42,665 Exposed OpenClaw Instances: What Security Researchers Found
In January 2026, security researcher Maor Dayan published findings that should concern every OpenClaw user:
42,665 exposed agent instances. 93.4% were vulnerable to exploitation.
That's not a theoretical risk. That's a Shodan search away from someone accessing your API keys, chat history, and server.
Here's what went wrong—and how to make sure you're not one of them.
Don't be one of them. Deploy securely in 60 seconds →
The Default Configuration Problem
OpenClaw binds to 0.0.0.0 by default. That means it listens on all network interfaces—including public ones.
Most users put a reverse proxy in front (nginx, Caddy, Cloudflare). They assume that means they're protected.
They're not.
OpenClaw trusts requests from "localhost" by default. Many reverse proxy configurations forward requests in a way that makes every request look local. Result: no authentication. Full access.
Bitdefender called it "a common misconfiguration with great impact."
What Attackers Can Access
On an exposed OpenClaw instance, an attacker can:
- Read all conversation history — Everything your agent has ever discussed
- Steal API keys — Anthropic, OpenAI, AWS credentials stored in plaintext
- Run arbitrary commands — Full shell access on the host
- Access connected services — OAuth tokens, database credentials, email accounts
The official docs acknowledge this: "Don't add OpenClaw to group chats—everyone in that chat can issue commands to your server."
If everyone in a group chat can issue commands, what about everyone on the internet?
The WebSocket Attack (January 2026)
It gets worse.
Researchers demonstrated that visiting a malicious webpage could hand an attacker full control of your local OpenClaw instance—even if it wasn't exposed to the internet.
The attack hijacked your browser's WebSocket connection to your local instance, stole the authentication token, and took over.
This was patched within two days. But the question remains: how many were vulnerable before that? How many haven't updated?
The Supply Chain Risk
OpenClaw has a community skills repository. No vetting. No code signing.
A researcher uploaded a backdoored skill, gamed the download count to appear popular, and within hours dozens of developers had installed it.
His payload was harmless—a proof of concept. But he made the point clearly:
"Had I been malicious, those users would have had their SSH keys, AWS credentials, and entire codebases exfiltrated before they knew anything was wrong."
Cisco research found that 26% of 31,000 agent skills contain at least one security vulnerability. The skills you install are running on your machine with your permissions.
Check If You're Exposed
Here's how to see if your instance is visible on Shodan:
- Go to shodan.io
- Search for "openclaw" or your server's IP
- If you see your dashboard—you're exposed
Or check your configuration:
- Is your gateway bound to
0.0.0.0or127.0.0.1? - Is token authentication enabled?
- Is the Control UI disabled for external access?
- Are your credentials encrypted or plaintext?
If you answered wrong to any of these, you need to act now.
The Secure Configuration
Here's what a hardened OpenClaw deployment requires:
| Setting | Insecure Default | Secure Configuration |
|---|---|---|
| Gateway bind | 0.0.0.0 | 127.0.0.1 (loopback only) |
| Authentication | Localhost trusted | Token auth required |
| Control UI | Enabled | Disabled for external |
| Credentials | Plaintext on disk | Encrypted, injected at runtime |
| Audit logging | None | All actions logged |
| Network egress | Unrestricted | Domain allowlist |
You can configure all of this yourself. One mistake and you're back to vulnerable.
Or you can use Clawctl, which generates this configuration automatically in 60 seconds.
The Audit Trail Question
Even if you harden your instance today, ask yourself:
Do you know what your agent did last week?
Without audit logging, you can't. If you were exposed—even briefly—you have no way to know what happened.
That uncertainty is often worse than knowing something bad occurred.