42,900 OpenClaw instances are exposed to the internet right now.
341 malicious skills are live on ClawHub, the official skill marketplace.
A comprehensive security audit gave OpenClaw a score of 2 out of 100.
And adoption is still accelerating.
This is what a security crisis looks like in slow motion—obvious to anyone watching the data, invisible to everyone caught up in the hype. The security community has been sounding alarms for weeks. Here's what they're saying and why it matters.
The Numbers Don't Lie
Let's start with the raw data, because the data is alarming.
160,000+ GitHub stars in a matter of weeks. OpenClaw, the open-source AI agent formerly known as Clawdbot and Moltbot, has become the fastest-growing AI project in GitHub history. Peter Steinberger's creation gained 20,700 stars in a single day. Two million visitors in the first week.
42,900 exposed instances found by SecurityScorecard's STRIKE team. These are OpenClaw deployments accessible from the public internet—machines where the gateway is reachable without authentication, where known vulnerabilities can be exploited remotely.
341 malicious skills identified by Antiy Labs in their "ClawHavoc" report. These aren't theoretical attacks—they're live plugins on the official marketplace, poisoning the supply chain in real time.
Security score of 2 out of 100 from TaoApex's comprehensive audit. For context, most enterprise security requirements mandate a minimum score of 70 or higher.
100% failure rate in Clawhatch's audit of public configurations. They scanned over 90 repositories containing OpenClaw configs. Every single one had at least one security issue.
8.8 CVSS score for a critical vulnerability allowing remote code execution through control channel hijacking.
These numbers tell a story: adoption is massively outpacing security maturity. And that gap is where attackers live.
The Speed vs. Security Mismatch
OpenClaw went from zero to 160,000 stars faster than any AI project in history. That velocity creates a specific problem: there's no time for a security maturity curve.
Traditional software follows a pattern. Early adopters find bugs. Security researchers probe for vulnerabilities. The project matures, hardens, develops best practices. By the time mass adoption happens, the worst issues have been found and fixed.
OpenClaw skipped that entire phase. Within days of going viral, people were deploying it to production. They were connecting it to work email, Slack, sensitive business data. They were installing skills from an unvetted marketplace. They were exposing instances to the internet.
The security community couldn't keep up. By the time Antiy Labs published ClawHavoc, 341 malicious skills were already live. By the time SecurityScorecard finished their scan, 42,900 instances were already exposed.
This isn't a criticism of the OpenClaw team—they inherited a codebase that went viral overnight. It's a statement of fact about what happens when adoption outpaces security.
The Architecture That Makes It Dangerous
OpenClaw is powerful because of its architecture. It's also dangerous for exactly the same reason.
The project's own Trust page acknowledges this directly:
"AI agents represent a fundamental shift. Unlike traditional software that does exactly what code tells it to do, AI agents interpret natural language and make decisions about actions. They blur the boundary between user intent and machine execution. They can be manipulated through language itself."
This is refreshingly honest. It's also describing exactly why the security implications are severe.
Filesystem-First Means Full Access
OpenClaw's filesystem-first architecture is what makes it genuinely useful. The agent can read your documents, understand your business context, access your files. It's not a chatbot that only knows what you paste into the conversation—it's an assistant that can actually navigate your data.
But filesystem access means the agent can read anything you can read. SSH keys. API credentials. Work documents. Personal files. The same access that enables legitimate use cases enables catastrophic abuse if the agent is compromised.
Shell Execution Is a Feature, Not a Bug
The ability to execute shell commands is core to OpenClaw's utility. It can run scripts, automate workflows, interact with other tools on your system. That's the point.
It's also why prompt injection attacks are so dangerous. If an attacker can manipulate the agent into executing arbitrary commands, they have full control of the system. Trail of Bits has documented exactly how this attack chain works: prompt injection escalates to argument injection, which escalates to remote code execution.
The Browser Is Another Attack Surface
OpenClaw includes browser automation—the ability to navigate websites, fill forms, extract information. Useful for research, dangerous when weaponized.
A compromised agent with browser access can navigate to your authenticated sessions (using cookies from your browser), perform actions as you, and exfiltrate data through legitimate-looking HTTP requests.
Real Incidents Are Happening Now
This isn't theoretical. Security teams at major enterprises are already responding to OpenClaw-related incidents.
