⚠ Active exploits targeting Moltbot users — Feb 2026
Your AI agent is running naked. Give it armor.
BlastCage isolates your AI agent's execution from your credentials, memory, and files
using hardware-separated Clean/Dirty zone architecture. Open source core.
Full shell access, browser credentials, API keys stored in plaintext, persistent memory
that can be poisoned — and hundreds of admin panels exposed to the internet without authentication.
CVE-2026-25253 / CVE-2026-25157
Remote Code Execution
Chained vulnerabilities allow attackers to execute arbitrary commands on the host with user-level permissions.
CREDENTIAL EXPOSURE
Plaintext Secrets
API keys, OAuth tokens, and user profiles stored in plaintext Markdown and JSON files under ~/.clawdbot/
PERSISTENT MEMORY
Delayed Poison Attacks
Malicious instructions hidden in a forwarded WhatsApp message persist in memory for weeks, enabling delayed multi-turn attack chains.
SUPPLY CHAIN
Malicious Skills
Hundreds of backdoored skills on ClawHub. One proof-of-concept was downloaded by 16 developers in 7 countries within 8 hours.
The Solution
Separate what's dangerous from what's valuable.
BlastCage splits your agent into isolated zones. Even if the execution environment is fully
compromised, your credentials, memory, and completed work remain untouched.
Server B — Clean Zone
No external network interface. All data encrypted at rest. Credentials managed by Vault with HSM keys.
Server A — Dirty Zone
⚠️ Assumed compromised at all times. No persistent state. No long-lived credentials. Destroyed after each task.
Agent Runtime · Web/API Access · Temp Workspace
Attack Coverage
What we stop — and what we can't.
We're transparent about our coverage. No security product stops everything.
Our goal is reducing the blast radius from total system compromise to a single ephemeral session.
| Attack Vector | Default Moltbot | With BlastCage | How |
|---|---|---|---|
| Exposed admin panels | VULNERABLE | BLOCKED | B has no external ports. A has no persistent admin UI. |
| Plaintext credential theft | VULNERABLE | BLOCKED | Credentials in encrypted Vault on B. A only gets short-lived tokens. |
| Auth bypass via reverse proxy | VULNERABLE | BLOCKED | B exposes zero network ports. No auth to bypass. |
| Persistent memory poisoning | VULNERABLE | BLOCKED | A has no persistent memory. Memory lives in B, unreachable from A. |
| Info-stealer malware | VULNERABLE | BLOCKED | Nothing to steal on A. No credentials, no history, VM destroyed after task. |
| RCE (CVE-2026-25253) | FULL COMPROMISE | CONTAINED | RCE lands in ephemeral sandbox with no credentials and allowlist egress. |
| Malicious skills/plugins | FULL COMPROMISE | CONTAINED | Malicious code runs in sandbox. Cannot reach B's data or exfiltrate to non-allowlisted hosts. |
| Indirect prompt injection | FULL COMPROMISE | MITIGATED | Cannot prevent injection, but blast radius limited to single session with no credentials. |
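As an added example, not BlastCage's own code, here is a small Python model of the mechanisms the table relies on: Server B keeps the long-lived secrets and issues only short-lived, task-scoped tokens to Server A, A's outbound traffic is checked against a deny-by-default allowlist, and the session on A is destroyed at task end. The allowlist hosts, the token format and the placeholder secret are constructed for the example.

```python
import hashlib
import hmac
import secrets
from urllib.parse import urlparse

# Constructed egress allowlist for the Dirty zone (A): deny by default, exact hostnames only.
EGRESS_ALLOWLIST = frozenset({"api.example.com", "registry.example.org"})

def egress_allowed(url: str, allowlist=EGRESS_ALLOWLIST) -> bool:
    """Egress filter as applied to A: https only, hostname must match the allowlist exactly."""
    parsed = urlparse(url)
    return parsed.scheme == "https" and parsed.hostname in allowlist

class CleanZone:
    """Server B: holds the long-lived secrets and the signing key; neither is ever handed to A."""

    def __init__(self):
        self._signing_key = secrets.token_bytes(32)           # would sit in Vault/HSM on B
        self._long_lived = {"github_pat": "PLACEHOLDER_PAT"}  # constructed; never leaves B
        self.memory = []                                       # persistent memory lives here, not on A

    def issue_task_token(self, task_id: str, scope: str, now: int, ttl_s: int = 300) -> str:
        """Mint a short-lived, task-scoped bearer token; the secret it stands in for stays on B."""
        body = f"{task_id}|{scope}|{now + ttl_s}"
        tag = hmac.new(self._signing_key, body.encode(), hashlib.sha256).hexdigest()
        return f"{body}|{tag}"

    def token_valid(self, token: str, now: int) -> bool:
        """B checks signature and expiry on every use; A cannot mint, extend or forge tokens."""
        try:
            task_id, scope, exp, tag = token.split("|")
        except ValueError:
            return False
        expected = hmac.new(self._signing_key, f"{task_id}|{scope}|{exp}".encode(), hashlib.sha256).hexdigest()
        return hmac.compare_digest(expected, tag) and exp.isdigit() and now < int(exp)

class DirtyZoneSession:
    """Server A: assumed compromised; holds only the task token and scratch files for one task."""

    def __init__(self, token: str):
        self.token = token
        self.workspace = {}

    def attacker_reach(self) -> dict:
        """What a full compromise of A exposes: one expiring token and scratch files, nothing long-lived."""
        return {"token": self.token, "files": dict(self.workspace), "long_lived_secrets": {}, "memory": []}

    def destroy(self) -> None:
        """Task end: the container is torn down, so nothing on A persists."""
        self.token = None
        self.workspace.clear()
```

Against the table above: a stolen token stops working at expiry, a non-allowlisted host is refused before any exfiltration, and after destroy() there is nothing left on A to steal.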
⚡ Honest disclaimer
No architecture can fully prevent indirect prompt injection — it's a fundamental limitation of current LLM technology.
What we do is reduce the blast radius: a successful attack on a default Moltbot gives the attacker everything.
A successful attack through BlastCage gives them access to one ephemeral container with no credentials,
no memory, no files, and an egress allowlist — for the duration of a single task.
Pricing
Open source core. Managed option for everyone else.
The isolation architecture is fully open source. The managed service handles deployment,
updates, monitoring, and key management so you don't have to.