AWS launches one-click OpenClaw deployment on Lightsail while the viral AI agent faces widespread CVE-2026-25253 vulnerabilities affecting 17,500+ exposed instances and 42,900 public deployments.
AWS has launched a managed OpenClaw deployment on Amazon Lightsail, offering one-click provisioning for the viral AI agent that has reached 250,000 GitHub stars while facing critical security flaws affecting tens of thousands of exposed instances.
The managed service addresses complaints about complex self-hosted setups and security configuration challenges that made manual OpenClaw deployment on EC2 difficult for non-DevOps users. The Lightsail blueprint ships with Amazon Bedrock preconfigured (using Claude Sonnet 4.6 by default) and automates IAM role creation via CloudShell script. Users pick the OpenClaw blueprint, pair their browser through SSH credentials, then interact with the assistant via WhatsApp, Telegram, Slack, Discord, or web chat.
OpenClaw's Explosive Growth and Security Crisis
OpenClaw's growth has been substantial as the project hit 100,000 stars within weeks of going viral in early 2026 and now ranks as GitHub's most-starred non-aggregator software project, ahead of Linux and React. Wikipedia notes the platform pulled 2 million visitors in one week. Created by Peter Steinberger as Clawdbot in November 2025, it rebranded twice (Moltbot, then OpenClaw) before settling on the current name in late January.
The AWS launch comes as serious security problems with OpenClaw surface. CVE-2026-25253, disclosed February 1, affects all versions before 2026.1.29 and enables one-click remote code execution via WebSocket token theft. The vulnerability allows attackers to craft malicious URLs that, when clicked, automatically send a victim's authentication token to attacker-controlled servers without prompting.
Hunt.io researchers found over 17,500 internet-exposed instances vulnerable to the flaw. Once attackers obtain tokens, they can connect to victims' OpenClaw gateways, modify security configurations, and execute privileged operations on the host system.
Widespread Exposure Across Cloud Platforms
Multiple security firms scanned the internet and found alarming numbers. Bitsight identified 30,000+ exposed instances between January and February. SecurityScorecard's STRIKE team reported 42,900 public-facing instances across 82 countries. Of those, 15,200 are confirmed vulnerable to remote code execution. Many of them (98.6%) run on cloud platforms such as DigitalOcean, Alibaba Cloud, Tencent, and AWS rather than on home networks, indicating widespread adoption among enterprises and developers.
Every instance stores credentials for Claude, OpenAI, Google AI, and similar services, making them valuable targets for credential theft. The supply chain is also compromised. Bitdefender discovered roughly 900 malicious packages in ClawHub, OpenClaw's skill registry. That's 20% of all published skills. Some are obvious: credential stealers posing as utilities, backdoors that offer persistent access. Others are sophisticated, using obfuscated payloads that slip through code review.
This mirrors the npm and PyPI supply chain attacks, yet the stakes are higher. OpenClaw skills run with system-level permissions and touch messages, API keys, and files directly.
Government Responses and Enterprise Bans
The security situation triggered government responses. China's Ministry of Industry and Information Technology issued warnings. South Korean tech companies have banned the use of OpenClaw internally. A Token Security study found 22% of organizations have employees running OpenClaw without IT approval, creating shadow AI deployments that bypass traditional security controls and corporate governance frameworks.
AWS documentation acknowledges risk, noting that running OpenClaw "may cause a security threat if you are careless." The deployment guide recommends never exposing the gateway publicly, rotating tokens frequently, and storing credentials in environment files rather than config files. However, it doesn't detail the full scope of security implications.
Corporate Acquisition and Foundation Structure
Steinberger joined OpenAI in mid-February after CEO Sam Altman announced the hire on February 15, describing Steinberger as a "genius" who will "drive the next generation of personal agents." OpenClaw transitioned to an independent open-source foundation that OpenAI will contribute to and help fund. The foundation structure provides more sustainable governance, reduces single-maintainer risk, and enables corporate backing without corporate control. Community maintainers continue driving development under the MIT license.
Persistent Architectural Vulnerabilities
The Lightsail blueprint provides some hardening: sandboxed execution, device-pairing authentication, and HTTPS dashboard access without manual TLS setup. However, it can't fix architectural problems. OpenClaw remains vulnerable to prompt injection, in which malicious instructions in data are interpreted as legitimate commands. Giskard research showed that carefully crafted prompts can extract API keys, environment variables, and secrets from running agents.
OpenClaw's design gives agents system-level permissions: file access, script execution, and browser control via Playwright. However, security researchers, for instance, from Microsoft, warn that these broad permissions create a major attack surface when misconfigured. The platform integrates with email, calendars, messaging, and other sensitive services, enabling powerful automation yet also introducing substantial privacy and security risks.
Pricing and Availability
AWS pricing includes Lightsail instance costs (4GB memory plan recommended), Bedrock token charges per message, and potential Marketplace fees for third-party models. Data transfer overages and snapshot storage incur extra costs. The service is available across all AWS commercial regions where Lightsail operates.
About the Author
Steef-Jan Wiggers is one of InfoQ's senior cloud editors and works as a Domain Architect at VGZ in the Netherlands. His current technical expertise focuses on implementing integration platforms, Azure DevOps, AI, and Azure Platform Solution Architectures. Steef-Jan is a regular speaker at conferences and user groups and writes for InfoQ. Furthermore, Microsoft has recognized him as a Microsoft Azure MVP for the past sixteen years.
Comments
Please log in or register to join the discussion