Widespread misconfiguration of popular AI assistant OpenClaw means many instances are exposed to the public-facing internet, SecurityScorecard has warned.
The security vendor said it found 40,214 such instances of the tool, formerly known as Clawdbot and Moltbot, although the figure is still rising. They are associated with 28,663 unique IP addresses.
The exposed AI agents could enable threat actors to gain full access to potentially sensitive systems the OpenClaw instance is able to interact with.
SecurityScorecard found that type of activity is already occurring. The firm correlated 549 exposed instances with prior breach activity, and 1493 with known vulnerabilities.
In total, 63% of observed deployments are vulnerable, with 12,812 exposed instances exploitable via remote code execution (RCE) attacks. This could allow threat actors to completely take over the host machine.
“The more centralized the access, the more damage a single compromise can cause. What looks like convenience is actually a concentration of risk,” warned SecurityScorecard. “This is the same pattern security teams have seen with cloud tools, third-party software, and shadow IT for years.”
Read more on OpenClaw: Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw.
Vulnerability exploitation appears likely. SecurityScorecard has already discovered three high-severity CVEs in OpenClaw, with public exploit code available for each.
Most exposures appear to be located in China, followed by the US and Singapore. Information services is the most impacted industry, followed by technology, manufacturing and telecommunications.
As well as RCE, OpenClaw instances are at risk of indirect prompt injection, whereby an attacker sends a target a message or places hidden text on a website containing malicious instructions. When the agent reads the message, it will faithfully follow these instructions – often without its owner being aware.
Some OpenClaw users have also been leaking API keys linked to third-party services via their control panels, further amplifying the impact of instances’ internet exposure.
How to Secure OpenClaw AI Deployments
SecurityScorecard urged OpenClaw users to take the following steps to secure their instances – which are applicable to all agentic AI:
- Aggressively limit access by granting only what is needed, reviewing often, and avoiding long-lived permissions
- Adopt a zero trust mindset predicated on the “never trust, always verify” mantra for any agents, tools or integrations
- Pay attention to the logic, instructions, and components an agent relies on
- Be aware of prompt injection and manipulation risks. Agents do exactly what context allows them to do. Treat every agent like a privileged identity that can cause damage if misused
“Don’t just blindly download one of these things and start using it on a system that has access to your whole personal life,” argued SecurityScorecard VP of threat intelligence and research, Jeremy Turner. “Build in some separation and run some experiments of your own before you really trust the new technology to do what you want it to do.”
