
Tens of thousands of OpenClaw AI assistants exposed, researchers warn

Security teams found between ~21,600 and 40,200 publicly reachable OpenClaw instances; the action-capable agents can run shell commands and control email, smart homes and files.

Dr. Elena Rodriguez
Source: adversa.ai

Censys has identified more than 21,000 publicly exposed instances as of 31 January 2026, and SecurityScorecard’s STRIKE team reported 40,214 exposed OpenClaw deployments tied to 28,663 unique IP addresses, creating a widespread security risk around an action-capable AI assistant, researchers said. The tool, called OpenClaw and created by Austrian developer Peter Steinberger, is designed to execute actions on a user’s behalf — from running shell commands and reading and writing files to managing calendars, email, messaging platforms, smart-home services and third-party workflows through downloadable community “skills.”

The scale and speed of exposure are striking. Censys observed adoption leap from roughly 1,000 active instances to more than 21,000 in under a week during the last week of January 2026, and eSecurity Planet reported the project “surged in popularity after endorsements from notable AI researchers.” That viral growth, combined with default deployment behaviors, has left many instances reachable from the public Internet.

Researchers say the danger is not just connectivity but capability. OpenClaw agents maintain persistent memory across sessions and can be extended with community skills that run with host privileges. eSecurity Planet noted, “OpenClaw stands apart from traditional chatbots because it is built to execute actions directly on a user’s behalf, not just generate responses.” Because of those privileges, malicious or poorly reviewed skills can execute commands, access or exfiltrate files, modify system state or change networking configuration.

Multiple technical factors have increased exposure. Censys located instances by searching web interfaces with HTML titles such as “Moltbot Control” and “clawdbot Control” on the default TCP/18789 port, and warned that many deployments may be hidden behind reverse proxies, tunnels or managed access layers. Cisco security researchers, cited by eSecurity Planet, reported that instances have already leaked plaintext API keys and credentials, creating additional paths for attackers: “It … has already been reported to have leaked plaintext API keys and credentials, which can be stolen by threat actors via prompt injection or unsecured endpoints.”

SecurityScorecard’s STRIKE research emphasized both misconfiguration and software defects. The team described exposures as “tens of thousands” and said many instances are vulnerable to remote code execution and prompt injection. SecurityScorecard also reported discovery of three high-severity CVEs in OpenClaw with public exploit code available for each, and warned of imminent exploitation: “Some of those vulnerabilities may have even been introduced by the agents actually deploying things, installing services, taking certain actions, changing firewall rules. It really depends on how much permissions those users gave the system. It’s only a matter of time before we see threat actors actively exploiting these exposures,” said Jeremy Turner, VP of Threat Intelligence & Research at SecurityScorecard.

Geographic and sector patterns differ by scanner. Censys found the largest concentration in the United States, followed by China and Singapore, while SecurityScorecard reported the greatest exposure in China, then the United States and Singapore. Infosecurity reporting of SecurityScorecard’s data identified information services, technology, manufacturing and telecommunications among the most affected industries.

Researchers and vendors urge immediate mitigations: do not expose instances directly to the public Internet; for remote access use SSH tunnels or services such as Cloudflare Tunnel; apply network segmentation and role-based access controls; treat agents as identities with authority and restrict privileges accordingly. “The safeguards that are universally applicable are the standard go-tos for good information security hygiene. It’s network segmentation, role-based access. Keep it on a separate network. And if you do introduce data, understand that that data could be exposed,” Turner said.
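
For operators auditing their own hosts against the "do not expose instances directly" advice, here is an added example (not from the article, the researchers or the OpenClaw project) that flags listeners on the default TCP/18789 port that are bound to anything other than loopback. The sample input is constructed in the layout of `ss -H -ltn` output, and the function names are hypothetical.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port named in the article

# Constructed sample in the layout of `ss -H -ltn` (not from a real host).
SAMPLE_SS = """\
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 [::1]:18789 [::]:*
LISTEN 0 128 [::]:22 [::]:*
LISTEN 0 511 *:18789 *:*
LISTEN 0 511 192.168.1.20%eth0:18789 0.0.0.0:*
"""

def split_local(field):
    """Split the Local Address:Port column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop a %iface scope first, then IPv6 brackets.
    return host.split("%")[0].strip("[]"), int(port)

def is_loopback(host):
    """True only for addresses that cannot be reached from another machine."""
    if host == "*":  # wildcard bind on all address families
        return False
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable: report it rather than assume it is safe

def exposed_listeners(ss_output, port=OPENCLAW_PORT):
    """Return local addresses listening on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, lport = split_local(cols[3])
        if lport == port and not is_loopback(host):
            findings.append(cols[3])
    return findings

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print("reachable beyond localhost:", addr)
```

A loopback-only bind is necessary but not sufficient: as Censys noted, an instance can still be published through a reverse proxy or tunnel, so proxy and tunnel configurations need the same review.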

Key follow-ups include obtaining CVE identifiers and exploit details from SecurityScorecard, and responses from OpenClaw maintainer Peter Steinberger on hardening guidance and disclosure. In the meantime, organizations running OpenClaw should immediately audit deployments, revoke exposed keys, and limit agent privileges to reduce the chance that a public-facing assistant becomes a full system compromise.
