Clawdbot, Business Logic and Coffee

Aituglo public
4 min read
Clawdbot, Business Logic and Coffee

Table of contents

I've always dreamt about having my personal assistant. Back in 2014, I developed my assistant called Onyx, AI wasn't a hype, and it was impossible to have something reliable.

It was quite simple, a bunch of Python files and a nice dashboard to help me manage my tasks, turn off my lights and basic stuff. I even had a chatbot that was looking for specific words to do tasks. It was bad, but back at that time, it was normal.

I tried to build this project each year since then, and now, it's very different with all the LLM, claude and stuff. So I decided to take a look at what is currently possible. And I tried the recent hype about Clawdbot, and here is my review of it.

Clawdbot

There is a huge hype about this project: https://clawd.bot/

I'm sure your TL on X is full of that, but is it worth the hype? Let's first talk about security. It's basically an RCE as a service. It's so simple to get a prompt injection on it and get pwned. But now there are more and more settings to avoid that, but still.

Considering the security, I was like, Why install it ? But I have a useless minipc, so I can just install it on it without any access and see if it can be worth the hype. And that's what I did. I installed the latest Ubuntu and set up the project.

I did it the best way to avoid doing mistake, and as this is a brand new computer without any access or personal data, in my opinion, it's good.

It's very easy to install it, and I took a phone number to install WhatsApp for it and have a proper setup. And damn, it's quite amazing.

I used Claude Code a lot this past week, and it was amazing, but here it's quite different. The main difference is that the bot can talk to you without you asking anything. This way, you can launch scans, or tasks and do anything else, and it will come back when it's done.

Another difference is that you can create different agents with different capabilities to do different tasks, and spawn them easily, simply from WhatsApp.

I know that all of that was already possible using a bunch of Python tools and stuff, but here it's so easy to use.

So I wanted to try something quite boring for me, build a recon framework, without touching my computer. So, from WhatsApp, going to the gym, I asked him to set up a bunch of different agents and create the best possible framework to do bug bounty recon.

During my reps at the gym, I got messages telling me or asking me questions about the setup. And in the background, on this computer, it installed a bunch of tools, Docker and so on, and built a framework for recon, with a database and a dashboard to view the results. At the end of my sport sessions, I was able to ask directly "Launch a scan for hostinger.com", and before being at home, I got a message telling me it was done, and I got a bunch of subdomains, alive hosts and stuff that I asked.

I was totally amazed by that. It took less than an hour to do all of that. And to be honest, I already built a lot of recon framework, but it was way longer than that.

It's great, but there are a lot of caveats as well:

  • You give total access to your machine, with so many permissions
  • You will never take a look at the generated code, as you are lazy
  • You rely on stuff you don't really understand
  • It's fucking insecure from a cyber perspective
  • It can cost a lot, in only a morning, I finished all my codex credits and Claude credit ( I'm on the basic $20 plan )

But, on the other side, it's really fun and useful. And taking it differently and putting it on a machine only for that, without any other access or stuff reduce the risk of being pwned.

So using it for fun, and doing boring tasks without connecting it to your real data can be really helpful. I think I will continue digging it and use it as an assistant from now on. I will tell you if it's really helpful.

Business Logic

I always struggle to define myself in bug hunting and finding my specialisation. During this month, I did a bunch of pentests and dig big programs.

And what I've found really fun doing is just digging into functionalities, and really understanding how it should work at first and how I can change the behaviour. Using different gadgets, building a chain and having a big, interesting bug is what I enjoy the most.

But this is not a specific type of vulnerability. Using a bunch of gadgets is not really only client-side or server-side, but it's mostly about really understanding the target and getting the most out of it. And I think that's where I can focus more, especially on bigger targets.

Coffee

It's now been 1 or 2 years since I've been a huge fan of coffee and especially lattes. I love travelling and discovering new coffee shops, and working there.

Since I live in Paris, I bought a nice DeLonghi Specialista Arte to make my own latte and train my latte art. It's been a year since I got it, and I think I'm getting better and better at it.

I'm watching a lot of different videos to understand how to make the best expression, you need a specific 1:2 ratio, and use a bunch of geek tools. I love digging this kind of subjects and be a beast at it.

And recently, I think I found something new to make a really good espresso and a really good latte art, and I'm pretty proud of that. Here is one I love :

My favourite latte art I made

In a few years, I will probably open my own coffee shop on the side, just for fun. But before that, I still need to master bug hunting!

Linkedin A solid styled icon from Orion Icon Library.
Aituglo

Aituglo

Paris
The author of this blog, a bug bounty hunter and security researcher that shares his thoughts about the art of hacking.

Recommendations