
OpenClaw Exposed Instances: The Complete Security Breakdown You Need to Read
OpenClaw exploded onto the AI scene and grabbed 150,000 GitHub stars almost overnight. But here’s the problem: security didn’t keep up with the hype. Researchers have now found over 40,000 OpenClaw instances sitting wide open on the public internet. That’s not a typo. Tens of thousands of AI agents are exposed right now, many with access to sensitive files, credentials, and internal systems.
This isn’t just about misconfiguration. It’s about what happens when powerful AI tools get deployed faster than people understand them. OpenClaw can read your files. It can access your messaging platforms. It can interact with your entire infrastructure. When something that capable is exposed to the internet, the attack surface isn’t just the AI model. It’s everything that AI can touch.
This article breaks down exactly what’s happening with OpenClaw exposed instances, why they matter, and what you can do about it.
What is OpenClaw and Why Did It Grow So Fast?
OpenClaw is an open-source AI agent framework. It’s not just a chatbot. It’s a system that can take actions on your behalf. Think of it as a digital assistant with actual hands.
The tool was previously known as Clawdbot and Moltbot before being rebranded. It lets users install third-party skills from a marketplace called ClawHub. These skills automate tasks on devices and systems.
The Appeal of Autonomous AI Agents
Traditional chatbots answer questions. OpenClaw does things. It can:
- Read and modify files on your system
- Access stored credentials
- Interact with messaging platforms like Slack or Discord
- Execute commands and scripts
- Connect to databases and APIs
- Manage calendar events and emails
That autonomy is exactly what made OpenClaw popular. People wanted AI that could actually work, not just talk. But that same autonomy created the security disaster we’re seeing now.
The Speed of Adoption Created a Blind Spot
OpenClaw went from zero to 150,000 GitHub stars in just days. That kind of growth is almost unheard of for open-source projects. For comparison, it took most popular tools months or years to hit those numbers.
When something grows that fast, security best practices can’t keep pace. People deployed OpenClaw because they were excited about what it could do. They didn’t stop to think about what could go wrong.
One Reddit user put it perfectly: “OpenClaw is a powerful tool, much in the same way as a table saw with no fence or an angle grinder with no handguard.”
That analogy captures the situation well. The tool itself isn’t inherently dangerous. But used without proper safety measures, it can cause serious damage.
Understanding the Technology Stack
OpenClaw runs as a local service that connects to various AI models. It uses a plugin architecture where skills extend its capabilities. Each skill gets access to whatever permissions OpenClaw itself has.
By default, the framework listens on port 3000 or 8080. When deployed without proper configuration, these ports can be reachable from anywhere on the internet.
The Model Context Protocol (MCP) is another piece of the puzzle. This protocol lets AI agents connect to external services. Bitsight’s research found that MCP servers themselves create additional exposure points.
The Shocking Numbers: How Many OpenClaw Instances Are Actually Exposed?
SecurityScorecard found 40,214 exposed OpenClaw instances in their research. That number keeps climbing. But let’s break down what these numbers actually mean.
SecurityScorecard’s Findings in Detail
The security vendor didn’t just count exposed instances. They correlated that data with other security information:
| Metric | Count | What It Means |
|---|---|---|
| Total Exposed Instances | 40,214+ | OpenClaw deployments accessible from the internet |
| Instances with Prior Breach Activity | 549 | Systems already compromised in previous incidents |
| Instances with Known Vulnerabilities | 1,493 | Systems running vulnerable software versions |
That correlation is concerning. Over 500 exposed instances are on systems that have already been breached before. Almost 1,500 have known vulnerabilities that attackers could exploit.
Earlier Estimates Were Even Higher
In February 2026, researchers counted approximately 135,000 exposed OpenClaw instances. The current lower number reflects decreased public exposure over time. Some organizations locked down their deployments after the initial warnings.
But here’s what’s important to understand: the reduction doesn’t mean OpenClaw’s underlying security model got fixed. It just means fewer instances are visible from the internet right now.
Geographic Distribution of Exposed Systems
The exposed instances aren’t concentrated in one region. They’re spread across:
- North America: Highest concentration, particularly in the United States
- Europe: Strong presence in Germany, UK, and France
- Asia Pacific: Growing rapidly in China, Japan, and India
- South America: Emerging presence in Brazil
This global distribution means the problem isn’t limited to any single regulatory environment. Different data protection laws apply in different regions, making the breach implications even more complex.
Types of Organizations Affected
The exposed instances come from all types of organizations:
- Small startups experimenting with AI
- Mid-sized companies automating workflows
- Large enterprises running pilot programs
- Individual developers and hobbyists
- Educational institutions
- Government agencies
Enterprise deployments are particularly worrying. These instances often have access to sensitive customer data, internal communications, and business-critical systems.
Why Are So Many OpenClaw Installations Publicly Accessible?
The root cause isn’t a single vulnerability. It’s a combination of factors that add up to widespread misconfiguration.
Default Settings Favor Convenience Over Security
Out of the box, OpenClaw is designed to be easy to set up. That means permissive default settings. The assumption is that users will run it locally, on their own machines, behind their own firewalls.
But many users deploy OpenClaw on cloud servers. They want to access it remotely. They want to share it with team members. So they open it up to the network without understanding the implications.
A Gartner report called this situation exactly what it is: “insecure by default.”
Plaintext Credential Storage
One of the most alarming findings involves how OpenClaw stores credentials. Many instances store API keys, passwords, and tokens in plaintext. No encryption. No secure vault.
When an instance is exposed to the internet, those credentials become accessible to anyone who connects. Attackers don’t need to crack passwords. They just need to read them.
The Skills and Plugin Ecosystem
OpenClaw’s power comes from its plugin architecture. Users install skills from ClawHub to add capabilities. But each skill runs with the same permissions as OpenClaw itself.
If OpenClaw can read your files, so can every skill you install. If OpenClaw can access your email, every skill gets that access too. There’s no sandboxing. There’s no permission system limiting what individual skills can do.
Lack of Authentication by Default
Many exposed instances don’t require authentication at all. Anyone who can reach the port can interact with the AI agent. They can send commands. They can install skills. They can access whatever the agent can access.
Some instances do have authentication enabled. But researchers found weak passwords, default credentials, and authentication that could be bypassed.
Cloud Deployment Confusion
Running software locally is different from running it in the cloud. Security boundaries that exist on a personal laptop don’t exist on a VPS or cloud instance.
Many users don’t understand this distinction. They follow installation guides designed for local use, then deploy on cloud infrastructure. The result is an exposed instance they don’t even realize is public.
Documentation Gaps
OpenClaw’s rapid growth meant documentation couldn’t keep up. Early adopters had to figure things out on their own. Security best practices weren’t clearly documented or emphasized.
The official docs focused on features and capabilities. Security guidance was an afterthought. Users didn’t know what they didn’t know.
Real Security Risks of Unprotected OpenClaw Deployments
What can actually happen when an OpenClaw instance is exposed? The answer is: a lot more than most people realize.
Full System Access Through the AI
OpenClaw often runs with elevated permissions. It needs those permissions to do useful work. But that means anyone who controls the AI agent controls the system.
An attacker connecting to an exposed instance can:
- Read sensitive files including configuration files with passwords
- Modify or delete data
- Execute arbitrary commands
- Pivot to other systems on the network
- Exfiltrate data without triggering traditional security alerts
The AI agent becomes the attack vector. Traditional security tools might not flag AI-to-system communication as malicious.
Credential Theft at Scale
Remember those plaintext credentials? Exposed instances often contain:
- API keys for cloud services (AWS, Azure, GCP)
- Database connection strings with passwords
- OAuth tokens for email and messaging platforms
- Internal system credentials
- Third-party service API keys
Attackers can harvest these credentials and use them independently of OpenClaw. Even if you later secure the exposed instance, the stolen credentials remain valid until rotated.
Supply Chain Attacks Through Malicious Skills
This is where things get really bad. Researchers found over 1,184 malicious skills on ClawHub. Independent audits showed that roughly one in twelve packages carried malicious payloads.
These malicious skills can:
- Exfiltrate data: Quietly send sensitive information to attacker-controlled servers
- Install backdoors: Create persistent access even if the skill is later removed
- Modify other skills: Tamper with legitimate skills to add malicious functionality
- Cryptojacking: Use your system resources to mine cryptocurrency
- Ransomware deployment: Encrypt files and demand payment
The skill marketplace scaled past 13,700 skills. With one in twelve being malicious, that’s over a thousand dangerous packages users might install.
Prompt Injection Attacks
OpenClaw is vulnerable to prompt injection, where attackers craft inputs that make the AI do things it shouldn’t. In an exposed instance, attackers can send carefully crafted prompts that:
- Bypass safety restrictions
- Reveal confidential information
- Execute unintended commands
- Install additional malicious skills
The AI becomes the unwitting accomplice in the attack.
Lateral Movement and Network Penetration
OpenClaw instances often run on servers connected to internal networks. Once an attacker gains control of the AI agent, they can use it to explore the network.
The AI might have access to:
- Internal databases
- File shares
- Other services and APIs
- Development environments
- Production systems
From there, attackers can move laterally, compromising additional systems. The initial exposed OpenClaw instance was just the entry point.
Data Exfiltration Without Obvious Traces
Traditional security monitoring looks for suspicious traffic patterns. But an AI agent talking to external services might look completely normal.
Data exfiltration through OpenClaw can fly under the radar. The AI is supposed to communicate with external services. It’s supposed to access files. Security tools might not flag this activity as malicious.
The ClawHub Marketplace Problem: Malicious Skills and Tainted Packages
OpenClaw’s skill marketplace deserves its own section because it represents a massive supply chain risk.
How the ClawHub Marketplace Works
ClawHub functions like npm for Node.js or PyPI for Python. Users publish skills that add capabilities to OpenClaw. Other users install those skills with a simple command.
The marketplace grew quickly. It now has over 13,700 skills covering everything from email management to code generation to home automation.
The Scale of Malicious Packages
Here’s where the numbers get scary:
| Metric | Number |
|---|---|
| Total Skills on ClawHub | 13,700+ |
| Identified Malicious Skills | 1,184+ |
| Malicious Package Rate | ~1 in 12 |
| Skills with Hidden Payloads | 340+ |
That means if you pick twelve skills from ClawHub at random, on average one of them contains malicious code.
What Malicious Skills Actually Do
Researchers analyzed the malicious skills and found several categories:
Data Stealers: These skills quietly copy sensitive data and send it to external servers. They might masquerade as productivity tools while secretly exfiltrating your files.
Credential Harvesters: Skills that specifically target stored credentials. They extract API keys, passwords, and tokens, then transmit them to attackers.
Backdoor Installers: These create persistent access to your system. Even if you remove the skill, the backdoor remains.
Cryptominers: Skills that use your CPU and GPU to mine cryptocurrency. They slow down your system while generating money for attackers.
Ransomware Droppers: The most destructive category. These skills encrypt your files and demand payment for decryption keys.
Why the Problem is Hard to Solve
Package repositories have always struggled with malicious submissions. npm, PyPI, and other ecosystems deal with this constantly. But OpenClaw’s situation is worse for several reasons:
- Elevated permissions: Skills run with full access to whatever OpenClaw can touch
- No sandboxing: There’s no isolation between skills and the host system
- Rapid growth: The marketplace scaled faster than moderation could keep up
- User trust: People assume marketplace packages are vetted
How to Identify Suspicious Skills
Before installing any skill, check for red flags:
- New accounts: Skills from accounts created recently are higher risk
- Low download counts: Popular, established skills are generally safer
- Minimal documentation: Legitimate developers usually document their work
- Obfuscated code: If you can’t read the source, don’t trust it
- Excessive permission requests: Skills asking for more access than they need
- Generic names: Typosquatting uses names similar to popular packages
The Typosquatting Threat
Attackers create skills with names that are almost identical to popular packages. If a legitimate skill is called “email-helper,” attackers might create “emai1-helper” or “email-helpr.”
Users who make typos or don’t look carefully install the malicious version instead of the legitimate one. This technique has been successful in other package ecosystems, and it works just as well on ClawHub.
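The red-flag checklist and the typosquatting examples above, turned into a vetting script. This is an added example, not ClawHub's or OpenClaw's own tooling: the `Skill` metadata layout, the `POPULAR` reference list and the thresholds are assumptions constructed for the example, and the obfuscation check is a deliberately simple heuristic.

```python
"""Skill-vetting checks for the ClawHub red flags discussed above.

Added example; not OpenClaw's or ClawHub's code. The Skill metadata
format, the POPULAR list and the thresholds are constructed assumptions.
"""
from __future__ import annotations
from dataclasses import dataclass
from datetime import date
import re

# Digits attackers swap in for look-alike letters, mapped back to the letter.
HOMOGLYPHS = str.maketrans({"1": "l", "0": "o", "3": "e", "5": "s", "7": "t", "8": "b"})


def normalize(name: str) -> str:
    """Lower-case, fold digit look-alikes and the classic 'rn' -> 'm' trick."""
    n = name.lower().translate(HOMOGLYPHS)
    return n.replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance; 1 or 2 means a name is one slip away from another."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


@dataclass
class Skill:
    """Hypothetical marketplace listing fields (constructed for the example)."""
    name: str
    publisher_created: date
    downloads: int
    readme_words: int
    source_available: bool
    permissions: set
    source_text: str = ""


# Hypothetical list of established skills a typosquat would imitate.
POPULAR = ["email-helper", "calendar-sync", "slack-bridge"]

# Simple signals that source is obfuscated or evaluated at runtime.
OBFUSCATION = re.compile(r"\beval\(|\bexec\(|base64|\\x[0-9a-fA-F]{2}")


def typosquat_target(name: str, popular=POPULAR) -> str | None:
    """Return the popular skill this name imitates, or None for a legitimate name."""
    if name in popular:
        return None  # the exact name is the real package
    n = normalize(name)
    for p in popular:
        if n == normalize(p) or edit_distance(n, normalize(p)) <= 2:
            return p
    return None


def vet_skill(skill: Skill, today: date, needed: set) -> list[str]:
    """Return the red flags a skill trips; an empty list means none were found."""
    flags = []
    target = typosquat_target(skill.name)
    if target:
        flags.append(f"name imitates popular skill '{target}'")
    if (today - skill.publisher_created).days < 30:
        flags.append("publisher account created less than 30 days ago")
    if skill.downloads < 100:
        flags.append("low download count")
    if skill.readme_words < 50:
        flags.append("minimal documentation")
    if not skill.source_available:
        flags.append("source not available")
    elif OBFUSCATION.search(skill.source_text):
        flags.append("obfuscated or dynamically evaluated code")
    extra = skill.permissions - needed
    if extra:
        flags.append(f"excessive permissions: {sorted(extra)}")
    return flags


if __name__ == "__main__":
    # Constructed listing that mimics the page's "emai1-helper" typosquat.
    suspect = Skill("emai1-helper", date(2026, 3, 1), 12, 10, True,
                    {"files", "network", "credentials"},
                    "import base64\nexec(base64.b64decode(p))")
    for flag in vet_skill(suspect, date(2026, 3, 10), needed={"network"}):
        print("FLAG:", flag)
```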
How to Secure Your OpenClaw Instance: A Complete Guide
If you’re running OpenClaw, you need to lock it down. Here’s how to do it properly.
Network-Level Security
Never expose OpenClaw directly to the internet. This is the most basic rule, and it’s the one most often broken.
If you need remote access, use one of these approaches:
- VPN: Connect to your network through a VPN, then access OpenClaw locally
- SSH tunneling: Create an encrypted tunnel for secure remote access
- Reverse proxy with authentication: Put a properly configured proxy in front of OpenClaw
Configure your firewall to block incoming connections to OpenClaw’s port (usually 3000 or 8080) from external networks.
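A host-side check for the rule above: whether the OpenClaw port is bound to every interface rather than to localhost. This is an added example, not OpenClaw's own tooling; it parses the output of the Linux `ss -ltn` command, the sample output below is constructed, and the ports come from the defaults named on this page.

```python
"""Flag OpenClaw listeners bound to all interfaces.

Added example for the network-level guidance above; not OpenClaw's code.
SAMPLE_SS is constructed `ss -ltn` output; OPENCLAW_PORTS are the page's defaults.
"""
from __future__ import annotations
import socket
import subprocess

OPENCLAW_PORTS = {3000, 8080}              # default ports named on the page
WILDCARD_ADDRS = {"0.0.0.0", "[::]", "*"}  # "accept connections on every interface"

# Constructed sample of `ss -ltn` output (same column layout as the real command).
SAMPLE_SS = """\
State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port  Process
LISTEN  0       511     0.0.0.0:3000         0.0.0.0:*
LISTEN  0       511     127.0.0.1:8080       0.0.0.0:*
LISTEN  0       128     [::]:22              [::]:*
LISTEN  0       4096    [::1]:3000           [::]:*
"""


def parse_listeners(ss_output: str) -> list[tuple[str, int]]:
    """Return (address, port) for every LISTEN row in `ss -ltn` output."""
    listeners = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        addr, port = fields[3].rsplit(":", 1)  # split off the port, keep IPv6 brackets
        listeners.append((addr, int(port)))
    return listeners


def exposed_openclaw_ports(ss_output: str, ports=OPENCLAW_PORTS) -> list[int]:
    """Ports that listen on a wildcard address, i.e. reachable from any attached
    network unless a firewall blocks them; loopback-only bindings are not reported."""
    return sorted({p for a, p in parse_listeners(ss_output)
                   if p in ports and a in WILDCARD_ADDRS})


def check_local_host() -> list[int]:
    """Run the real `ss -ltn` on this Linux host and report exposed ports."""
    out = subprocess.run(["ss", "-ltn"], capture_output=True, text=True, check=True).stdout
    return exposed_openclaw_ports(out)


def is_reachable(host: str, port: int, timeout: float = 3.0) -> bool:
    """Run from outside your network against your own host to confirm the firewall
    rule works; True means the port still accepts connections."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


if __name__ == "__main__":
    for port in exposed_openclaw_ports(SAMPLE_SS):
        print(f"port {port} listens on all interfaces: bind it to 127.0.0.1 "
              f"or block it at the firewall and reach it via VPN or SSH tunnel")
```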
Authentication and Access Control
Enable authentication for your OpenClaw instance. Don’t use default credentials. Create strong, unique passwords.
Better yet, set up multi-factor authentication if your deployment method supports it. A password alone isn’t enough.
Limit who can access the instance. Not everyone in your organization needs AI agent capabilities. Apply the principle of least privilege.
Credential Management
Don’t store credentials in OpenClaw’s default configuration. Instead:
- Use a dedicated secrets manager like HashiCorp Vault
- Store credentials in encrypted format
- Rotate credentials regularly
- Use short-lived tokens where possible
- Implement credential access logging
If OpenClaw needs access to a service, create a dedicated service account with minimal permissions. Don’t use your personal credentials.
Skill Management and Vetting
Don’t install skills blindly. Before adding any skill:
- Review the source code if available
- Check the publisher’s reputation and history
- Look for community reviews and feedback
- Verify the skill’s claimed functionality
- Test in an isolated environment first
Create an allowlist of approved skills for your organization. Block the installation of unapproved packages.
Monitoring and Logging
Enable comprehensive logging for your OpenClaw instance. Log:
- All commands and requests
- Skill installations and updates
- File access patterns
- Network connections
- Authentication attempts
Set up alerts for suspicious activity. Unusual file access, connections to unknown servers, or unexpected command execution should trigger immediate investigation.
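The alert rules described above, run over a sample audit log. This is an added example and not OpenClaw's logging code: the page does not give OpenClaw's real log format, so the JSON-lines events, the approved-skill and allowed-host lists, and the thresholds are all constructed assumptions.

```python
"""Alert rules for the OpenClaw logging checklist above.

Added example; not OpenClaw's code. The JSON-lines event format, SAMPLE_LOG
and the policy constants are constructed assumptions for the example.
"""
from __future__ import annotations
import json
from collections import defaultdict
from datetime import datetime

# Policy the rules check against (constructed for the example).
APPROVED_SKILLS = {"email-helper", "calendar-sync"}
ALLOWED_HOSTS = {"api.model-provider.example", "slack.com"}
ALLOWED_PATHS = ("/srv/openclaw/workspace/",)
SHELLS = {"sh", "bash", "zsh"}
AUTH_FAIL_THRESHOLD = 5        # failures from one source inside the window
AUTH_FAIL_WINDOW_SECONDS = 60

# Constructed sample audit log: a failed-login burst, an unapproved skill
# install, a credential-file read, an unknown outbound host and a shell spawn.
SAMPLE_LOG = """\
{"ts":"2026-03-10T09:00:01Z","event":"auth","result":"fail","src":"203.0.113.7"}
{"ts":"2026-03-10T09:00:02Z","event":"auth","result":"fail","src":"203.0.113.7"}
{"ts":"2026-03-10T09:00:03Z","event":"auth","result":"fail","src":"203.0.113.7"}
{"ts":"2026-03-10T09:00:04Z","event":"auth","result":"fail","src":"203.0.113.7"}
{"ts":"2026-03-10T09:00:05Z","event":"auth","result":"fail","src":"203.0.113.7"}
{"ts":"2026-03-10T09:01:00Z","event":"skill_install","skill":"emai1-helper","publisher":"newuser42"}
{"ts":"2026-03-10T09:01:30Z","event":"file_read","path":"/home/ops/.aws/credentials"}
{"ts":"2026-03-10T09:01:31Z","event":"file_read","path":"/srv/openclaw/workspace/notes.md"}
{"ts":"2026-03-10T09:02:00Z","event":"net_connect","host":"slack.com","port":443}
{"ts":"2026-03-10T09:02:05Z","event":"net_connect","host":"203.0.113.99","port":4444}
{"ts":"2026-03-10T09:03:00Z","event":"command","argv":["ls","-la"]}
{"ts":"2026-03-10T09:03:10Z","event":"command","argv":["sh","-c","env"]}
"""


def parse_ts(ts: str) -> datetime:
    return datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")


def analyze_log(text: str) -> list[dict]:
    """Return one alert dict {ts, rule, detail} per rule hit, in log order."""
    alerts: list[dict] = []
    fails: dict[str, list[datetime]] = defaultdict(list)

    def alert(ts: str, rule: str, detail: str) -> None:
        alerts.append({"ts": ts, "rule": rule, "detail": detail})

    for line in text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        kind, ts = ev["event"], ev["ts"]
        if kind == "auth" and ev["result"] == "fail":
            now = parse_ts(ts)
            window = fails[ev["src"]]
            window.append(now)
            # keep only failures inside the sliding window
            window[:] = [t for t in window
                         if (now - t).total_seconds() <= AUTH_FAIL_WINDOW_SECONDS]
            if len(window) >= AUTH_FAIL_THRESHOLD:
                alert(ts, "auth_failure_burst", f"{len(window)} failures from {ev['src']}")
                window.clear()  # alert once per burst, not on every later failure
        elif kind == "skill_install" and ev["skill"] not in APPROVED_SKILLS:
            alert(ts, "unapproved_skill", f"{ev['skill']} by {ev['publisher']}")
        elif kind == "file_read" and not ev["path"].startswith(ALLOWED_PATHS):
            alert(ts, "file_access_outside_workspace", ev["path"])
        elif kind == "net_connect" and ev["host"] not in ALLOWED_HOSTS:
            alert(ts, "unexpected_outbound", f"{ev['host']}:{ev['port']}")
        elif kind == "command" and ev["argv"] and ev["argv"][0] in SHELLS and "-c" in ev["argv"]:
            alert(ts, "shell_spawn", " ".join(ev["argv"]))
    return alerts


if __name__ == "__main__":
    for a in analyze_log(SAMPLE_LOG):
        print(f"{a['ts']} {a['rule']}: {a['detail']}")
```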
Regular Security Audits
Don’t set it and forget it. Schedule regular security reviews:
- Weekly: Check logs for anomalies
- Monthly: Review installed skills and remove unused ones
- Quarterly: Full security audit of configuration and access controls
- After any incident: Immediate review and remediation
Isolation and Sandboxing
Run OpenClaw in an isolated environment. Options include:
- Containers: Docker with limited privileges and network isolation
- Virtual machines: Separate VM with restricted network access
- Dedicated hardware: Physical machine not connected to sensitive networks
The goal is to limit blast radius. If OpenClaw is compromised, the damage should be contained.
Keep Everything Updated
Run the latest version of OpenClaw. Security patches are released regularly. Apply them promptly.
Update installed skills as well. But verify updates before applying them. Sometimes updates introduce new problems or even contain malicious code.
Enterprise Deployment Considerations for AI Agent Security
Larger organizations face additional challenges when deploying OpenClaw or similar AI agents.
Policy Development
Create clear policies covering:
- Who can deploy AI agents
- What data AI agents can access
- Which skills are approved for use
- How AI agent activities are monitored
- Incident response procedures for AI-related security events
Without clear policies, shadow IT deployments will proliferate. Employees will set up their own OpenClaw instances without security oversight.
Centralized Management
For enterprise deployments, centralize OpenClaw management. This provides:
- Consistent security configuration
- Centralized logging and monitoring
- Controlled skill distribution
- Easier patch management
- Clear accountability
Don’t let individual teams run their own unmanaged instances.
Integration with Existing Security Stack
OpenClaw should integrate with your existing security tools:
- SIEM: Forward logs to your security information and event management system
- EDR: Endpoint detection and response should monitor the host system
- DLP: Data loss prevention tools should cover AI agent activities
- IAM: Identity and access management should control who uses OpenClaw
Vendor Risk Assessment
Treat OpenClaw like any other third-party software. Conduct a vendor risk assessment covering:
- The project’s security track record
- Responsiveness to reported vulnerabilities
- Development practices and code review processes
- Community engagement and transparency
Open-source software isn’t automatically more or less secure than commercial alternatives. Evaluate it on its merits.
Regulatory Compliance
AI agents accessing sensitive data may trigger compliance requirements:
- GDPR: AI processing of personal data needs appropriate safeguards
- HIPAA: Healthcare data access requires specific controls
- PCI-DSS: Payment card data has strict access requirements
- SOC 2: Service organizations need documented controls
Work with your compliance team before deploying AI agents in regulated environments.
Security-First Architecture
As one security guide puts it: “You will have to build a solution using these agents with a security-first architecture to minimize risk.”
Don’t bolt security on afterward. Design your AI agent deployment with security as a foundational requirement.
How the Security Industry is Responding to AI Agent Risks
The discovery of exposed OpenClaw instances triggered significant industry response.
Gartner’s Warning
Gartner published a report titled “Agentic Productivity Comes With Unacceptable Cybersecurity Risk.” The report characterized OpenClaw as “a dangerous preview of agentic AI, demonstrating high utility but exposing enterprises to ‘insecure by default’ risks like plaintext credential storage.”
That assessment from a major analyst firm carries weight. It’s not just security vendors sounding alarms. Independent analysts see the same problems.
Security Vendor Research
Multiple security vendors are now actively researching AI agent security:
SecurityScorecard conducted the research that identified over 40,000 exposed instances. They continue monitoring and reporting on the situation.
Bitsight is investing in developing ways to detect AI-related products like OpenClaw. They’ve also researched exposed MCP (Model Context Protocol) servers, which create additional vulnerability points.
Censys has been tracking OpenClaw exposure over time, providing the data that shows how instance counts have changed from the February peak.
Recommendations from Security Researchers
SecurityScorecard urged OpenClaw users to take specific steps:
“Build in some separation and run some experiments of your own before you really trust the new technology to do what you want it to do.”
That advice applies to all agentic AI, not just OpenClaw. The technology is powerful. But trust should be earned through testing, not assumed based on hype.
Framework Development
Organizations like OWASP are developing frameworks for AI security. These efforts will produce:
- Best practice guidelines
- Security testing methodologies
- Risk assessment frameworks
- Compliance checklists
As the field matures, expect more structured guidance on securing AI agents.
The MCP Server Discovery
Bitsight’s research into exposed Model Context Protocol servers reveals another layer of the problem. MCP servers let AI agents connect to external services. When these servers are exposed, they create additional attack vectors.
The combination of exposed OpenClaw instances and exposed MCP servers multiplies the risk. Each exposed component adds more potential entry points for attackers.
What Happens Next: The Future of AI Agent Security
The OpenClaw exposure problem isn’t going away on its own. Here’s what to expect.
The Numbers Will Keep Changing
Exposed instance counts fluctuate. Some organizations secure their deployments after reading about the risks. Others deploy new instances without proper configuration.
The February count of 135,000 dropped to around 40,000. But that doesn’t mean the problem is 70% solved. It means visibility changed: instances that no longer show up in internet-wide scans may still be exposed.
Attackers Will Get More Sophisticated
As AI agents become more common, attackers will develop specialized techniques for exploiting them. Expect to see:
- More sophisticated prompt injection attacks
- Automated scanning for exposed AI instances
- AI-specific malware and attack tools
- Supply chain attacks targeting AI ecosystems
Security Tools Will Adapt
Traditional security tools weren’t designed for AI agents. That’s changing. Security vendors are building:
- AI agent detection capabilities
- Behavioral analysis for AI activities
- Specialized logging and monitoring
- AI-aware threat intelligence
Regulation May Follow
If AI agent security incidents continue, regulators may step in. Possible regulatory responses include:
- Required security configurations for AI agents
- Mandatory breach notification for AI-related incidents
- Certification requirements for AI systems
- Liability frameworks for AI agent actions
The Technology Will Improve
OpenClaw and similar tools will get more secure over time. Expect improvements in:
- Default security configurations
- Permission systems and sandboxing
- Credential management
- Skill vetting processes
- Security documentation
But these improvements take time. In the meantime, users must implement their own safeguards.
Lessons Learned From the OpenClaw Exposure Incident
The OpenClaw situation offers broader lessons about technology adoption and security.
Popularity Doesn’t Equal Security
OpenClaw got 150,000 GitHub stars in days. That popularity said nothing about its security posture. Viral adoption can actually make security worse by spreading misconfigured deployments faster.
Autonomy Creates Risk
The same features that make AI agents useful also make them dangerous. Any system that can take actions on your behalf can be turned against you.
The question to ask isn’t “what could it say?” It’s “what could it DO to your systems, your data, and your business while you’re not watching?”
Supply Chain Security Matters More Than Ever
With one in twelve ClawHub packages being malicious, supply chain security isn’t optional. Every dependency is a potential attack vector.
Security Must Be Designed In
Bolting security onto an insecure system doesn’t work well. Security needs to be part of the initial architecture. OpenClaw’s “insecure by default” approach created problems that are now difficult to fix.
Documentation and Education Are Critical
Many exposed instances result from users not understanding the risks. Better documentation and security education could have prevented a significant portion of the problem.
Trust Must Be Earned
New technology shouldn’t be trusted automatically. Run experiments. Test in isolation. Verify claims before deploying in production.
As one researcher advised: “Build in some separation and run some experiments of your own before you really trust the new technology to do what you want it to do.”
Final Thoughts and Recommendations
OpenClaw represents both the promise and peril of agentic AI. The tool is genuinely useful. It can automate tasks, boost productivity, and extend what’s possible with AI. But the security risks are real and serious. Over 40,000 exposed instances, more than 1,000 malicious skills, and systems storing credentials in plaintext create an attack surface that criminals are actively exploiting. If you’re using OpenClaw, secure it now. If you’re considering it, plan security from the start.
Frequently Asked Questions About OpenClaw Exposed Instances
What is OpenClaw and why are OpenClaw exposed instances a security concern?
OpenClaw is an open-source AI agent framework that can perform actions on systems, including reading files, accessing credentials, and interacting with messaging platforms. Exposed instances are a security concern because attackers can connect to them directly from the internet and gain access to everything the AI agent can access. This includes sensitive files, stored passwords, and internal systems.
How many OpenClaw instances are currently exposed to the internet?
SecurityScorecard found over 40,214 exposed OpenClaw instances in their research, and this number continues to rise. Earlier estimates in February 2026 counted approximately 135,000 exposed instances. The decrease reflects some organizations securing their deployments, not a fix to OpenClaw’s underlying security model.
Who discovered the OpenClaw exposed instances problem?
Multiple security research organizations identified the problem. SecurityScorecard conducted major research identifying over 40,000 exposed instances. Bitsight has also researched OpenClaw security risks and exposed MCP servers. Censys provided data tracking how exposure levels changed over time.
What can attackers do with access to an exposed OpenClaw instance?
Attackers connecting to exposed OpenClaw instances can read and modify files, steal stored credentials including API keys and passwords, execute commands on the host system, install malicious skills, exfiltrate data, and use the compromised instance to move laterally through networks to attack other systems.
What is ClawHub and why are its skills dangerous?
ClawHub is the marketplace where users download skills (plugins) for OpenClaw. Over 1,184 malicious skills have been identified on the platform, with roughly one in twelve packages containing malicious payloads. These malicious skills can steal data, harvest credentials, install backdoors, run cryptominers, or deploy ransomware. Skills run with the same permissions as OpenClaw itself, so they have full access to whatever the AI agent can touch.
How do I check if my OpenClaw instance is exposed?
Check whether your OpenClaw port (typically 3000 or 8080) is accessible from external networks. Use a port scanner from outside your network, or try accessing your instance from a different network connection. Also check your firewall rules to verify external traffic is blocked. Services like Shodan or Censys can show if your instance appears in their scans of internet-facing services.
What steps should I take to secure my OpenClaw deployment?
Block external access to OpenClaw using firewall rules. Use VPN or SSH tunneling for remote access. Enable strong authentication. Store credentials in a secure vault instead of plaintext. Vet all skills before installation. Run OpenClaw in an isolated container or VM. Enable comprehensive logging. Keep OpenClaw and all skills updated. Conduct regular security audits.
When did the OpenClaw exposure problem first become widely known?
The problem gained widespread attention in early 2026. February 2026 saw peak exposure counts of around 135,000 instances. Security vendors including SecurityScorecard, Bitsight, and Censys published research throughout the first half of 2026 documenting the scope of the problem.
What did Gartner say about OpenClaw security risks?
Gartner published a report warning that “Agentic Productivity Comes With Unacceptable Cybersecurity Risk.” The report characterized OpenClaw as “a dangerous preview of agentic AI, demonstrating high utility but exposing enterprises to ‘insecure by default’ risks like plaintext credential storage.” This assessment from a major analyst firm validated the concerns raised by security researchers.
Where are most OpenClaw exposed instances located geographically?
Exposed OpenClaw instances are distributed globally. The highest concentration is in North America, particularly the United States. Europe has a strong presence in Germany, the UK, and France. Asia Pacific shows growing numbers in China, Japan, and India. South America has an emerging presence in Brazil. This global distribution means different data protection laws apply, making breach implications complex.