Over 21,000 OpenClaw AI Instances Exposed Online, Raising Security Concerns
In a recent development, over 21,000 instances of OpenClaw, an open-source personal AI assistant, have been found publicly accessible online, exposing sensitive user configurations and personal data. This significant exposure has raised alarms within the cybersecurity community regarding the protection of user information.
Rapid Growth and Rebranding
OpenClaw, developed by Austrian programmer Peter Steinberger, has seen a meteoric rise since its inception in late January 2026. The project underwent several rebranding phases, initially launching as Clawdbot, then changing to Moltbot due to trademark issues with Anthropic, before finally settling on the name OpenClaw. Within a week, the platform’s deployments surged from approximately 1,000 to over 21,000 instances.
Advanced Capabilities and Integration
Distinguishing itself from traditional chatbots, OpenClaw offers advanced functionalities by integrating seamlessly with various services such as email, calendar systems, smart-home devices, and food delivery platforms. This integration enables the AI assistant to make autonomous decisions and perform tasks on behalf of users, enhancing operational efficiency.
Security Implications of Public Exposure
Despite its robust capabilities, the widespread public exposure of OpenClaw instances introduces significant security risks. By default, OpenClaw operates locally on TCP port 18789, accessible through a browser-based interface bound to localhost. The project’s documentation advises using SSH tunneling for remote access to prevent direct public exposure. However, many deployments have deviated from these security best practices.
As of January 31, 2026, security firm Censys identified 21,639 exposed instances by searching for HTML titles Moltbot Control and clawdbot Control. While most of these instances require authentication tokens for full access, the mere identification and enumeration of these deployments can provide valuable reconnaissance information for potential attackers.
Geographic Distribution and Deployment Practices
Geographical analysis indicates that the United States hosts the largest number of exposed OpenClaw instances, followed by China and Singapore. This distribution reflects the footprint of cloud service providers, regional adoption rates, and varying security practices across different regions.
Some operators reportedly utilize Cloudflare Tunnels to facilitate remote access without exposing systems directly to the public internet. However, reliable statistics on the prevalence of this setup are not available.
Operational Risks and Recommendations
The rapid proliferation of internet-facing OpenClaw instances presents multiple security challenges. Censys’s analysis reveals concentrated deployment patterns across major cloud providers, with at least 30% of observed instances running on Alibaba Cloud infrastructure. This concentration may reflect visibility bias rather than actual market dominance.
Exposed instances could provide attackers with access to sensitive user configurations, authentication credentials, and integration settings for connected services. The expansion of autonomous agent platforms, especially following the launch of Moltbook as a social network for AI agents, underscores the need for robust security measures early in the deployment lifecycle.
The scale and speed of OpenClaw’s adoption highlight a critical gap between development velocity and security maturity. Organizations deploying these AI assistants must prioritize implementing access controls, network segmentation, and continuous monitoring to mitigate the risks associated with this emerging technology.
