
I Found 42,000 Exposed AI Agents on Shodan. Yours Might Be One of Them.

In January 2026, security researchers found 42,665 exposed AI agent instances online—93.4% were vulnerable. Here's what they got wrong, and how to avoid making the same mistake.

Clawctl Team

Product & Engineering


Last month, security researcher Maor Dayan ran a simple Shodan query.

He found 42,665 AI agent instances exposed directly to the internet. No authentication. No firewall. Just... sitting there.

Of those, 93.4% were vulnerable to exploitation. Many were leaking API keys worth thousands of dollars per month. Some gave up months of private conversations on a simple WebSocket handshake.

This isn't a theoretical risk. It's happening right now.


The $50,000 Mistake

Here's a real scenario from January 2026:

A developer deployed OpenClaw on an AWS EC2 instance. They followed the standard Docker instructions:

docker run -p 3000:3000 openclaw/agent

That -p 3000:3000 flag publishes the port on 0.0.0.0, every network interface on the host, not just loopback. Docker also programs iptables for published ports itself, so a host firewall such as ufw does not block them. With a security group that allowed inbound traffic on that port from 0.0.0.0/0, their agent was reachable from the entire internet the moment the container started.

Within 48 hours:

  • Their Anthropic API key was extracted (stored in plaintext at ~/.openclaw/credentials/)
  • Someone racked up $47,000 in Claude API charges
  • Their agent's conversation history was dumped (contained proprietary business strategy)

Anthropic refunded the charges. The IP theft? That's gone forever.
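To make the bind problem concrete, here is an added example (not Clawctl's or OpenClaw's code) that parses a Docker -p spec the way Docker does, shows which host address it ends up on, and flags wildcard listeners in `ss -ltn` output. The sample ss output is constructed, and the corrected docker command assumes the image name from the page.

```python
"""Added example, not Clawctl's or OpenClaw's code: what a Docker -p spec binds
to, and a check for wildcard listeners. Assumes the `ss -ltn` column layout."""
import re


def parse_publish(spec: str) -> dict:
    """Split a docker `-p` value into host_ip, host_port, container_port.

    Docker accepts "containerPort", "hostPort:containerPort" and
    "ip:hostPort:containerPort" (IPv6 ip in brackets), optionally suffixed
    with /tcp or /udp. With no ip given, Docker binds the host port on
    0.0.0.0, i.e. every interface, which is the failure mode in the story.
    """
    parts = spec.split("/", 1)[0].rsplit(":", 2)
    if len(parts) == 1:
        host_ip, host_port, container_port = "0.0.0.0", None, parts[0]
    elif len(parts) == 2:
        host_ip, host_port, container_port = "0.0.0.0", parts[0], parts[1]
    else:
        host_ip, host_port, container_port = parts
    return {"host_ip": host_ip, "host_port": host_port,
            "container_port": container_port}


def is_exposed(spec: str) -> bool:
    """True when the published port is reachable on all interfaces."""
    return parse_publish(spec)["host_ip"] in ("0.0.0.0", "[::]", "")


_WILDCARD = re.compile(r"^(0\.0\.0\.0|\*|\[::\]):\d+$")


def wildcard_listeners(ss_output: str) -> list:
    """Return Local Address:Port of every LISTEN socket bound to all
    interfaces, from `ss -ltn` text (header line first, address in column 4)."""
    hits = []
    for line in ss_output.splitlines()[1:]:
        cols = line.split()
        if len(cols) >= 4 and cols[0] == "LISTEN" and _WILDCARD.match(cols[3]):
            hits.append(cols[3])
    return hits


# Constructed sample of `ss -ltn` output, not captured from a real host.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      4096   127.0.0.1:3000      0.0.0.0:*
LISTEN 0      4096   0.0.0.0:3001        0.0.0.0:*
LISTEN 0      128    [::]:22             [::]:*
"""

if __name__ == "__main__":
    for spec in ("3000:3000", "127.0.0.1:3000:3000"):
        info = parse_publish(spec)
        print(f"-p {spec:<22} host_ip={info['host_ip']:<10} exposed={is_exposed(spec)}")
    print("wildcard listeners:", wildcard_listeners(SAMPLE_SS))
    # The fix for the story's command (image name assumed from the page):
    #   docker run -p 127.0.0.1:3000:3000 openclaw/agent
    # Docker inserts its own iptables rules for published ports, so verify
    # with `ss -ltn` on the host rather than trusting ufw's status.
```

Run `ss -ltn | python3 -c 'import sys, thisfile; print(thisfile.wildcard_listeners(sys.stdin.read()))'` (with the module saved under a name of your choosing) on any box you suspect; anything listed on 0.0.0.0 or [::] is reachable by whatever the cloud security group lets through.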

What Actually Goes Wrong

Let's break down the "lethal trifecta"—a term coined by security researcher Simon Willison:

  1. Access to private data. Your agent can read files, query databases, and call internal APIs. That's the whole point.

  2. Exposure to untrusted content. User prompts, web pages it fetches, tool and plugin outputs: your agent processes content you don't control.

  3. Ability to communicate externally. HTTP calls, emails, shell commands: your agent can send data anywhere.

Any one of these is manageable. All three together, without guardrails, is how breaches happen.

And every default OpenClaw deployment has all three.

The Specific Vulnerabilities

Here's what the January research actually found:

Vulnerability         What it means                                    Share of exposed instances
Plaintext API keys    Claude/OpenAI keys stored unencrypted on disk    89%
WebSocket leaks       Private conversations exposed on handshake       34%
No authentication     Anyone can interact with the agent               78%
0.0.0.0 binding       Agent reachable from any network interface       91%
Control UI exposed    Admin panel reachable with no auth               67%

The most common attack? Connect to the WebSocket, request conversation history, extract API keys from plaintext files.

Average time to full compromise: 4 minutes.

Why Your Reverse Proxy Doesn't Help

"But I'm behind nginx!"

That doesn't help, and it can make things worse.

OpenClaw trusts connections from localhost by default. Put it behind a reverse proxy on the same host and every request arrives from 127.0.0.1, whether the real client is your laptop or an attacker on the other side of the world. The loopback trust check passes, and the attacker is in. A proxy only adds security if the gateway stops treating the TCP peer address as an identity: require the auth token on every request, and if you use client addresses for anything (logs, allowlists), take them from X-Forwarded-For only when the peer is your configured proxy, never from an arbitrary client.

This is documented in OpenClaw's own security notes—but almost nobody reads them.
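The following is an added example, not OpenClaw's code, that puts the two checks side by side: the loopback shortcut that a same-host proxy defeats, and a hardened version that requires the token on every request and derives the client address safely. The token value, header names and TRUSTED_PROXIES set are illustrative assumptions; the requests are constructed, not captured traffic.

```python
"""Added example, not OpenClaw's code: why 'trust loopback' fails behind a
reverse proxy, and the checks that survive one. GATEWAY_TOKEN, header names
and TRUSTED_PROXIES are illustrative assumptions."""
import hmac
import ipaddress

GATEWAY_TOKEN = "replace-with-a-random-32-byte-token"   # assumed shared secret
TRUSTED_PROXIES = {ipaddress.ip_address("127.0.0.1")}  # the nginx on this host


def _token_ok(headers: dict) -> bool:
    presented = headers.get("authorization", "")
    return hmac.compare_digest(presented, "Bearer " + GATEWAY_TOKEN)


def authorize_naive(remote_addr: str, headers: dict) -> bool:
    """The failure mode: loopback peers skip the token check. Behind a proxy on
    the same host every client is 127.0.0.1, so this passes for everyone."""
    if ipaddress.ip_address(remote_addr).is_loopback:
        return True
    return _token_ok(headers)


def real_client(remote_addr: str, headers: dict) -> str:
    """Client address for logs and allowlists: honour X-Forwarded-For only
    when the TCP peer is a configured proxy; otherwise it is attacker input."""
    peer = ipaddress.ip_address(remote_addr)
    xff = headers.get("x-forwarded-for", "")
    if peer in TRUSTED_PROXIES and xff:
        try:
            return str(ipaddress.ip_address(xff.split(",")[0].strip()))
        except ValueError:          # garbage in the header: fall back to peer
            pass
    return str(peer)


def authorize_hardened(remote_addr: str, headers: dict) -> bool:
    """Token required on every request; the source address buys nothing."""
    return _token_ok(headers)


# Constructed requests (not captured traffic).
VIA_PROXY_NO_TOKEN = ("127.0.0.1", {"x-forwarded-for": "203.0.113.5"})
VIA_PROXY_WITH_TOKEN = ("127.0.0.1", {"x-forwarded-for": "203.0.113.5",
                                      "authorization": "Bearer " + GATEWAY_TOKEN})
DIRECT_SPOOFED_XFF = ("198.51.100.7", {"x-forwarded-for": "127.0.0.1"})

if __name__ == "__main__":
    print("naive, attacker via proxy, no token:   ", authorize_naive(*VIA_PROXY_NO_TOKEN))
    print("hardened, attacker via proxy, no token:", authorize_hardened(*VIA_PROXY_NO_TOKEN))
    print("hardened, client via proxy with token: ", authorize_hardened(*VIA_PROXY_WITH_TOKEN),
          "from", real_client(*VIA_PROXY_WITH_TOKEN))
    print("direct client spoofing XFF is logged as", real_client(*DIRECT_SPOOFED_XFF))
```

The first print is the whole story: with the naive check, an unauthenticated request relayed by nginx is accepted because nginx is on loopback. The hardened check never consults the peer address for authorization, and `real_client` refuses a spoofed X-Forwarded-For from a client that is not the proxy.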

The 60-Second Fix

Here's what a secure deployment actually requires:

{
  "gateway": {
    "bind": "127.0.0.1",
    "port": 3000,
    "auth": {
      "token": "RANDOM_32_CHAR_TOKEN",
      "required": true
    }
  },
  "control_ui": { "enabled": false },
  "mdns": { "enabled": false },
  "sandbox": { "enabled": true }
}

Most developers never configure this. They run the default Docker command and hope for the best.
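As an added example (not Clawctl's or OpenClaw's code), here is an audit that checks a config of the shape shown above against each of those settings and generates a token of adequate length. It treats absent keys as insecure; that is an assumption for the audit, not documented OpenClaw default behaviour, and the "default-like" config it is run against is constructed.

```python
"""Added example, not Clawctl's or OpenClaw's code: audit a gateway config of
the shape shown in the article. Absent keys are treated as insecure, which is
an assumption about defaults, not documented OpenClaw behaviour."""
import json
import secrets

LOOPBACK = {"127.0.0.1", "::1", "localhost"}
PLACEHOLDERS = {"", "RANDOM_32_CHAR_TOKEN", "changeme"}


def audit_config(cfg: dict) -> list:
    """Return one finding string per hardening setting that is not in place."""
    findings = []
    gw = cfg.get("gateway", {})
    if gw.get("bind") not in LOOPBACK:
        findings.append(f"gateway.bind={gw.get('bind')!r}: must be a loopback address")
    auth = gw.get("auth", {})
    if auth.get("required") is not True:
        findings.append("gateway.auth.required: must be true")
    token = auth.get("token", "")
    if token in PLACEHOLDERS or len(token) < 32:
        findings.append("gateway.auth.token: missing, placeholder, or shorter than 32 chars")
    if cfg.get("control_ui", {}).get("enabled", True):
        findings.append("control_ui.enabled: must be false")
    if cfg.get("mdns", {}).get("enabled", True):
        findings.append("mdns.enabled: must be false")
    if cfg.get("sandbox", {}).get("enabled") is not True:
        findings.append("sandbox.enabled: must be true")
    return findings


def new_token() -> str:
    """32 bytes from the OS CSPRNG, URL-safe encoded (43 characters)."""
    return secrets.token_urlsafe(32)


def hardened_config(token: str) -> dict:
    """The article's hardened config with a real token substituted."""
    return {
        "gateway": {"bind": "127.0.0.1", "port": 3000,
                    "auth": {"token": token, "required": True}},
        "control_ui": {"enabled": False},
        "mdns": {"enabled": False},
        "sandbox": {"enabled": True},
    }


# Constructed stand-in for an unconfigured install (assumed shape, not measured).
DEFAULT_LIKE = json.loads('{"gateway": {"bind": "0.0.0.0", "port": 3000}}')

if __name__ == "__main__":
    for name, cfg in (("default-like", DEFAULT_LIKE),
                      ("placeholder token", hardened_config("RANDOM_32_CHAR_TOKEN")),
                      ("hardened", hardened_config(new_token()))):
        print(f"{name}:")
        for f in audit_config(cfg) or ["  ok"]:
            print(" ", f)
```

Note that the article's own sample config would fail this audit on the token check alone: RANDOM_32_CHAR_TOKEN is a placeholder, and copying it verbatim is a recognisable mistake in the wild.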

What Clawctl Does Differently

Clawctl generates this hardened configuration automatically:

  1. Gateway binds to loopback only — Never exposed directly to the internet
  2. Token authentication required — Every request validated
  3. API keys encrypted at rest — decrypted and injected into the agent process at runtime, never written to disk in plaintext
  4. Control UI disabled — No admin panel to exploit
  5. Network egress controlled — Agent can only reach approved domains
  6. Audit logs for everything — Full trail of every action

You get a secure deployment in 60 seconds instead of spending days hardening configs.

What Enterprise Security Teams Are Saying

VentureBeat published a CISO guide in January specifically about agentic AI security. Their recommendation?

"Treat agents as production infrastructure."

Not as experimental tools. Not as dev toys. Production infrastructure—with the same security controls you'd apply to your core systems.

The Bottom Line

The AI agent gold rush is real. But so are the security risks.

42,665 exposed instances in January 2026. 93.4% vulnerable. Thousands of API keys leaked.

You can:

  1. Deploy raw OpenClaw and hope you're not one of the 42,000
  2. Spend weeks hardening configs and pray you didn't miss anything
  3. Use Clawctl and get secure defaults in 60 seconds

Deploy securely, or don't deploy at all.

Get Clawctl →

Data sources: Maor Dayan's January 2026 Shodan research, Cisco AI agent security study, VentureBeat CISO guide.
