135,000+ OpenClaw Instances Are Exposed on the Public Internet — Here's What You Need to Know

Milo · 8 min read

The Scale of the Problem

In February 2026, security researchers discovered that over 135,000 OpenClaw instances are accessible on the public internet — most with no authentication whatsoever. This means anyone can connect to these agents, read their conversation history, execute commands on the host machine, and install malicious skills.

To put this in perspective: each exposed instance is essentially an unlocked computer connected to the internet, with an AI agent that has access to email, files, code execution, and often payment systems.

How Did This Happen?

The root cause is a combination of factors:

1. Default Configuration is Insecure

Many OpenClaw setup guides and tutorials use 0.0.0.0 as the gateway host, which binds the service to all network interfaces, including any that face the public internet. New users copy these examples without understanding the security implications.

2. No Authentication by Default

OpenClaw doesn't require authentication out of the box. If you start the gateway without configuring allowedKeys, anyone who can reach port 3000 has full access.

3. Cloud Deployment Without Firewalls

Many users deploy OpenClaw on cloud VMs (AWS EC2, DigitalOcean Droplets, Hetzner) without configuring firewall rules. The combination of 0.0.0.0 binding, no authentication, and no firewall leaves the agent fully exposed.

4. Rapid Adoption Outpacing Security Awareness

OpenClaw's user base has grown dramatically, but security documentation hasn't kept pace with adoption. Many new users simply want their agent running and skip security hardening.

What Attackers Are Doing

Exposed OpenClaw instances are being actively exploited for:

Cryptomining

Attackers use the agent's exec capability to install cryptocurrency miners on the host machine, consuming CPU/GPU resources.

Credential Harvesting

Agents often have access to email accounts, API keys, and payment systems. The Atomic Stealer malware, distributed through 1,100+ malicious ClawHub skills, specifically targets stored credentials.

Botnet Recruitment

Compromised agents can be enrolled into botnets for DDoS attacks, spam campaigns, or further scanning/exploitation.

Data Exfiltration

Conversation history, files, and any data the agent has access to can be read and exfiltrated.

Prompt Injection Attacks

Attackers can inject prompts that cause the agent to perform malicious actions using its legitimate permissions — sending emails, making purchases, or modifying code.

Government Response

The situation is serious enough that multiple government agencies have responded:

  • CISA (Cybersecurity and Infrastructure Security Agency) issued an advisory on securing AI agent deployments
  • FBI warned about the exploitation of exposed AI agents for financial fraud
  • NSA published hardening guidance for autonomous AI systems
  • NCSC (UK) and ENISA (EU) issued similar advisories
How to Check If You're Exposed

Quick Check (30 seconds)

  • Visit getmilo.dev
  • Paste your OpenClaw config
  • Get an instant security score
Manual Check

Run these commands on the machine hosting your OpenClaw instance:

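    # Check what address the gateway is bound to
    # (the trailing [[:space:]] keeps ports such as 30000 from matching)
    ss -tlnp | grep -E ':3000[[:space:]]'

    # If you see 0.0.0.0:3000 (or the wildcard forms *:3000 / [::]:3000), you're exposed
    # Should show 127.0.0.1:3000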

You can also check from outside your network:

    curl http://YOUR_PUBLIC_IP:3000

If this returns a response, your gateway is publicly accessible.
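The `ss` check above can be scripted so that it matches the port exactly and recognises every wildcard bind form. This is an added example, not code from the original post or from OpenClaw; the function name `classify_listeners`, its output labels and the sample `ss -tln` output are constructed for illustration.

```shell
#!/bin/sh
# Added example: classify the bind address of every listener on one TCP port.
# Input is `ss -tln` output on stdin (no -u, so column 4 is Local Address:Port).

# Constructed sample: gateway on all interfaces, plus an unrelated service on
# 30000 that a plain `grep 3000` would also match.
SAMPLE_SS='State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511          0.0.0.0:3000       0.0.0.0:*
LISTEN 0      511             [::]:3000          [::]:*
LISTEN 0      128          0.0.0.0:30000      0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*'

# Constructed sample: the same host after setting host: 127.0.0.1.
SAMPLE_FIXED='LISTEN 0      511        127.0.0.1:3000       0.0.0.0:*'

# Prints "<KIND> <address>" per listener; exit status 1 if any listener on
# the port is bound to something other than loopback.
classify_listeners() {
    awk -v port="$1" '
        $1 != "LISTEN" { next }
        {
            i = match($4, /:[0-9]+$/)            # port follows the last colon
            if (i == 0 || substr($4, i + 1) != port) next
            host = substr($4, 1, i - 1)
            sub(/%.*/, "", host)                 # drop interface scope (%lo)
            seen = 1
            if (host ~ /^127\./ || host == "[::1]") {
                kind = "LOOPBACK"
            } else if (host == "0.0.0.0" || host == "*" || host == "[::]") {
                kind = "ALL-INTERFACES"; bad = 1
            } else {
                kind = "SPECIFIC-ADDRESS"; bad = 1
            }
            print kind, host
        }
        END { if (!seen) print "NO-LISTENER", port; exit bad + 0 }
    '
}

# Demo on the constructed samples.
printf '%s\n' "$SAMPLE_SS" | classify_listeners 3000 || echo "3000: reachable beyond loopback"
printf '%s\n' "$SAMPLE_FIXED" | classify_listeners 3000 && echo "3000: loopback only"
```

On a live host, feed it real data with `ss -tln | classify_listeners 3000`.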

How to Fix It Right Now

Immediate steps (do these now):

  • Change gateway host to 127.0.0.1
  • Add strong authentication tokens
  • Restart the gateway
  • Verify you can't reach it from outside

    gateway:
      host: 127.0.0.1
      port: 3000
      auth:
        allowedKeys:
          - "your-strong-random-token"

Then:

  • Audit installed skills for malware
  • Review exec permissions (switch to allowlist)
  • Set up TLS if remote access is needed
  • Check conversation history for signs of unauthorized access

For a comprehensive automated fix, install Milo Shield — it scans your entire deployment and can apply fixes automatically.

The Bigger Picture

This isn't just an OpenClaw problem. As AI agents become more capable and more widely deployed, the attack surface grows. An AI agent with access to email, code execution, and web browsing is a far more valuable target than a traditional web server.

The security practices we apply to traditional software — network segmentation, authentication, least privilege, monitoring — are even more critical for AI agents. The difference is that a compromised AI agent doesn't just serve malicious content; it can autonomously take actions on your behalf.

Secure your deployment now. Don't be one of the 135,000.

