A recent security analysis uncovered over 40,000 OpenClaw AI agent deployments exposed directly to the internet, putting more than 28,000 unique systems at high risk of compromise.
Massive Exposure of Vulnerable AI Instances
Security experts identified 40,214 internet-accessible OpenClaw instances, including 28,663 unique IP addresses with open control panels. Approximately 63% of these deployments suffer from remote code execution vulnerabilities, enabling attackers to seize control of host machines without user intervention.
Three high-severity vulnerabilities, scored between 7.8 and 8.8 on the CVSS scale, affect most observed setups. Public exploit code for all three is readily available, lowering the barrier for hackers to target these systems.
Compounding Risks and Breach Links
Among the exposed instances, 549 are linked to previous data breaches, while 1,493 carry additional known flaws that compound the risk. Deployments cluster heavily on major cloud and hosting platforms, highlighting widespread insecure configurations.
OpenClaw, previously called Moltbot and Clawdbot, functions as a personal AI agent for tasks like scheduling meetings, sending emails, and managing workflows. However, these agents often receive excessive permissions without adequate safeguards.
Expert Warnings on AI Permissions
“The math is simple: when you give an AI agent full access to your computer, you give that same access to anyone who can compromise it,” stated Jeremy Turner, VP of Threat Intelligence at SecurityScorecard.
Many users personalize bots with names and company details, turning them into prime targets. Connecting agents to platforms grants them identities capable of posting content, accessing emails, reading files, or interacting with other systems.
“The risk isn’t that these systems are thinking for themselves,” Turner explained. “It’s that we’re giving them access to everything.” A breached agent could transfer funds, delete files, or dispatch malicious messages, mimicking normal activity.
Turner added, “In practice, because it was written by AI, security wasn’t a dominating feature in the development process. For the folks that want to use the more agentic AI systems, you really need to take careful consideration in what integrations you support and what permissions you actually give.”
Broader Implications and Restrictions
Microsoft recommends against running OpenClaw on standard personal or enterprise devices due to risks of unintended actions and data exposure. Chinese officials have banned its use in office settings over similar concerns.
Some flaws enable access to sensitive data, and instances have spread malware via GitHub. Turner advises, “Don’t just blindly download one of these things and start using it on a system that has access to your whole personal life. Build in some separation and run some experiments of your own before you really trust the new technology.”

