Secure Your Moltbot in 15 Minutes: 8 Essential Steps
This guide explains why an open Moltbot gateway is dangerous, describes prompt‑injection risks, and provides a concise 15‑minute workflow with eight concrete configuration changes, sandboxing tips, and verification steps to lock down the bot.
Why This Guide Exists
When a Moltbot gateway is bound to 0.0.0.0 without authentication, anyone who discovers the IP can send messages that the bot will execute—running commands, reading files, or opening browsers. Public scans have found hundreds of such exposed instances, and even trusted inputs can carry malicious prompts (prompt injection) that cause the bot to leak secrets.
Quick 8‑Item Checklist
Gateway bind : set gateway.bind: "loopback" and avoid 0.0.0.0 or LAN bindings.
Gateway authentication : use gateway.auth.mode: "token" or "password" with rotatable credentials.
No public ports for remote access : use Tailnet or SSH tunnels to bring remote users back into the internal network.
Run regular security audits : moltbot security audit --deep --fix after any configuration change.
DM default pairing/allowlist : strangers cannot trigger the bot.
Group chats require @ mention : the bot acts only when it is explicitly mentioned, and only in allowed groups.
Tool permissions by blast radius : restrict exec, browser, and file‑write tools to the personal agent.
Protect local directory : tighten permissions on ~/.moltbot, mask logs, and scrub sensitive data before sharing.
Moltbot Is Not Just a Chat Tool
Unlike ordinary chatbots that only “say the wrong thing,” Moltbot can execute commands, read/write files, control a browser, and integrate with messaging platforms, meaning any message source can become an attack vector. Security therefore starts with controlling who can trigger the bot, then limiting what the bot can do, and finally hardening the model.
Risk‑Chain Diagram
We need to protect the chain at points B and D, treating all external content as untrusted input.
15‑Minute Lock‑down Process
1. Run a security audit
Before changing anything, run:
moltbot security audit
moltbot security audit --deep
Focus on three categories:
Network exposure : loopback binding, authentication, no unnecessary public ports.
DM/group policy : open vs. pairing vs. allowlist.
Browser control : token protection, HTTP exposure, network trust.
If you just want to “stop the bleeding,” let the audit fix issues automatically:
moltbot security audit --deep --fix
The --fix flag tightens open policies, re‑enables log redaction, and restricts permissions on sensitive directories.
2. Bind the gateway to loopback
Replace the insecure configuration with a gateway block like this (loopback bind, fixed port, token auth):
{
"gateway": {
"bind": "loopback",
"port": 18789,
"auth": { "mode": "token", "token": "your-long-random-token" }
}
}
Never expose the gateway to 0.0.0.0 without strong authentication.
3. Strong, rotatable authentication
Choose token or password with a long random secret and a process to rotate it when compromised:
Generate a new secret.
Restart the gateway.
Update client configurations.
Verify the old secret no longer works.
Do not reuse the browser‑control token with the gateway token.
4. Remote access via tunnels
Do not open public ports. Use Tailnet (e.g., Tailscale Serve) or SSH tunnels to bring remote users back into the internal network. If you must run on a VPS, treat it as production: firewall whitelist, strong auth, minimal permissions, monitoring, and incident response.
5. Disable mDNS broadcasting
Even without a public port, mDNS can leak CLI paths, SSH ports, and hostnames. Disable it by setting the mode to "minimal" (or "off"):
{
"discovery": {
"mdns": { "mode": "minimal" }
}
}
or set the environment variable:
MOLTBOT_DISABLE_BONJOUR=1
6. Lock down who can DM the bot
Use one of the four DM policies:
pairing : strangers must provide a pairing code (recommended default).
allowlist : only whitelisted users can DM.
open : anyone can DM (avoid unless you fully understand the risk).
disabled : completely reject DMs.
Manage pairings via CLI:
moltbot pairing list <channel>
moltbot pairing approve <channel> <code>
For multi‑user DMs, enable session isolation:
{
"session": { "dmScope": "per-channel-peer" }
}
7. Group‑chat policies
Require an @ mention and restrict allowed groups:
{
"channels": {
"whatsapp": {
"groups": { "*": { "requireMention": true } }
},
"telegram": {
"groups": { "*": { "requireMention": true } }
}
}
}
This reduces the attack surface from “anyone who can speak” to “only mentioned users in approved groups.”
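As an added illustration (not Moltbot's own code), the following Python model shows how the DM policies of step 6 and the group rules of step 7 gate an inbound message. The dmPolicy and requireMention keys and the "*" wildcard follow this guide; the allowFrom key, the pairing store and the Message fields are assumptions.

```python
import json
from typing import Optional, Tuple
from dataclasses import dataclass

# Constructed config fragment mirroring this guide's channel settings.
# "allowFrom" (explicit allowlist) is an assumed key; dmPolicy/requireMention/"*" come from the guide.
CONFIG = json.loads("""{
  "channels": {
    "telegram": {"dmPolicy": "pairing", "allowFrom": ["alice"],
                 "groups": {"*": {"requireMention": true}}},
    "whatsapp": {"dmPolicy": "allowlist", "allowFrom": ["bob"], "groups": {}}
  }
}""")

# Hypothetical pairing state: codes issued to strangers but not yet approved by the operator.
PENDING_CODES = {"telegram": {"7F3K9Q"}}
PAIRED = {"telegram": set(), "whatsapp": set()}

@dataclass
class Message:
    channel: str
    sender: str
    text: str
    group: Optional[str] = None          # None means a direct message
    mentions_bot: bool = False
    pairing_code: Optional[str] = None

def should_trigger(msg: Message, cfg: dict = CONFIG) -> Tuple[bool, str]:
    """Decide whether the bot may act on msg; returns (decision, reason)."""
    ch = cfg["channels"].get(msg.channel)
    if ch is None:
        return False, "channel not configured"
    if msg.group is not None:                          # group chat: step 7 rules
        groups = ch.get("groups", {})
        rule = groups.get(msg.group) or groups.get("*")  # explicit entry, else wildcard
        if rule is None:
            return False, "group not allowed"
        if rule.get("requireMention", True) and not msg.mentions_bot:
            return False, "@mention required"
        return True, "mentioned in approved group"
    policy = ch.get("dmPolicy", "pairing")             # direct message: step 6 rules
    if policy == "disabled":
        return False, "DMs disabled"
    if policy == "open":
        return True, "open DM policy"
    known = set(ch.get("allowFrom", [])) | PAIRED.get(msg.channel, set())
    if msg.sender in known:
        return True, f"sender known under {policy} policy"
    if policy == "pairing" and msg.pairing_code in PENDING_CODES.get(msg.channel, set()):
        return False, "pairing code received; awaiting operator approval"
    return False, f"stranger rejected by {policy} policy"
```

Note that a valid pairing code by itself never triggers the bot; the sender becomes known only after the operator approves the code.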
8. Tool permissions by blast radius
Classify tools into high, medium, and low risk:
High risk : exec, browser, file‑write tools.
Medium risk : read (may expose keys), web_fetch/web_search.
Low risk : pure summarisation or retrieval.
Apply a simple policy:
Personal agent gets high‑risk tools (with sandbox or approval).
“Reader” agent only fetches web content and never runs exec or browser.
Public/team agents are read‑only, with high‑risk tools blocked via allow/deny lists.
Sandboxing tools
Run tools inside Docker sandboxes. Example configuration starts with mode: "non-main" and can be upgraded later:
{
"agents": {
"defaults": {
"sandbox": {
"mode": "non-main",
"scope": "session",
"workspaceAccess": "none"
}
}
}
}
Avoid the escape hatch tools.elevated unless absolutely necessary, and keep its allowlist extremely narrow.
Browser control as a remote admin API
If you must enable browser control, follow these safeguards:
Use an isolated profile, not your daily browsing profile.
Require token authentication for the control endpoint.
Expose the endpoint only on trusted networks (e.g., Tailnet).
Inject the token via environment variables, never store it on disk.
Protect local data
The ~/.moltbot directory stores configs, credentials, session transcripts, plugins, and sandbox residues. Tighten its permissions so only the current user can read/write, mask sensitive logs, and scrub transcripts before sharing.
Verify the lock‑down
Security audit reports clean: moltbot security audit --deep shows no high‑severity items.
Gateway not reachable from the internet.
Entry policies effective: strangers cannot DM, groups require @, high‑risk tools unavailable to non‑personal agents.
The goal is that even if prompt injection occurs, the damage is bounded.
If an incident occurs
Stop the gateway or disable high‑risk tools (exec, browser).
Temporarily set DM policy to disabled or allowlist.
Re‑bind the gateway to loopback.
Then rotate gateway tokens, browser tokens, API keys, and OAuth credentials. Review recent session transcripts for suspicious tool calls, check extensions/ for untrusted plugins, and run another deep audit.
Minimal Reproducible Baseline
The following configuration balances security and usability. Use environment variables for tokens to avoid plaintext storage.
{
"gateway": {
"bind": "loopback",
"port": 18789,
"auth": { "mode": "token", "token": "${MOLTBOT_GATEWAY_TOKEN}" }
},
"discovery": { "mdns": { "mode": "minimal" } },
"session": { "dmScope": "per-channel-peer" },
"agents": { "defaults": { "sandbox": { "mode": "non-main", "scope": "session", "workspaceAccess": "none" } } },
"channels": {
"whatsapp": { "dmPolicy": "pairing", "groups": { "*": { "requireMention": true } } },
"telegram": { "dmPolicy": "pairing", "groups": { "*": { "requireMention": true } } }
}
}
Key points: inject tokens via environment, enable per‑channel DM isolation if needed, start sandboxing with non-main, and upgrade later as required.
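To check that a configuration file actually satisfies the checklist before and after a change (the "Verify the lock‑down" section above), here is an added Python linter run over a copy of the baseline; it is example code, not the moltbot security audit command. The key paths it reads are the ones shown in this guide; treating tools.elevated as a config key and 32 characters as a minimum plaintext token length are assumptions.

```python
import json, os

# Constructed copy of this guide's hardened baseline (example data, not a real deployment).
BASELINE = json.loads("""{
  "gateway": {"bind": "loopback", "port": 18789,
              "auth": {"mode": "token", "token": "${MOLTBOT_GATEWAY_TOKEN}"}},
  "discovery": {"mdns": {"mode": "minimal"}},
  "session": {"dmScope": "per-channel-peer"},
  "agents": {"defaults": {"sandbox": {"mode": "non-main", "scope": "session", "workspaceAccess": "none"}}},
  "channels": {
    "whatsapp": {"dmPolicy": "pairing", "groups": {"*": {"requireMention": true}}},
    "telegram": {"dmPolicy": "pairing", "groups": {"*": {"requireMention": true}}}
  }
}""")

def get(cfg, path, default=None):
    """Walk a dotted path such as 'gateway.auth.mode'; return default if any segment is missing."""
    for key in path.split("."):
        if not isinstance(cfg, dict) or key not in cfg:
            return default
        cfg = cfg[key]
    return cfg

def audit(cfg: dict) -> list:
    """Return one finding per violated checklist item; an empty list means the config passes."""
    findings = []
    if get(cfg, "gateway.bind") != "loopback":
        findings.append("gateway.bind is not loopback")
    mode, token = get(cfg, "gateway.auth.mode"), get(cfg, "gateway.auth.token", "") or ""
    if mode not in ("token", "password"):
        findings.append("gateway.auth.mode must be token or password")
    elif mode == "token" and not token.startswith("${") and len(token) < 32:   # assumed minimum
        findings.append("gateway.auth.token is short plaintext; inject via ${ENV_VAR} or use >=32 chars")
    if get(cfg, "discovery.mdns.mode") not in ("minimal", "off"):
        findings.append("discovery.mdns.mode should be minimal or off")
    if get(cfg, "agents.defaults.sandbox.mode") is None:
        findings.append("agents.defaults.sandbox.mode unset; start with non-main")
    if get(cfg, "tools.elevated") is not None:            # assumed location of the escape hatch
        findings.append("tools.elevated is configured; keep its allowlist narrow or remove it")
    for name, ch in get(cfg, "channels", {}).items():
        if ch.get("dmPolicy", "pairing") == "open":
            findings.append(f"channels.{name}.dmPolicy is open")
        for gname, rule in ch.get("groups", {}).items():
            if not rule.get("requireMention", False):
                findings.append(f"channels.{name}.groups.{gname} does not require @mention")
    return findings

if __name__ == "__main__":
    path = os.environ.get("MOLTBOT_CONFIG")   # optional: lint a real file instead of the baseline
    cfg = json.load(open(path)) if path else BASELINE
    for line in audit(cfg) or ["clean: no checklist violations"]:
        print(line)
```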
Architect
Professional architect sharing high‑quality architecture insights. Topics include high‑availability, high‑performance, high‑stability architectures, big data, machine learning, Java, system and distributed architecture, AI, and practical large‑scale architecture case studies. Open to ideas‑driven architects who enjoy sharing and learning.