TL;DR: Julius v1.2.0 nearly doubles probe coverage from 17 to 33, adding detection for self-hosted inference servers, AI gateways, and RAG/orchestration platforms like Dify, Flowise, and KoboldCpp. The headline addition is OpenClaw, a fast-growing AI agent gateway where exposed instances leak API keys, grant filesystem access, and allow full user impersonation. Update Julius and run it against your network to find AI infrastructure you didn’t know was exposed.
When we first open-sourced Julius, it shipped with 17 probes covering the most common LLM services we encountered during security assessments: Ollama, vLLM, LiteLLM, and the usual suspects. That was a solid starting point, but the AI infrastructure landscape moves fast, and our probe coverage needed to keep up.
Over the past few weeks, we’ve (nearly) doubled that number. Julius now ships with 33 probes, each QA’d against live instances and tested for false positives.
What's new in v1.2.0
This release adds 16 new probes, covering popular self-hosted inference servers, gateways, and RAG/orchestration platforms:
- Self-hosted: Aphrodite Engine, FastChat Controller, GPT4All, Jan, KoboldCpp, TabbyAPI, Text Generation WebUI
- Gateway: Envoy AI Gateway
- RAG/Orchestration: AstrBot, Dify, Flowise, HuggingFace Chat UI, LobeHub, NextChat, Onyx, OpenClaw
These fill gaps we were running into during engagements: clients spinning up Dify or Flowise for internal RAG pipelines, LobeHub as a chat frontend, or KoboldCpp for local inference. If it’s exposed, Julius should find it.
Why OpenClaw Matters
OpenClaw (also known by its earlier names, Clawdbot & Moltbot) has quickly become one of the more popular AI agent gateways and control planes. It gives teams a dashboard for managing agent workflows, routing, and orchestration. It’s showing up on more and more networks, and it’s a security problem.
What an attacker can do
An exposed OpenClaw instance, especially an outdated one, is an attractive target. By default, OpenClaw trusts connections from localhost and does not require them to authenticate. Older versions also lacked proper proxy header handling, so instances behind a reverse proxy treated all proxied traffic as local and skipped authentication entirely (fixed in PR 1795).
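The proxy-trust failure described above, as an added Go example (not OpenClaw's code and not the change made in PR 1795): NaiveIsLocal looks only at the socket peer, while HardenedIsLocal also honors X-Forwarded-For from an allowlisted proxy. The function names, the allowlist and the sample addresses are assumptions constructed for illustration.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

var trusted = map[string]bool{"127.0.0.1": true, "::1": true} // constructed allowlist: same-host proxy only

func peerIP(remoteAddr string) net.IP {
	host, _, _ := net.SplitHostPort(remoteAddr)
	return net.ParseIP(host) // nil on any parse failure
}

// NaiveIsLocal looks only at the socket peer. Behind a same-host reverse
// proxy the peer is always loopback, so every proxied request skips auth.
func NaiveIsLocal(remoteAddr string) bool {
	ip := peerIP(remoteAddr)
	return ip != nil && ip.IsLoopback()
}

// HardenedIsLocal skips auth only for a loopback peer with no X-Forwarded-For.
// A header from a trusted proxy is walked right to left to find the client.
func HardenedIsLocal(remoteAddr, xff string) (client string, local bool) {
	peer := peerIP(remoteAddr)
	if peer == nil {
		return "", false
	}
	if xff == "" || !trusted[peer.String()] {
		return peer.String(), peer.IsLoopback() // header absent or sender untrusted
	}
	hops := strings.Split(xff, ",")
	for i := len(hops) - 1; i >= 0; i-- {
		ip := net.ParseIP(strings.TrimSpace(hops[i]))
		if ip == nil {
			return "", false // malformed chain: fail closed
		}
		if !trusted[ip.String()] {
			return ip.String(), false // nearest hop that is not a trusted proxy
		}
	}
	return peer.String(), false // only proxies listed: forwarded, so not local
}

func main() {
	fmt.Println(NaiveIsLocal("127.0.0.1:41234")) // true: proxied request looks local
	fmt.Println(HardenedIsLocal("127.0.0.1:41234", "127.0.0.1, 203.0.113.7"))
}
```

The hardened check depends on the reverse proxy always setting X-Forwarded-For; a proxy that omits the header would still make every request look local.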
Credential and secret theft: OpenClaw stores API keys, OAuth tokens, and service passwords locally, sometimes in plaintext. Researchers examining exposed instances found Anthropic API keys, Telegram bot tokens, Slack OAuth credentials, and complete conversation histories sitting in the open.
Filesystem access: The exposed gateway lets an attacker read files from the local filesystem, such as SSH keys or browser profiles. This turns an exposed dashboard into a potential pivot point for internal access.
Full impersonation of the user: Because OpenClaw agents are designed to operate on behalf of users, an attacker inheriting the agent’s session can send messages on platforms like Telegram, Discord, and Slack, access email, and trigger additional agent actions. Researchers demonstrated sending messages as the victim and executing commands with system administrator privileges.
This is why discovery matters. You can’t secure what you don’t know about.
What this means for your assessments
Julius now detects all three OpenClaw branding variants: OpenClaw Control, Moltbot Control, and Clawdbot Control. This covers both current deployments and legacy instances that were stood up before the rebrand.
If you’re running Julius as part of your attack surface discovery workflow, just update to the latest release. All 33 probes are embedded in the binary, so no external config is needed.
$ go install github.com/praetorian-inc/julius/cmd/julius@latest
$ julius probe <target>
We’re continuing to add probes as new LLM infrastructure tools hit the market. If there’s a service you’re seeing in the wild that Julius doesn’t cover yet, open an issue or submit a PR. The probe format is a plug-n-play YAML file, and we’d be happy to increase our coverage!
FAQ
What’s the difference between Julius and model fingerprinting tools? Model fingerprinting identifies which LLM generated a piece of text. Julius identifies the server infrastructure: what software is running on the endpoint. Think of it as service detection for AI, similar to what Nmap does for traditional services.
Does Julius send anything malicious? No. Julius sends standard HTTP requests (GET to known paths) and analyzes the responses. It doesn’t exploit vulnerabilities, submit prompts, or modify anything on the target. It’s passive fingerprinting.
How do probes get validated before release? Every probe is tested against live instances of the target service and cross-tested against other LLM services to confirm zero false positives.
Can I add detection for a service Julius doesn’t support yet? Yes. Probes are defined in simple YAML files. The contributing guide walks through the format, and you can test locally with julius validate ./probes before submitting a PR.
How does Julius handle services that rebrand or fork? We build probes that detect all known variants. The OpenClaw probe, for example, matches three distinct branding variants (OpenClaw, Moltbot, Clawdbot) so that legacy installations are still identified even if they were deployed under a previous name.
