Related Research

Is Your AI Infrastructure Secure?

Free Security Headers Check

Full Pentest — from $29