zaddy6/clawd-scan

Clawdbot Gateway No-Auth Scanner

Scan a list of targets for Clawdbot gateways that allow unauthenticated access to /tools/invoke. The script posts a gateway tool request and classifies each target based on the HTTP response and payload.

Requirements

  • Bun (the script uses the Bun runtime and fetch)

Usage

bun ./scan-unauth-gateways.ts <targets-file> [--concurrency=N]

Examples:

bun ./scan-unauth-gateways.ts ./clawdbot-targets.txt
bun ./scan-unauth-gateways.ts ./shodan.ndjson --concurrency=50

Input formats

The script supports two formats in the same file, one per line:

  1. Plain text ip:port
  2. Line-delimited JSON (Shodan-style)

Supported JSON shapes:

  • Standard Shodan entries with ip_str and port
  • mDNS discovery entries with mdns.services that include a key containing clawdbot
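The input handling described above, written out as an added TypeScript example; this is not the repository's own code. It assumes plain lines are IPv4 `ip:port`, that Shodan records carry `ip_str` and a numeric `port` at the top level, and that an mDNS entry is kept only when some key under `mdns.services` contains `clawdbot` (the exact shape of those entries is an assumption). Malformed lines are skipped rather than aborting the run, and duplicate targets are collapsed so a host listed both ways is scanned once.

```typescript
// Added example (not the repository's code): parse a mixed targets file with
// plain "ip:port" lines and Shodan-style NDJSON records on the same file.

interface Target {
  ip: string;
  port: number;
}

// Plain-text line, IPv4 only, e.g. "203.0.113.5:18789".
const PLAIN_RE = /^(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})$/;

function validPort(p: number): boolean {
  return Number.isInteger(p) && p >= 1 && p <= 65535;
}

// Parse one line. Returns null for blank/comment lines, malformed input, and
// JSON records that are not relevant (e.g. mDNS entries without a clawdbot service).
function parseTargetLine(line: string): Target | null {
  const s = line.trim();
  if (s === "" || s.startsWith("#")) return null;

  const m = PLAIN_RE.exec(s);
  if (m) {
    const port = Number(m[2]);
    return validPort(port) ? { ip: m[1], port } : null;
  }

  if (!s.startsWith("{")) return null;
  let rec: unknown;
  try {
    rec = JSON.parse(s);
  } catch {
    return null; // not valid JSON: skip the line, keep scanning the rest
  }
  if (typeof rec !== "object" || rec === null) return null;
  const r = rec as Record<string, unknown>;

  const ip = r["ip_str"];
  const port = r["port"];
  if (typeof ip !== "string" || typeof port !== "number" || !validPort(port)) return null;

  // Standard Shodan banner: ip_str + port is all we need.
  const mdns = r["mdns"];
  if (mdns === undefined) return { ip, port };

  // mDNS discovery entry (assumed shape: mdns.services is an object keyed by
  // service name). Keep it only if a service name mentions clawdbot.
  if (typeof mdns !== "object" || mdns === null) return null;
  const services = (mdns as Record<string, unknown>)["services"];
  if (typeof services !== "object" || services === null) return null;
  const hit = Object.keys(services as object).some((k) => k.toLowerCase().includes("clawdbot"));
  return hit ? { ip, port } : null;
}

// Parse whole file contents, de-duplicating ip:port pairs in first-seen order.
function parseTargets(text: string): Target[] {
  const seen = new Set<string>();
  const out: Target[] = [];
  for (const line of text.split(/\r?\n/)) {
    const t = parseTargetLine(line);
    if (!t) continue;
    const key = `${t.ip}:${t.port}`;
    if (seen.has(key)) continue;
    seen.add(key);
    out.push(t);
  }
  return out;
}

// Constructed sample input mixing both formats (documentation addresses only).
const SAMPLE_TARGETS_FILE = [
  "203.0.113.5:18789",
  '{"ip_str":"203.0.113.6","port":18789,"product":"unknown"}',
  '{"ip_str":"203.0.113.7","port":18789,"mdns":{"services":{"_clawdbot._tcp.local.":{}}}}',
  '{"ip_str":"203.0.113.8","port":5353,"mdns":{"services":{"_http._tcp.local.":{}}}}',
  "203.0.113.5:18789",
  "not a target",
].join("\n");
```

Running `parseTargets(SAMPLE_TARGETS_FILE)` yields three targets: the plain line, the standard Shodan record, and the clawdbot mDNS entry; the `_http` mDNS record, the duplicate, and the junk line are dropped.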

Output

Results are written to a JSON file next to the input:

  • If the input ends with .json, the suffix is stripped.
  • Otherwise the full name is kept.

Examples:

  • targets.json -> targets-scan-results.json
  • clawdbot-targets.txt -> clawdbot-targets.txt-scan-results.json

The output includes:

  • summary: totals by status
  • vulnerable: list of targets with status no_auth
  • allResults: full scan results with ip, port, status, optional details, and responseTime

Status codes

  • no_auth: Gateway accessible without authentication (vulnerable)
  • auth_required: 401 response, appears correctly protected
  • not_clawdbot: Target does not look like a Clawdbot gateway
  • error: Unexpected response or fetch error
  • timeout: Request exceeded the 5000ms timeout

How it detects unauthenticated access

The scanner sends:

POST http://<ip>:<port>/tools/invoke
{"tool":"gateway"}

It flags no_auth if it sees:

  • 200 with { "ok": true }
  • 404 with a tool not found error
  • 400 with error.type of tool_error
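The classification rules above, together with the result-file layout from the Output section, as an added TypeScript example with no network I/O; this is not the repository's code. A response is modelled as its HTTP status plus the parsed JSON body (`null` when the body was not JSON). The page does not say how "tool not found" is recognised or how `error` is shaped, so the example assumes `error` is either a string or an object with `type`/`message`, matches the message case-insensitively on "tool not found", and treats a 200 without `ok: true` or a 404 without that error as `not_clawdbot`; everything else unexpected is `error`.

```typescript
// Added example (not the repository's code): classify a reply to
// POST /tools/invoke {"tool":"gateway"} and assemble the results file.

type ScanStatus = "no_auth" | "auth_required" | "not_clawdbot" | "error" | "timeout";

interface ScanResult {
  ip: string;
  port: number;
  status: ScanStatus;
  details?: string;
  responseTime: number; // milliseconds
}

// Minimal view of an HTTP response: status code and parsed JSON body (or null).
interface ResponseView {
  status: number;
  body: unknown;
}

// Assumed error shape: body.error is a string or { type?, message? }.
function errorField(body: unknown): { type?: string; message?: string } | null {
  if (typeof body !== "object" || body === null) return null;
  const err = (body as Record<string, unknown>)["error"];
  if (typeof err === "string") return { message: err };
  if (typeof err !== "object" || err === null) return null;
  const e = err as Record<string, unknown>;
  return {
    type: typeof e["type"] === "string" ? (e["type"] as string) : undefined,
    message: typeof e["message"] === "string" ? (e["message"] as string) : undefined,
  };
}

function classifyResponse(res: ResponseView): { status: ScanStatus; details?: string } {
  const err = errorField(res.body);
  const okTrue =
    typeof res.body === "object" && res.body !== null &&
    (res.body as Record<string, unknown>)["ok"] === true;

  if (res.status === 401) return { status: "auth_required" };
  if (res.status === 200 && okTrue) return { status: "no_auth", details: "200 ok:true" };
  if (res.status === 404 && err?.message && /tool not found/i.test(err.message)) {
    return { status: "no_auth", details: "404 tool not found" };
  }
  if (res.status === 400 && err?.type === "tool_error") {
    return { status: "no_auth", details: "400 tool_error" };
  }
  // Assumption: a 200/404 that matched none of the gateway signatures is some other service.
  if (res.status === 200 || res.status === 404) return { status: "not_clawdbot" };
  return { status: "error", details: `unexpected HTTP ${res.status}` };
}

interface ScanReport {
  summary: Record<ScanStatus, number>;
  vulnerable: ScanResult[];
  allResults: ScanResult[];
}

function buildReport(results: ScanResult[]): ScanReport {
  const summary: Record<ScanStatus, number> =
    { no_auth: 0, auth_required: 0, not_clawdbot: 0, error: 0, timeout: 0 };
  for (const r of results) summary[r.status]++;
  return { summary, vulnerable: results.filter((r) => r.status === "no_auth"), allResults: results };
}

// Results file sits next to the input: strip a trailing ".json", else keep the full name.
function outputPathFor(inputPath: string): string {
  const base = inputPath.endsWith(".json") ? inputPath.slice(0, -".json".length) : inputPath;
  return `${base}-scan-results.json`;
}

// Constructed sample replies (documentation addresses), plus one timed-out target.
function runSample(): ScanReport {
  const replies: Array<{ ip: string; res: ResponseView; ms: number }> = [
    { ip: "203.0.113.1", res: { status: 200, body: { ok: true } }, ms: 120 },
    { ip: "203.0.113.2", res: { status: 401, body: { error: "unauthorized" } }, ms: 80 },
    { ip: "203.0.113.3", res: { status: 404, body: { error: { message: "tool not found: gateway" } } }, ms: 95 },
    { ip: "203.0.113.4", res: { status: 404, body: null }, ms: 60 }, // HTML 404 from some other server
    { ip: "203.0.113.5", res: { status: 500, body: null }, ms: 200 },
  ];
  const results: ScanResult[] = replies.map((r) => ({
    ip: r.ip, port: 18789, responseTime: r.ms, ...classifyResponse(r.res),
  }));
  results.push({ ip: "203.0.113.6", port: 18789, status: "timeout", responseTime: 5000 });
  return buildReport(results);
}
```

`runSample()` produces a report with two `no_auth` entries in `vulnerable`, and `outputPathFor` reproduces the two naming examples from the Output section.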

Notes and safety

  • Only scan systems you own or have explicit permission to test.
  • Concurrency defaults to 20; increase carefully to avoid rate limits or network noise.
