135,000+ OpenClaw AI agents exposed online as misconfiguration fuels takeover risk

Vlad CONSTANTINESCU

February 12, 2026

Internet-exposed OpenClaw deployments are scaling faster than basic security controls, putting users at severe risk.

Internet-wide OpenClaw exposure

Security researchers identified more than 135,000 internet-facing OpenClaw instances – a sharp jump from earlier counts reported the same day. This surge indicates that the platform’s footprint is expanding at an alarming rate.

SecurityScorecard’s STRIKE threat intelligence team frames the issue as an access-and-identity failure at scale. Powerful, always-on AI agents are being deployed with convenience-first defaults and insufficient controls, creating high-value targets for attackers.

Remote code execution among detected vulnerabilities

OpenClaw has already faced scrutiny over multiple high-risk vulnerabilities, including remote code execution (RCE) flaws and weaknesses within its extension ecosystem. Thousands of instances remain unpatched even though fixes are available, worsening the exposure.

Researchers also observed tens of thousands of deployments linked to previously breached infrastructure or known malicious IP addresses. In practical terms, compromising a single exposed agent could grant attackers access to anything the system can reach. Just one agent could allow threat actors to access credential stores, local files, browser sessions, messaging platforms or cached sensitive data.

Default network binding puts OpenClaw on the public internet

A key concern lies in OpenClaw’s default network behavior. Out of the box, OpenClaw binds to 0.0.0.0:18789, meaning it listens on all interfaces unless an operator explicitly restricts it. In other words, by default, OpenClaw’s listener accepts not only local connections but also public ones.

Such a default is fundamentally flawed under secure-by-design principles. For a tool designed to perform advanced operations such as modifying systems, automating tasks and interacting broadly with connected devices, unrestricted exposure could spell disaster by dramatically increasing the blast radius of any exploit.
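A quick way to check a host for the binding described above, as an added example (not from the article or the OpenClaw project): it classifies TCP listeners on port 18789 from `ss -ltn` output. The sample output is constructed, and the function names are this example's own.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port named in the article

# Constructed sample of `ss -ltn` output (not captured from a real host).
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      511             [::]:18789         [::]:*
LISTEN 0      128                *:18789            *:*
LISTEN 0      511         10.0.0.5:18789      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      128          0.0.0.0:22         0.0.0.0:*
"""

def classify_bind(host):
    """Classify a bind address as all-interfaces, loopback or single-interface."""
    host = host.split("%", 1)[0].strip("[]")  # drop scope id and IPv6 brackets
    if host == "*":                           # ss prints * for a dual-stack wildcard
        return "all-interfaces"
    try:
        addr = ipaddress.ip_address(host)
    except ValueError:                        # not numeric (ss run without -n)
        return "unknown"
    if addr.is_unspecified:                   # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "single-interface"

def audit_listeners(ss_output, port=OPENCLAW_PORT):
    """Return [(local_address, classification)] for TCP listeners on `port`."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue                          # header or non-listening row
        host, _, local_port = fields[3].rpartition(":")
        if local_port == str(port):
            findings.append((fields[3], classify_bind(host)))
    return findings

def non_loopback(findings):
    """Listeners that other hosts can reach (anything not loopback-only)."""
    return [addr for addr, kind in findings if kind != "loopback"]

if __name__ == "__main__":
    for addr, kind in audit_listeners(SAMPLE_SS_OUTPUT):
        print(f"{addr:20} {kind}")
```

On a live Linux host, pass the output of `ss -ltn` to `audit_listeners`; any entry returned by `non_loopback` is reachable beyond the local machine unless a firewall blocks it.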

Organizational risks and cautious adoption

Several reports note that many exposed instances appear to originate from corporate IP space rather than individual hobbyists, shifting the risk profile from isolated experimentation to potential enterprise-level compromise.

Ditching agentic AI altogether is an effective, albeit radical, way to prevent catastrophic exposure, but controlled testing environments, privilege limitation and strict access segmentation could bring better results.

Mitigation and monitoring

Mitigation should include restricting network binding, aggressive patching, enforcing strong authentication and isolating deployments in controlled environments.

Additionally, tools like Bitdefender’s AI Skills Checker, which analyzes OpenClaw skills for malicious or unsafe behavior before deployment, can add a practical validation layer in environments experimenting with agentic AI.
