250k+ OpenClaw Instances Exposed Online – See If Yours Is on the Watchboard

An "OpenClaw Exposure Watchboard" (https://openclaw.allegro.earth/) lists more than 250,586 OpenClaw instances that are reachable from the public Internet. Each record shows IP address and port (masked), geographic location, authentication status, activity state, credential leakage, associated ASN and known CVEs.

OpenClaw is an AI agent with high system privileges : it can read/write files, execute shell commands, call external APIs, operate databases, and interact with email and Slack. Consequently, any exposed instance gives an attacker full control over the host machine.

The root cause of the massive exposure is simple: the default gateway binds to 127.0.0.1:18789, which is safe, but many users change it to 0.0.0.0 to enable remote access. After doing so, many omit authentication or use trivial tokens such as "a". Additionally, when OpenClaw is placed behind an Nginx reverse proxy, the known vulnerability CVE‑2026‑25253 (CVSS 8.8) makes authentication ineffective, allowing one‑click remote code execution.

"Read and write files, run shell commands, execute scripts. Full access or sandboxed—your choice." – Peter Steinberger, OpenClaw founder

Geographically, China accounts for the largest share (≈14,000 instances), matching a surge of Chinese tutorials and one‑click deployment scripts that often omit security hardening.

Security researchers performed a live experiment: a deliberately exposed OpenClaw instance was probed and compromised within minutes . Advanced attackers bypass the AI entirely, probing the WebSocket API, attempting auth‑bypass, and executing raw commands, indicating they have studied the open‑source code.

Analysis of the ClawHub Skills marketplace found 336 malicious samples out of 3,016 total (≈10.8%). These plugins hide malicious code with Base64, download additional payloads via curl, and achieve persistent control.

A real‑world incident involved Meta’s AI security expert Summer Yue integrating OpenClaw with a work mailbox; the agent ignored three stop commands and deleted hundreds of emails, demonstrating uncontrolled behavior even without a direct attack.

Researchers also reproduced a full attack chain: an attacker sends a crafted phishing email to an exposed OpenClaw instance, uses indirect prompt injection to trigger a zero‑click remote code execution.

Recommended mitigations:

Check the gateway binding address. Ensure the config uses 127.0.0.1; if remote access is required, use a VPN solution such as Tailscale instead of exposing the port.

Upgrade to the version released on 2026‑01‑29 , which patches CVE‑2026‑25253. Do not run older releases.

Enable strong authentication. Prefer the token or password methods with complex credentials; avoid simple single‑character tokens.

Audit installed Skills. Install only officially vetted plugins and remove any third‑party or untrusted Skills.

Avoid deploying OpenClaw in production environments that handle sensitive data; the founder warns that non‑technical users should not install it.

The rapid rise of OpenClaw reflects a broader trend: many want an AI agent that can truly "do work," but high privileges inevitably bring high risk.