Over 135,000 OpenClaw AI assistant instances are exposed to the internet, creating a systemic security failure that allows attackers to access sensitive data, credentials, and organizational systems through vulnerable automation tools.
More than 135,000 OpenClaw instances are exposed to the internet, creating what security researchers are calling a "systemic security failure" in the open-source AI agent space. The scale of this vulnerability has exploded from just over 40,000 instances reported earlier today to more than 135,000 as of publication, according to SecurityScorecard's STRIKE threat intelligence team.
The rapid growth of exposed instances highlights the dangerous combination of convenience-driven deployment, default settings, and weak access controls that have turned powerful AI agents into high-value targets for attackers. Security researchers warn that this isn't just another vulnerability - it represents a fundamental design flaw in how these automation tools are being deployed at scale.
The OpenClaw Security Disaster
OpenClaw, formerly known by several other names including Clawdbot and Moltbot, is an open-source, vibe-coded agentic AI platform that has become an unmitigated disaster for security-conscious users. The platform's skill store, where users find extensions for the bot, is riddled with malicious software, and three high-risk CVEs have been attributed to it in recent weeks.
What makes this situation particularly dangerous is that OpenClaw's various skills can be easily cracked and forced to spill API keys, credit card numbers, personally identifiable information (PII), and other data valuable to cybercriminals. When these already vulnerable instances are given free rein to access the internet, the problems are quickly magnified.
The numbers tell a grim story. Beyond the 135,000+ internet-facing instances, researchers have identified:
- Over 50,000 instances vulnerable to an established and already patched remote code execution bug
- More than 53,000 instances linked to previously reported breaches
- Thousands of instances associated with known threat actor IP addresses
Default Settings Create Open Door
A critical design flaw in OpenClaw's architecture is its default network configuration. "Out of the box, OpenClaw binds to 0.0.0.0:18789, meaning it listens on all network interfaces, including the public internet," STRIKE noted. "For a tool this powerful, the default should be 127.0.0.1 (localhost only). It isn't."
This default configuration means that anyone deploying OpenClaw without changing the settings immediately exposes their system to the internet. SecurityScorecard's VP of threat intelligence and research Jeremy Turner emphasized that many of OpenClaw's problems are there by design because it's built to make system changes and expose additional services to the web by its nature.
"It's like giving some random person access to your computer to help do tasks," Turner explained. "If you supervise and verify, it's a huge help. If you just walk away and tell them all future instructions will come via email or text message, they might follow instructions from anyone."
The Scope of the Threat
Compromising an OpenClaw instance means gaining access to everything the agent can access - credential stores, filesystems, messaging platforms, web browsers, or just its cache of personal details gathered about its user. The threat extends far beyond individual hobbyists experimenting with AI tools.
Many of the exposed OpenClaw instances are coming from organizational IP addresses, not just home systems. This means businesses and institutions are potentially exposing their entire infrastructure to attackers through these vulnerable automation tools.
Turner warns that OpenClaw isn't to be trusted, especially in organizational contexts. "Consider carefully how you integrate this, and test in a virtual machine or separate system where you limit the data and access with careful consideration," he advised. "Think of it like hiring a worker with a criminal history of identity theft who knows how to code well and might take instructions from anyone."
Recommendations for Users
The immediate recommendation from STRIKE is for all OpenClaw users to change the default binding to point it to localhost. However, this is just the first step in securing these systems.
For organizations and individuals using OpenClaw or similar AI agent platforms, security experts recommend:
- Immediately changing default network bindings to localhost
- Running these tools in isolated environments or virtual machines
- Limiting the data and access these agents have to sensitive systems
- Carefully supervising and verifying the actions of AI agents
- Considering the risks before deploying powerful automation tools in production environments
The Broader Implications
This incident highlights the growing security challenges in the open-source AI agent space. As these tools become more powerful and widely adopted, the potential attack surface expands dramatically. The OpenClaw situation demonstrates how convenience-driven deployment and poor security defaults can create systemic vulnerabilities that affect thousands of users simultaneously.
The rapid escalation of exposed instances - from 40,000 to over 135,000 in a matter of hours - shows how quickly these security issues can spiral out of control once they're discovered and publicized. It also raises questions about the responsibility of developers and platforms in ensuring their tools are secure by default.
While Turner acknowledges the incredible capabilities these new AI technologies offer and credits researchers for democratizing access to these technologies, he emphasizes the need for caution. "Learn to swim before jumping in the ocean," he advised, suggesting that users should understand the risks and limitations of these tools before deploying them in sensitive environments.
The OpenClaw disaster serves as a wake-up call for the entire AI agent ecosystem. As these tools become more integrated into business operations and personal workflows, the security implications become increasingly critical. The convenience of powerful automation must be balanced against the very real risks of exposing sensitive systems and data to potential attackers.
For now, the best advice for OpenClaw users is simple: secure your instances immediately, understand the risks, and consider whether the convenience is worth the potential security nightmare. The ocean of AI capabilities is indeed tempting, but as this incident shows, it can be terrifyingly dangerous without proper precautions.
Comments
Please log in or register to join the discussion