If your development team has been experimenting with OpenClaw — and statistically, there is a good chance they have, given its 346,000 GitHub stars — you need to stop what you are doing and check your deployment. Right now.

Over the past fortnight, security researchers have uncovered what can only be described as a rolling catastrophe: more than 135,000 OpenClaw instances sitting on the public internet, many with default credentials, leaking API keys, OAuth tokens, and plaintext secrets to anyone who cares to look.

This is not a theoretical risk. This is happening today.

TL;DR

  • Over 135,000 OpenClaw instances are publicly exposed on the internet due to insecure default configurations — up from roughly 1,000 just weeks earlier
  • The ClawJacked vulnerability allows malicious websites to silently hijack locally running OpenClaw agents via WebSocket brute-forcing
  • 1,184 malicious skills have been confirmed on ClawHub, OpenClaw’s marketplace — a full-blown supply chain attack surface
  • Most real-world risk comes from insecure deployment, not zero-day exploits: binding to all interfaces, running as root, weak authentication
  • Development teams need to audit their OpenClaw deployments immediately and implement network isolation, least-privilege access, and skill vetting

What Is OpenClaw and Why Does It Matter?

OpenClaw is an open-source framework for running agentic AI — AI systems that can take autonomous actions using tools — on local machines with access to files, browsers, APIs, and connected services. Think of it as giving an LLM hands: it can read your codebase, execute terminal commands, browse the web, and interact with any API you connect to it.

The appeal is obvious. Developers love it because it collapses entire workflows into natural language instructions. But that same power — the ability to act with real authority over files, credentials, and workflows — is precisely what makes a misconfigured instance so dangerous.

The Scale of the Exposure

In early April 2026, Censys identified 21,639 exposed OpenClaw instances publicly accessible on the internet. By mid-April, that number had ballooned past 135,000. The growth curve is staggering and shows no sign of levelling off.

The root cause is depressingly familiar to anyone who has watched Docker, Redis, or Elasticsearch go through the same cycle: insecure defaults meeting rapid adoption.

Most exposed instances share the same configuration sins:

  • Binding to 0.0.0.0 instead of localhost, exposing the agent to the entire network
  • Running with root privileges, giving the agent unrestricted access to the host system
  • Weak or default authentication, often just a short API key or no authentication at all
  • No network segmentation, allowing the agent to reach internal services, databases, and cloud metadata endpoints

The result? Misconfigured instances are leaking API keys, OAuth tokens, and plaintext credentials. GreyNoise’s honeypot infrastructure captured over 91,000 attack sessions targeting exposed LLM endpoints between October 2025 and January 2026 — and that was before the OpenClaw explosion.

ClawJacked: The Vulnerability That Should Keep You Awake

Even if your OpenClaw instance is running locally and not exposed to the internet, you are not necessarily safe. The ClawJacked vulnerability (CVE-2026-25253) demonstrated that a malicious website could silently hijack a locally running OpenClaw agent.

The attack exploits trust assumptions around localhost WebSocket connections. An attacker’s website can brute-force the gateway credentials directly from the victim’s browser, take control of the agent, and issue commands with administrative privileges. One click. No user interaction beyond visiting a webpage.

OpenClaw patched this in version 2026.1.29, but the attack highlighted a fundamental architectural concern: agentic AI frameworks are building complex permission models on top of assumptions that were never designed for adversarial environments.

The Supply Chain Is Already Compromised

ClawHub, the marketplace where developers share and install OpenClaw skills (essentially plugins that extend the agent’s capabilities), has become a prime target. Antiy CERT confirmed 1,184 malicious skills across the platform.

This mirrors what happened with npm, PyPI, and the VS Code extension marketplace — but with a critical difference. When a malicious npm package executes code, it runs with the permissions of the Node.js process. When a malicious OpenClaw skill executes, it runs with the full authority of an autonomous AI agent that likely has access to your filesystem, your API keys, your cloud credentials, and your browser sessions.

Meanwhile, Moltbook — a social network built for OpenClaw agents — was found to have an unsecured database exposing 35,000 email addresses and 1.5 million agent API tokens. The agent ecosystem is moving so fast that basic security hygiene is being treated as an afterthought.

Why This Keeps Happening

This is not unique to OpenClaw. It is the same pattern we have seen with every developer tool that prioritises ease of adoption over secure defaults:

  1. Rapid adoption — developers grab the tool because it solves a real problem
  2. Default configurations optimise for local development — “just works” out of the box
  3. Deployment without hardening — the dev config gets pushed to staging, then production
  4. Attackers notice — automated scanning finds exposed instances within hours

We saw it with MongoDB in 2017. We saw it with Elasticsearch. We saw it with Docker daemon sockets. The difference now is that the exposed service is not just a database — it is an autonomous agent with the ability to take actions on your behalf.

What Your Team Needs to Do Right Now

1. Audit Your Deployments

Search your infrastructure for any OpenClaw instances. Check cloud environments, developer workstations, CI/CD runners, and staging servers. If you find instances binding to anything other than 127.0.0.1, fix them immediately.

2. Network Isolation

OpenClaw should never be directly accessible from the internet. Place it behind a VPN or zero-trust network access layer. Segment it from production databases and cloud metadata services.

3. Least-Privilege Access

Never run OpenClaw as root. Create a dedicated service account with the minimum permissions the agent actually needs. Rotate credentials regularly and use short-lived tokens where possible.

4. Vet Every Skill

Treat ClawHub skills like you would any third-party dependency. Review the source code before installation. Pin versions. Monitor for known vulnerabilities. Better yet, maintain an internal allowlist of approved skills.

5. Update Immediately

Ensure you are running OpenClaw 2026.1.29 or later to patch the ClawJacked vulnerability. Subscribe to security advisories and have a process for rapid patching.

6. Monitor Agent Behaviour

Implement logging and alerting for your AI agents. Track what commands they execute, what files they access, and what external services they call. Nearly half of organisations (48.9%) are entirely blind to machine-to-machine traffic — do not be one of them.
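One way to turn the six steps above into a repeatable fleet check, as an added example that is not OpenClaw's or REPTILEHAUS's own code: the inventory records and the field names (bind, user, version, auth_mode, api_key_len) are constructed assumptions about what an inventory tool would collect, not OpenClaw's real configuration schema; only the 127.0.0.1 bind rule and the 2026.1.29 patch threshold come from the post.

```python
# Added example (not OpenClaw or REPTILEHAUS code). Field names are assumptions about
# what an inventory tool would collect, not OpenClaw's real configuration schema.
from dataclasses import dataclass

PATCHED_VERSION = (2026, 1, 29)  # first release with the ClawJacked fix (from the post)
MIN_KEY_LEN = 32                 # assumed threshold below which an API key counts as "short"

@dataclass
class Instance:
    host: str
    bind: str          # address the gateway listens on
    user: str          # account the agent process runs as
    version: str       # date-style version such as "2026.1.29"
    auth_mode: str     # assumed values: "none", "api_key", "oidc"
    api_key_len: int = 0

def parse_version(v: str) -> tuple:
    """Turn "2026.1.29" into (2026, 1, 29) so versions compare numerically."""
    return tuple(int(p) for p in v.split("."))

def audit(inst: Instance) -> list:
    """Return findings for one instance; an empty list means it passes every check."""
    findings = []
    if inst.bind != "127.0.0.1":
        findings.append(f"bound to {inst.bind}; must listen on 127.0.0.1 only")
    if inst.user == "root":
        findings.append("runs as root; use a dedicated least-privilege service account")
    if parse_version(inst.version) < PATCHED_VERSION:
        findings.append(f"version {inst.version} predates 2026.1.29 (ClawJacked unpatched)")
    if inst.auth_mode == "none":
        findings.append("no authentication configured")
    elif inst.auth_mode == "api_key" and inst.api_key_len < MIN_KEY_LEN:
        findings.append(f"API key of {inst.api_key_len} chars is too short")
    return findings

def audit_fleet(instances) -> dict:
    """Map host -> findings, keeping only hosts that have at least one finding."""
    return {i.host: f for i in instances if (f := audit(i))}

# Constructed inventory: a dev config that leaked to a CI runner, and a hardened workstation.
FLEET = [
    Instance("ci-runner-03", "0.0.0.0", "root", "2026.1.12", "api_key", 12),
    Instance("dev-ws-17", "127.0.0.1", "openclaw", "2026.2.3", "oidc"),
]

if __name__ == "__main__":
    for host, findings in audit_fleet(FLEET).items():
        print(host, *("\n  - " + f for f in findings))
```

Feed it whatever your asset inventory exports for each discovered instance; any host that appears in the report has at least one of the configuration sins listed earlier.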

The Bigger Picture

The OpenClaw crisis is a preview of what happens when powerful agentic AI tools meet the messy reality of enterprise infrastructure. As AI agents become more capable — and more deeply integrated into development workflows — the attack surface grows exponentially.

At REPTILEHAUS, we have been helping teams navigate exactly this challenge: integrating AI agents into development and DevOps workflows without creating new attack vectors. Whether it is locking down agent infrastructure, building secure deployment pipelines, or auditing your AI toolchain, our team specialises in making powerful tools safe for production.

The companies that get agentic AI security right will have a genuine competitive advantage. The ones that do not will be reading about themselves in the next breach report.

Need help securing your AI agent infrastructure? Get in touch — we would love to help.