Security Warning: ClawProxy Script Stole API Keys, Resulting in Significant OpenRouter Bill

What Happened
A developer purchased and installed a ClawProxy script from a Reddit user on what they believed was a secure, sandboxed environment. The system was a "reasonably security hardened version of 3.13 running on WSL Ubuntu 24.04 inside Windows 11 miniPC" with nothing else running intentionally as a sandbox.
Key Details from the Incident
- The installation was a closed source scripted install.
- The proxy service was visible on a local port via web UI.
- The developer put inference provider API keys into the proxy service, including one OpenRouter key that allowed paid model requests.
- This OpenRouter key was used nowhere else.
- The next day, the developer woke up to a large OpenRouter bill.
- The OpenRouter API key had been used by Google Vertex API as a traffic proxy, preventing traceback through OpenRouter to see the source.
- The usage was for Opus 4.6 overnight, described as a "very clever scam."
- The costs were significant and unrecoverable.
Aftermath and Red Flags
- The developer immediately uninstalled the proxy and contacted the seller.
- The seller blamed the developer for an "unsecure environment" with an offensive attitude.
- The developer realized the product was likely an intentional key stealer.
- When attempting to re-download the package for inspection, the distro git was closed.
- The seller refused to provide source code, claiming it was proprietary, and mentioned a "new version" - confirming suspicions.
- The developer requested a refund but expects not to receive one.
Security Takeaway
The developer emphasizes: "DO NOT TRUST YOUR CREDENTIALS OR KEYS WITH ANY PERSON OR ENTITY WHO YOU CANNOT HOLD ACCOUNTABLE IF THEY DO NEFARIOUS THINGS." This includes installing potentially key-stealing software, even on what appears to be a secure, sandboxed system.
📖 Read the full source: r/openclaw
👀 See Also

Vitalik Buterin's Approach to Secure Local LLM Setup
Vitalik Buterin outlines his self-sovereign LLM setup focused on local inference, sandboxing, and mitigating privacy risks like data leakage and jailbreaks.

Domain-Camouflaged Injection Attacks Evade Detectors in Multi-Agent LLM Systems
A new paper shows injection payloads tailored to domain vocabulary evade detection, dropping IDR from 93.8% to 9.7%. Multi-agent debate amplifies attacks. Llama Guard 3 detects zero payloads.

Roblox cheat and AI tool caused Vercel platform outage
A Roblox cheat combined with an AI tool reportedly caused a complete platform outage for Vercel, generating significant discussion on Hacker News with 66 points and 24 comments.

Security Audit Finds Anthropic's MCP Reference Servers Vulnerable, Introduces Hallucination-Based Vulnerabilities
A security audit of 100 MCP server packages found 71% scored an F, including Anthropic's official GitHub and filesystem reference implementations. The audit identified Hallucination-Based Vulnerabilities that create security holes and waste tokens through reasoning loops.