00:00:00 Clawdbot, or should I say, Moltbot, thanks Anthropic, has been blowing up all over the
00:00:05 internet these last few days. It's your personal AI assistant that actually does things,
00:00:11 like check your inbox, book your meeting, and much more, all through your favourite messaging app.
00:00:17 It works with any model or any plan, well, apart from this one, but it does have some
00:00:22 potential security issues. I mean, the first time I set it up, someone tried to brute force my server.
00:00:28 So hit subscribe and let's get into it.
00:00:30 If you haven't already seen the Clawdbot/Moltbot craze over the internet, consider yourself lucky.
00:00:36 People are buying Mac Minis like it's the end of the world to install Clawdbot and use it to run
00:00:42 their lives. Sorry, throughout this video I might mix up the terms Clawdbot and Moltbot, but you know
00:00:47 what I'm saying. Anyway, people are using it to trade crypto, join them on podcasts, and even to
00:00:52 monitor their social media. All kinds of crazy things. Clawdbot isn't connected to Anthropic,
00:00:58 hence the name change, and was created by Peter Steinberger just three months ago, which is amazing
00:01:04 since it already has almost 70k stars on GitHub. And although some people have been installing it
00:01:10 locally on their machine, I wouldn't recommend it since Clawdbot has full system access,
00:01:16 meaning it can do anything. So all it could take is a prompt injection from reading a PDF to bring
00:01:21 down your whole system and expose your sensitive data. This is why people are installing it on Mac
00:01:27 Minis to keep it isolated from their main machine. But since I don't have one, the next best thing to
00:01:32 do is to put it on a cheap VPS under, of course, a non-root user with sudo access. Running this
00:01:37 command takes care of everything from installing and setting up skills like 1Password and Google
00:01:42 Calendar to adding the API keys of the models you want to use. And trust me, Clawdbot supports a lot
00:01:48 of LLMs. The installation process even helps you configure a channel to use it with, like Discord,
00:01:54 WhatsApp or Telegram. Actually, for some reason, WhatsApp didn't work too well for me. I mean,
00:01:59 okay, it did work, but it looked like I was talking to myself. So I went with Telegram,
00:02:04 which currently is the only production-ready channel. And although it had a few steps to set
00:02:09 it up, I found this to be much better. You can also give your model an identity,
00:02:13 which is a bit like a business card, a soul. Yes, soul sounds a bit weird, but that's what
00:02:18 they've decided to call it, which is more of the agent's personality. And along with the
00:02:22 persistent memory it has, it feels very human-like to talk to. I mean, when I mentioned that I'd been
00:02:28 hacked, it responded with an alarm emoji, and when anything goes well, it seems to come across as
00:02:33 being happy. The feeling of communicating with this agent through a messaging app does feel like
00:02:39 something else. I mean, you can ask it the weather, you can ask it the time, you can ask it to book
00:02:44 your meeting and it goes ahead and does it like a real personal assistant, but it doesn't sleep,
00:02:49 it doesn't eat and it works 24/7. This all sounds too good to be true, but it does have some security
00:02:56 issues, which I'll talk about later. For now, let's go through how this actually works.
00:03:00 So the main part of Clawdbot is the gateway daemon, which contains things like the
00:03:06 dashboard, the web-based UI you can use to configure Clawdbot, and the WebSocket server,
00:03:11 which are both exposed on this port, the WebSockets and HTTP, and give access to different things
00:03:18 like clients, which is used by the TUI, so the terminal interface, to talk to agents, and also the
00:03:24 website. Then there are nodes, which give Clawdbot native functionality like camera and
00:03:30 canvas for the native Mac, iOS and Android apps. Then there are the channels, which you'll be the
00:03:36 most familiar with. These are things like WhatsApp, Telegram, Discord and so on. And they don't connect
00:03:42 to Clawdbot through the WebSocket server, but they have a channel manager, which uses channel
00:03:47 specific libraries, so grammY for Telegram, Discord.js for Discord and so on. Now from here,
00:03:53 there's the agent runtime powered by Pi, which is a popular agentic tool that creates an in-memory
00:03:59 session for the agents' communication and can handle tools, skills and per-session queues. There's also a
00:04:05 router to handle multi-agent communication, but this is what connects to the cloud. I don't know
00:04:10 why this is a basketball, it's supposed to be a globe, but the cloud agents, so if you're using
00:04:15 Anthropic or OpenAI LLMs, this is what interfaces with them. Or if you have local models
00:04:21 like Ollama, then this takes care of that. There are also hooks and other things that the gateway
00:04:25 daemon takes care of, but for now let's focus on the session manager, which manages the sessions
00:04:30 between the agents, and also the storage and state, which is what you want to protect from hackers if you have a
00:04:36 VPS or anything like that, because this is what stores the Clawdbot configuration:
00:04:42 your auth tokens, so your Anthropic and OpenAI auth tokens, and also the transcripts from
00:04:47 the sessions that you have with the agents. This is usually stored in the .clawdbot directory.
