People rush to AI bots for their most sensitive tasks these days without security leading the way. The Moltbot frenzy reminds us we just wrote about this recently – the difference between AI security noise and high-impact threats. 

AI Security Lessons from the MoltBot Incident

For folks who jumped in early and got the Github project Moltbot to tie their whole userland experience together on their laptop, they just got a rude awakening. An attacker could feed it malicious prompts and it would slurp up emails you gave it access to, and send them off to an attacker – all automatically.

The appeal is to not enter your personal information on one of the big LLMs on the web, thereby controlling more sensitive information by keeping it on your computer, rather than in someone else’s cloud. But when the app could be co-opted to do an attacker’s bidding, security is actually worse.

By installing Moltbot (formerly Clawdbot, a subject of a name dispute) on your laptop, it aspired to create a useable, but local LLM that could do your bidding – basically optimizing a bunch of low-level, daily tasks, and just sort of “make them work together”. To do this, a user had to grant access to all the resources, like email, documents, and the like (WhatsApp, Telegram, Slack, Discord, Google Chat, Signal, etc.). But since it had access, it also had the ability to go off the rails, if maliciously directed.

MoltBot’s vulnerability is not that it “went rogue,” but that it operated as a privileged agent without robust trust boundaries. In effect, prompt injection became a command-and-control channel.

The bigger question: is this just training for future attacks? MoltBot may not be the real story. It may be a rehearsal.

Attackers are experimenting with how AI agents behave under manipulation, mapping permission boundaries, and learning how users configure automation tools. Today it’s prompt injection. Tomorrow it’s autonomous AI malware with persistence, lateral movement, and stealthy exfiltration.

The prompt injection hijinx is part of the noise – but portends more serious attacks to come which may seem trivial today but could evolve into far more serious attacks.

Attack sophistication seems to be on the rise, and this is just one attempt by aspiring attackers to craft the “killer (malicious) app” to suit the new ecosystem, and socially engineer enough users to make it seem worthwhile.

And it worked. Not because MoltBot was malicious—but because our current AI tooling model assumes trust where none should exist.

*** This is a Security Bloggers Network syndicated blog from SecureIQ Lab authored by Cameron Camp. Read the original post at: https://secureiqlab.com/ai-security-chatbots-going-rogue/