In January 2026, a security researcher ran a passive internet scan and found 42,665 publicly exposed OpenClaw instances. By early March, that number had grown to 258,305 — tracked in real time on a public watchboard. This isn't a theoretical risk. These are real instances, with real credentials, accessible to anyone with a browser.
This post covers what happened, what the security community found, and what you should do if you're running OpenClaw.
For our original hardening checklist (still relevant), see: OpenClaw Security Best Practices.
Contents
- Timeline: How We Got Here
- The Scale of the Problem
- Three Compounding Threats
- Who Is Actually Affected
- What the Community Is Saying
- What You Should Do Right Now
- The Bigger Picture
Timeline: How We Got Here
Late January 2026 — Security researcher Maor Dayan discovers 42,665 exposed OpenClaw instances via passive scan. Of the 5,194 actively verified, 93.4% had critical authentication bypass vulnerabilities. Bitsight independently observes 30,000+ exposed instances in the same period.
Early February — Koi Security audits the ClawHub skill marketplace and finds 341 malicious skills out of 2,857 reviewed. One of them was the #1 most-downloaded skill. SecurityScorecard STRIKE identifies 42,900 unique IPs with exposed control panels, 15,200 vulnerable to remote code execution.
Mid-February — Malicious skill count climbs to 1,184 (one attacker uploaded 677 alone). Microsoft Threat Intelligence confirms a supply chain attack: the Cline CLI npm package silently installed OpenClaw for approximately 8 hours on Feb 17. Microsoft classifies OpenClaw as "untrusted code execution with persistent credentials" and says it is "not appropriate" for standard workstations.
February 20 — Andrej Karpathy tweets: "400K lines of vibe coded monster that is being actively attacked at scale." The tweet reaches 3.3 million views and 17,400 likes, becoming the single most impactful public statement on the crisis.
February 23 — Summer Yue, Meta's Head of Alignment, watches her own OpenClaw agent delete her entire inbox and ignore repeated "STOP" commands. She has to physically run to her Mac Mini and kill all processes. The agent later responds: "Yes, I remember. And I violated it. You're right to be upset."
Late February — Belgium's national cybersecurity center issues a government advisory. Cisco calls personal AI agents like OpenClaw "a security nightmare."
Early March — Oasis Security discloses ClawJacked (CVE-2026-25253, CVSS 8.8): a vulnerability allowing any website to hijack a local OpenClaw agent via WebSocket brute-force, with no user interaction required. Watchboard count reaches 258,305 exposed instances across dozens of countries.
The Scale of the Problem
The numbers tell the story:
- 258,305 publicly reachable instances as of March 5, 2026
- 1,184 malicious skills discovered on ClawHub
- 90+ security advisories filed against OpenClaw
- 9 CVEs disclosed in 5 weeks, including a CVSS 8.8 WebSocket hijack
- Instances found across Russia, China, Singapore, Germany, Netherlands, United States, Turkey, and dozens more countries
- Hosted on AWS, Tencent Cloud, Baidu, Google Cloud, DigitalOcean, Oracle, and others
Coverage has appeared in The Hacker News, BleepingComputer, SecurityWeek, Kaspersky, Bitdefender, and Infosecurity Magazine.
Three Compounding Threats
What makes this crisis particularly dangerous is that three distinct problems are happening simultaneously:
1. Exposed Instances
The "localhost fallacy" — OpenClaw was designed to run locally, but users deployed it to cloud VPS providers for always-on availability, inadvertently making port 18789 reachable from the internet. Many of these instances had no authentication enabled (pre-v2026.1.29) or misconfigured trustedProxies settings that bypassed auth entirely.
2. Malicious Supply Chain
The ClawHub marketplace became a distribution channel for malware. Attackers uploaded skills that looked legitimate but contained data exfiltration code, credential stealers (Atomic Stealer via ClickFix technique), and backdoors. With no skill signing and no mandatory review process, the marketplace was essentially an open door.
3. Active WebSocket Exploits
The ClawJacked vulnerability (CVE-2026-25253) demonstrated that even locally-running instances aren't safe. A malicious website can brute-force the WebSocket connection password and take full control of the agent — reading emails, executing commands, accessing files — all without the user clicking anything.
These three threats compound: an exposed instance with malicious skills and an exploitable WebSocket is a complete compromise of everything the agent has access to.
Who Is Actually Affected
You should be concerned if:
- You're running OpenClaw on a VPS (AWS, DigitalOcean, Hetzner, Tencent Cloud, etc.) — especially if you haven't configured a firewall to block port 18789
- You installed skills from ClawHub without reviewing their source code
- You're running a version older than v2026.2.25 — the ClawJacked patch wasn't available before this
- You connected important accounts (primary email, Slack, GitHub, password managers) to your agent
If your instance appears on the watchboard, it is actively reachable from the internet right now. You should treat it as potentially compromised.
What the Community Is Saying
The response has been massive — estimated 8+ million Twitter impressions from top threads alone, with engagement across security publications, Reddit, Substack, and developer communities worldwide.
The sentiment breaks into distinct camps:
Alarm (~40%): Security researchers and developers expressing serious concern about the default security posture. As one widely-shared tweet put it: "openclaw is basically a bunch of coding illiterate people installing AI and giving it access to their personal email, telegram, discord, WhatsApp — compromising their op sec for the illusion of a personal assistant."
Constructive criticism (~30%): Researchers publishing practical hardening guides — at least 15 dedicated guides appeared in under 6 weeks, from DefectDojo, Clawctl, Penligent, and many others.
Cautious adoption (~20%): Users acknowledging the risks but finding ways to use OpenClaw safely. As one developer noted: "For weeks I was in the 'hard no' camp... Then I saw one setup done right: careful permissions, real sandboxing."
Notable voices:
- Andrej Karpathy (1.9M followers) recommended nanoclaw (4,000 lines, containerized) as an alternative
- Microsoft Threat Intelligence classified it as unsuitable for standard environments
- Peter Steinberger (OpenClaw creator) acknowledged the malware problem and shipped rapid patches
What You Should Do Right Now
If you self-host OpenClaw, here's the priority order:
Step 1: Check If You're Exposed (5 minutes)
Check the watchboard for your server's IP. If it's there, your instance is publicly reachable right now. To find the public IP your server presents to the internet, you can also run:
curl -s https://ifconfig.me
Then check whether port 18789 on that IP is reachable from outside your network, i.e. from a machine that is not on the server's own network or VPN.
Step 2: Close the Front Door (15 minutes)
This is the single most impactful step. Deny inbound traffic by default and allow only SSH, so that port 18789 is no longer reachable from the internet:
sudo ufw default deny incoming
sudo ufw allow ssh
sudo ufw enable
For remote access to your instance, use Tailscale instead of exposing ports. Once your instance is reachable only over the tailnet and no longer listens on a public interface, internet scanners can't see it at all. Multiple community guides cite this as the highest-impact security improvement available.
Step 3: Update OpenClaw (10 minutes)
Make sure you're on v2026.2.25 or later — this includes the ClawJacked patch, mandatory auth, and loopback-only binding by default.
Step 4: Audit Connected Accounts
Review every account connected to your agent. For any account you wouldn't want an attacker to access:
- Revoke the connection
- Rotate the API key or password
- Replace with a dedicated, limited-scope account
Step 5: Review Installed Skills
Check every skill you've installed against the ClawHavoc report. Remove anything you didn't explicitly install or can't verify. Enable Docker sandbox isolation for all tool execution.
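As an added example covering Steps 1 to 3 (this is not code from the original post or from the OpenClaw project), a small POSIX shell self-audit: it parses `ss -ltn` output to flag a gateway bound to a non-loopback address, and compares an installed version against v2026.2.25. The `ss` sample is constructed, and the `--live` flag plus the version argument are assumptions of this script, not OpenClaw's own CLI.

```shell
#!/bin/sh
# Added self-audit helper for Steps 1-3. Not from the original post or the
# OpenClaw project; the port and the patched version number come from the post.
OPENCLAW_PORT=18789
PATCHED_VERSION="v2026.2.25"   # first release carrying the ClawJacked fix

# Constructed sample of `ss -ltn` output (header line included) showing the
# gateway bound to all interfaces (0.0.0.0) as well as to loopback.
SAMPLE_SS_OUTPUT='State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789    0.0.0.0:*
LISTEN 0      128    0.0.0.0:22         0.0.0.0:*
LISTEN 0      511    0.0.0.0:18789      0.0.0.0:*'

# exposed_listeners: reads `ss -ltn` output (with header) on stdin and prints
# every socket where OPENCLAW_PORT listens on a non-loopback address
# (0.0.0.0, [::], *, or an interface IP). Exit 0 = exposed listener found.
exposed_listeners() {
    awk -v port="$OPENCLAW_PORT" '
        NR > 1 {
            addr = $4
            n = split(addr, parts, ":")
            if (parts[n] != port) next
            host = substr(addr, 1, length(addr) - length(port) - 1)
            if (host == "127.0.0.1" || host == "[::1]" || host == "localhost") next
            print
            found = 1
        }
        END { exit found ? 0 : 1 }'
}

# version_key: turns vYYYY.M.D into a comparable integer (month < 100, day < 1000).
version_key() {
    v=${1#v}
    old_ifs=$IFS; IFS=.; set -- $v; IFS=$old_ifs
    echo $(( ${1:-0} * 100000 + ${2:-0} * 1000 + ${3:-0} ))
}

# needs_update: exit 0 when the given version predates PATCHED_VERSION.
needs_update() {
    [ "$(version_key "$1")" -lt "$(version_key "$PATCHED_VERSION")" ]
}

# Live check against this host, only when run as: sh audit.sh --live <installed-version>
if [ "${1:-}" = "--live" ]; then
    ss -ltn | exposed_listeners && echo "WARNING: port $OPENCLAW_PORT is not loopback-only"
    needs_update "${2:-v0.0.0}" && echo "WARNING: update to $PATCHED_VERSION or later"
fi
```

Run it with `--live` on the server itself; a loopback-only listener plus a patched version means Steps 1 to 3 are done and the host should drop off the watchboard once the firewall rule from Step 2 is in place.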
Going Further
For step-by-step instructions, see our docs:
- Harden Your Self-Hosted Instance — Step-by-step guide covering firewall setup, auth configuration, reverse proxy, skill auditing, and ongoing monitoring
- Terminate Your Instance — Per-provider guides for permanently shutting down your instance on AWS, GCP, DigitalOcean, Oracle, Tencent, Alibaba, Baidu, Hetzner, and Kamatera
For the original hardening checklist, see our security best practices post and these community guides:
- DefectDojo: The OpenClaw Hardening Checklist — In-Depth Edition
- Clawctl: The Hardening Guide Nobody Wants to Write
- Penligent: A Practical Hardening and Validation Playbook
- Awesome Agents: How to Actually Secure OpenClaw
The Bigger Picture
The problem isn't that OpenClaw is uniquely bad software. The OpenClaw team has shipped rapid security improvements — mandatory auth, loopback defaults, ClawJacked patches — at a pace that shows genuine commitment to fixing these issues.
The deeper problem is that any powerful, always-on AI agent with access to your email, calendar, files, and messaging requires infrastructure-level security thinking — not just an app install. When you give an agent persistent credentials to your digital life, the security of the host it runs on becomes the security of everything it can touch.
For most users, the hardening checklist is achievable but requires real effort. If you'd rather skip it and get a secure setup out of the box — isolated VMs, no public IPs, authenticated proxies, encrypted storage — that's what we built Coral to do.
For a detailed look at how Coral's architecture prevents these specific issues, read our companion post: Why Coral Instances Don't Show Up on Security Watchboards.
Sources: Maor Dayan, Koi Security, Bitsight, SecurityScorecard, Microsoft Threat Intelligence, Kaspersky, Bitdefender, The Hacker News, BleepingComputer, Infosecurity Magazine, DefectDojo, Clawctl, Penligent, OpenClaw.rocks, OpenClaw GitHub.