OpenClaw Has 135,000 Instances Exposed to the Internet. It Might Already Be on Your Network.
OpenClaw, an open-source agentic AI assistant with 200,000+ GitHub stars, has become a full-spectrum enterprise security crisis: 135,000+ instances exposed to the public internet, 50,000+ vulnerable to RCE, six new high-severity CVEs, active infostealer campaigns, and a malicious skills supply chain.
OpenClaw is an open-source agentic AI assistant with over 200,000 GitHub stars that lets users deploy personal AI agents with shell command access, file system control, and integrations to email, messaging apps, cloud services, and APIs. It has become a full-spectrum enterprise security crisis.
The numbers: 135,000 instances exposed to the public internet and climbing past 142,000 at last count. Over 50,000 vulnerable to remote code execution with public exploit code available. Six new high-severity CVEs disclosed in a single week. Active infostealer campaigns targeting its configuration files. A malicious skills supply chain already being weaponized. And employees installing it on corporate devices connected to your production systems.
The Exposure Is Staggering
SecurityScorecard's STRIKE team initially identified 40,214 exposed instances. Within days, that number surged past 135,000. Of those, between 12,812 and 50,000 are exploitable via known RCE vulnerabilities. Over 53,000 exposed instances correlate with prior breach activity or known threat actor IPs. Most exposures are in China, the United States, and Singapore, with information services, technology, manufacturing, and telecom the most impacted industries.
These are not honeypots or test instances. These are production deployments with shell access, file system control, and API credentials stored in accessible configuration files.
The Vulnerability Chain Goes Deep
Six new CVEs were disclosed on February 18 by Endor Labs. They include SSRF in the Gateway tool scored at CVSS 7.6, missing webhook authentication at CVSS 7.5, path traversal in browser upload, SSRF in the image tool, SSRF in Urbit authentication, and Twilio webhook authentication bypass. Traditional static analysis tools cannot catch these vulnerabilities because the flaws span LLM-to-tool data flows and agent-specific trust boundaries, which require specialized analysis.
Infostealers now target OpenClaw directly. Hudson Rock detected a Vidar-variant infostealer exfiltrating openclaw.json containing gateway tokens, device.json containing cryptographic keys, and soul.md containing agent behavioral instructions. A stolen gateway token lets an attacker connect to the victim's local OpenClaw instance remotely or masquerade as the client. Hudson Rock described this as the transition from stealing browser credentials to harvesting the souls of personal AI agents.
The malicious skills supply chain is already active. The OpenSourceMalware team documented a campaign where malicious skills bypass VirusTotal scanning by hosting malware on lookalike OpenClaw websites, using the skills as decoys. OpenClaw partnered with VirusTotal to scan uploads, but attackers adapted immediately. A separate supply chain attack hit Cline users by secretly installing OpenClaw through a vulnerability disclosed by security researcher Adnan Khan.
Why Enterprises Should Care Even If They Did Not Deploy It
Cisco's Talos team tested OpenClaw and confirmed that malicious skills can execute data exfiltration via silent curl commands to external servers, conduct prompt injection to bypass safety guidelines, and do it all without user awareness. Employees installing OpenClaw on corporate devices and connecting it to Slack, SharePoint, email, or any API create a covert data-leak channel that bypasses traditional DLP, proxies, and endpoint monitoring.
The platform stores API keys, OAuth tokens, and conversation history in accessible locations. Kaspersky notes these configurations violate regulatory requirements across multiple frameworks including the EU AI Act and NIST AI RMF.
What Makes This Different from Typical Shadow IT
Traditional shadow IT risks involve unauthorized SaaS apps or personal devices. OpenClaw is an autonomous agent with shell access, file system control, and broad OAuth permissions operating on your corporate network, connected to your production systems, with no built-in access controls, audit trails, or security boundaries. Its own documentation states there is no perfectly secure setup.
As Cisco's analysis concluded: AI agents with system access can become covert data-leak channels that bypass traditional data loss prevention.
The Defensive Playbook
Detect installation by monitoring for OpenClaw onboarding commands, ClawHub skill installations, and associated processes. Block network traffic to domains associated with OpenClaw and monitor API calls to LLM providers. Scan file systems for OpenClaw installation directories, configuration files, and persistence items. Hunt for AI service API keys in environment variables or config files.
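A host-side hunt of the kind the playbook describes, written as an added example (not OpenClaw's tooling or this article's code): it walks a directory for the three artifact files the infostealer campaign targets, flags a config that stores a token in plaintext or is readable by other local accounts, and lists environment variables that look like AI provider keys. The directory layout, JSON key names, and environment-variable prefixes are assumptions; the sample tree is constructed for the demo.

```python
import json
import stat
import tempfile
from pathlib import Path

# File names the article cites as infostealer targets. The directory layout,
# JSON key names and env-var prefixes are assumptions, not OpenClaw's own spec.
ARTIFACT_NAMES = {"openclaw.json", "device.json", "soul.md"}
TOKEN_KEYS = {"gateway_token", "token", "api_key"}   # assumed key names
AI_ENV_PREFIXES = ("OPENAI_", "ANTHROPIC_")          # assumed env-var prefixes

def plaintext_token_keys(text):
    """Keys at any nesting depth of a JSON document that hold a non-empty token-like string."""
    hits = []
    def hook(d):                       # object_hook runs for every decoded object
        hits.extend(k for k, v in d.items() if k in TOKEN_KEYS and isinstance(v, str) and v)
        return d
    try:
        json.loads(text, object_hook=hook)
    except json.JSONDecodeError:
        pass                           # unparsable config: report nothing rather than crash
    return sorted(hits)

def hunt_artifacts(root):
    """Report each OpenClaw artifact under `root`: whether other local accounts can
    read it, and whether a JSON config stores a gateway token in plaintext."""
    findings = []
    for path in sorted(Path(root).rglob("*")):
        if path.name not in ARTIFACT_NAMES or not path.is_file():
            continue
        keys = plaintext_token_keys(path.read_text()) if path.suffix == ".json" else []
        findings.append({"path": str(path), "plaintext_secret": bool(keys),
                         "world_readable": bool(path.stat().st_mode & stat.S_IROTH)})
    return findings

def hunt_env_keys(env):
    """Names (never values) of env vars that look like AI provider API keys."""
    return sorted(k for k in env if k.startswith(AI_ENV_PREFIXES) and k.endswith("_KEY"))

def build_sample_tree():
    """Constructed stand-in for a user's home directory; not a real install."""
    agent = Path(tempfile.mkdtemp()) / "home" / "alice" / ".openclaw"   # assumed path
    agent.mkdir(parents=True)
    cfg, soul = agent / "openclaw.json", agent / "soul.md"
    cfg.write_text(json.dumps({"gateway": {"token": "CONSTRUCTED-GATEWAY-TOKEN"}}))
    cfg.chmod(0o644)    # readable by every local account, as an infostealer would find it
    soul.write_text("# constructed agent instructions\n")
    soul.chmod(0o600)
    return agent.parents[2]
```

Run `hunt_artifacts("/home")` and `hunt_env_keys(dict(os.environ))` on a real host to get findings for the SIEM; the permission check assumes a POSIX file system.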
Treat personal AI agents as unauthorized privileged software. Add OpenClaw explicitly to your prohibited software list and communicate the policy. This is not about banning AI tools. It is about banning unsanctioned autonomous agents with root-level access to your infrastructure.
Sam Altman announced on February 15 that OpenClaw's founder is joining OpenAI and the project will move to a foundation with OpenAI support. That may improve security long-term. But the 135,000 exposed instances running today will not patch themselves. Your employees may already be running it. The question is whether your security team discovers it through a detection alert or a breach notification.