Claw Hunter is an open-source security tool (MDM) by Backslash Security, designed to detect, audit & secure OpenClaw/Moltbot shadow AI agents across macOS, Linux & Windows endpoints.
</h1>
<p align="center">
<strong>Let us guess, your developers are not running OpenClaw, are they?</strong>
</p>
<p align="center">
<b>Claw Hunter</b> is a discovery and risk-assessment tool for <b>OpenClaw</b> (formerly known as Clawdbot and Moltbot) instances. It identifies "Shadow AI" and audits agent privileges. It lets you (the user) ensure that your user endpoints, data and network are not compromised by unauthorized access.
</p>
<p align="center">
<a href="https://backslash.security/">
<picture>
<source media="(prefers-color-scheme: light)" srcset="./icon-white.png" width="300">
<img width="300" alt="Backslash Security" src="./icon-black.png" >
</picture>
</a>
</p>
Why it matters for Security Teams
In the 2026 landscape, autonomous agents like OpenClaw operate as high-privilege service accounts. While they boost productivity, they often bypass standard IAM policies, creating "Shadow AI" instances that can execute shell commands and move data across your network.
Claw Hunter is purpose-built for ITSec teams to detect:
macOS / Linux:
```bash
# Download and run
curl -O https://raw.githubusercontent.com/backslash-security/Claw-Hunter/main/claw-hunter.sh
chmod +x claw-hunter.sh
./claw-hunter.sh
```
Windows:
```powershell
# Download and run
Invoke-WebRequest -Uri https://raw.githubusercontent.com/backslash-security/Claw-Hunter/main/claw-hunter.ps1 -OutFile claw-hunter.ps1
.\claw-hunter.ps1
```
```
./claw-hunter.sh [OPTIONS]

Options:
  --json                  Print JSON output to terminal (stdout)
  --json-path <file>      Save JSON results to this file path
  --mdm                   MDM mode: silent execution with JSON output
  --upload-url <url>      Upload JSON results to this URL
  --api-key-file <file>   File containing API key for authentication
  --log-file <file>       Write logs to this file
  -h, --help              Show help message
```
MDM Mode:
Silent execution designed for automated deployment via MDM platforms.
- Suppresses terminal output (errors go to stderr)
- Writes JSON to /var/log/claw-hunter.json (Unix) or C:\ProgramData\claw-hunter.json (Windows)
- Logs to corresponding .log file
- Returns proper exit codes for automation
Examples
```bash
# Interactive mode with terminal output
./claw-hunter.sh

# Save results to JSON file
./claw-hunter.sh --json-path /tmp/audit-results.json

# Print JSON to stdout
./claw-hunter.sh --json

# MDM deployment with upload
sudo ./claw-hunter.sh --mdm --upload-url https://api.example.com/audits --api-key-file /etc/audit-key

# MDM with custom paths
sudo ./claw-hunter.sh --mdm --json-path /custom/audit.json --log-file /var/log/custom.log
```
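The MDM examples above run a script fetched from the `main` branch as root and hand it an API key file, so a deployment wrapper can check both before executing. The following is an added example, not part of the Claw Hunter project: the function names are hypothetical, and `EXPECTED_SHA256` is a placeholder for the digest of the copy you reviewed.

```bash
#!/usr/bin/env bash
# Added example: pre-flight checks before running claw-hunter.sh from an MDM agent.
# EXPECTED_SHA256 is a placeholder; set it to the digest of the reviewed script.
EXPECTED_SHA256="${EXPECTED_SHA256:-REPLACE_WITH_REVIEWED_SHA256}"

# Print the SHA-256 of a file with whichever tool the platform provides.
sha256_of() {
  if command -v sha256sum >/dev/null 2>&1; then
    sha256sum "$1" | awk '{print $1}'        # Linux
  else
    shasum -a 256 "$1" | awk '{print $1}'    # macOS
  fi
}

# Succeed only if the file exists and its digest equals the pinned one.
verify_script() {  # usage: verify_script <file> <expected-sha256>
  [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
  [ "$(sha256_of "$1")" = "$2" ] || { echo "digest mismatch: $1" >&2; return 1; }
}

# Succeed only if the API key file grants nothing to group or other.
key_file_is_private() {  # usage: key_file_is_private <file>
  [ -f "$1" ] || { echo "missing: $1" >&2; return 2; }
  # GNU stat first, BSD stat (macOS) as the fallback.
  case "$(stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1")" in
    *00) return 0 ;;
    *) echo "$1 is readable by group/other; chmod 600 it" >&2; return 1 ;;
  esac
}

# Run the audit in MDM mode only when both checks pass.
run_audit() {  # usage: run_audit <script> <upload-url> <api-key-file>
  verify_script "$1" "$EXPECTED_SHA256" || return
  key_file_is_private "$3" || return
  "$1" --mdm --upload-url "$2" --api-key-file "$3"
}
```

Called as `run_audit ./claw-hunter.sh https://api.example.com/audits /etc/audit-key`, it refuses to run when the script has changed since review or the key file is readable by other accounts.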
Distributed under the MIT License. See the LICENSE file for details.
Legal Disclaimer
Claw Hunter is an independent security research tool. We are not affiliated, associated, authorized, endorsed by, or in any way officially connected with OpenClaw (formerly Moltbot) or any of its subsidiaries or its affiliates. The name OpenClaw as well as related names, marks, emblems, and images are registered trademarks of their respective owners.
Disclaimer
This tool performs read-only security audits and does not modify system configurations. Always test in a non-production environment first. The tool detects potential security issues but does not make judgments about your specific security requirements. <br/>
Security Considerations - What the audit detects and why
Contact & Support
For security disclosures, enterprise support, or general inquiries, please reach out to the team.