00:04:52 As you can imagine, there will be problems with running Clawdbot on a VPS because the IP address
00:04:58 is public, and if you expose your gateway, then anyone can access your bot or try to break into
00:05:04 it, which is what happened to me. For the most part, running the gateway locally should alleviate
00:05:09 most of the issues, but you can also install something like Tailscale to make your network
00:05:13 more secure, which is what I did the second time round. Let me show you. After installing it on your
00:05:18 server and the machine you want to access Clawdbot from, Tailscale can lock things down so that only
00:05:24 these two machines can talk to each other and no one from the outside world can access them.
00:05:29 And with SSH enabled, I can make it so that only machines in my network can SSH into the
00:05:35 Clawdbot server, which means I can disable public SSH access, and if I used SSH tunnelling to access
00:05:41 the Clawdbot dashboard, I could just use the Tailscale addresses or use Tailscale Serve to
00:05:47 expose the dashboard, but just to my network. You could even use Clawdbot to configure Tailscale
00:05:52 itself for the dashboard and the WebSocket part, but of course you'd have to manually sign up and
00:05:57 connect the machines you want to access it from. I would also recommend creating API keys just for
00:06:03 Clawdbot so that if they get compromised, you can remove them and create another one.
00:06:08 Also, if you add any sensitive data to the chat, then it makes sense to go through and scrub that
00:06:13 in case that gets compromised as well. And finally, the Clawdbot CLI does have a
00:06:18 security command which can be used to fix issues automatically. But even with all these things in
00:06:24 place, the biggest security issue by far is prompt injection, since the agent can read, download and
00:06:31 search the internet. People can insert malicious prompts into files, emails or anything, and the
00:06:37 agent that has full access to your system can execute these prompts. Someone used Clawdbot
00:06:42 to download malware to the system from a pull request by leaving encoded instructions in a URL,
00:06:48 making it easy to miss. The YouTuber Low Level mentioned his friend installed Clawdbot and
00:06:54 read an email from his wife telling Spotify to play EDM music, and because the agent had access
00:07:00 to Spotify, it went ahead and did that. I know, scary stuff, and there are things
00:07:05 popping up over the internet all the time. I'm sure models will get better at detecting
00:07:10 these sorts of things, but you know what hackers are like, they'll always find a way.
00:07:14 Overall, I think Clawdbot is still super impressive. Sorry, Moltbot just isn't as good
00:07:20 of a name. I think it's a great way to expose people to what these amazing models are capable of
00:07:26 when given the access, but personally I don't feel comfortable giving these models my personal
00:07:32 information. Maybe that might change in the future, but right now I'm a bit apprehensive.
00:07:37 But there is hope, I think, because if big companies see that users are happy to give agents full access
00:07:44 to their system and personal information to do things like book flights, meetings and basically
00:07:50 organise their life, then they may put more effort into the personal assistant side of LLMs
00:07:56 like Cowork, but make them much better and also find ways to get around these security issues.
00:08:01 Speaking of security issues, if you're building apps for AI then you should definitely check out
00:08:07 Better Stack, which is a tool that can use anomaly detection to pick up on weird things happening
00:08:12 on your servers, can use AI-native error tracking to spot errors on your front end, and can let you
00:08:18 know as soon as your site or project goes down through its amazing uptime monitoring system.
00:08:23 So go ahead and check out Better Stack today!