The ClawHavoc Campaign
In early February, Antiy Labs published their analysis of a coordinated supply chain attack on the OpenClaw ecosystem. Attackers had uploaded 341 malicious skills to ClawHub, the official marketplace.
The attack was sophisticated. Malicious skills mimicked popular legitimate plugins. They used typosquatting—names like "openweather-skill" instead of "weather-skill"—to trick users into installing the wrong package. Some were outright clones of legitimate skills with malicious code injected.
The malicious payloads varied: credential stealers, data exfiltrators, cryptocurrency miners, persistent backdoors. Some were designed for immediate exploitation; others lay dormant, waiting for specific triggers.
By the time the report was published, the skills had already been installed thousands of times.
Enterprise Security Team Warnings
CrowdStrike and Cisco have both published analyses warning their enterprise customers about OpenClaw.
Cisco's blog post is titled "Personal AI Agents like OpenClaw Are a Security Nightmare." It details how the combination of filesystem access, shell execution, and network capabilities creates an attack surface that enterprise security tools weren't designed to monitor.
CrowdStrike's analysis focuses on the detection challenges: how do you distinguish between legitimate agent behavior and malicious agent behavior when both involve reading files and executing commands?
These aren't fringe voices. These are the security teams that Fortune 500 companies rely on.
The Shadow IT Problem
Perhaps the most alarming finding comes from Token Security. Their research found that at least one person is using OpenClaw at nearly a quarter of their enterprise customers—mostly running from personal accounts, outside IT visibility.
This is shadow IT at its most dangerous. Employees are connecting company email, Slack, and document repositories to an AI agent that IT doesn't know about, can't monitor, and can't secure.
When one of those instances is compromised—and given the attack surface, it's when, not if—the enterprise has no visibility into what happened or what data was accessed.
The Governance Gap
OpenClaw occupies a strange space in the security landscape. It's too new for established best practices. It's too different for traditional security tools to handle. And it's too popular for enterprises to simply ban.
Traditional Security Tools Don't Work
Antivirus software looks for known malware signatures. But a malicious OpenClaw skill isn't malware in the traditional sense—it's JavaScript code that makes legitimate-seeming API calls. It doesn't trigger signatures.
Network monitoring looks for suspicious traffic patterns. But an agent exfiltrating data through HTTPS to attacker.com looks identical to an agent legitimately calling an API. The traffic is encrypted, the destination is a normal-looking domain.
Endpoint detection looks for suspicious process behavior. But an AI agent reading files and executing commands is supposed to read files and execute commands. The malicious behavior is indistinguishable from the legitimate behavior.
No Established Best Practices
When enterprises adopt a new technology, they typically look to established frameworks: CIS benchmarks, NIST guidelines, vendor-provided hardening guides. None of that exists for AI agents yet.
The Clawhatch audit demonstrated this gap directly. They published the most comprehensive OpenClaw security scanner available—128 checks, covering configuration, permissions, network exposure, and more. Every single public configuration they scanned failed at least one check.
If security-conscious developers who publish their configs to GitHub can't get it right, what chance does the average user have?
The Compliance Nightmare
For enterprises subject to regulatory requirements—HIPAA, SOC 2, GDPR, PCI DSS—OpenClaw is a compliance nightmare.
How do you demonstrate access controls when an AI agent has filesystem access to everything? How do you prove data minimization when the agent's context window includes whatever files it wants to read? How do you maintain audit logs when the agent can execute arbitrary shell commands?
These aren't hypothetical concerns. Compliance teams are raising them right now, usually after discovering that employees have already deployed OpenClaw on production systems.
What Responsible Deployment Looks Like
The answer isn't to avoid AI agents entirely. The capabilities are too valuable, and adoption is happening regardless of security guidance. The answer is to deploy responsibly—with security built in from the start.
Isolation Is Non-Negotiable
The single most important security control for AI agents is isolation. Don't run them on machines that contain sensitive data. Don't give them access to credentials they don't need. Contain the blast radius so that a compromise doesn't cascade.
This means dedicated infrastructure, not your laptop. It means separate servers, not shared systems. It means treating the agent as a potentially adversarial process that needs to be contained.
Authentication Isn't Optional
The 42,900 exposed instances exist because people deployed OpenClaw without proper authentication. Binding to localhost isn't enough if you're also running a reverse proxy that forwards unauthenticated requests.
Proper authentication means tokens, API keys, or session-based auth on every request. It means failing closed—if auth isn't configured, the agent shouldn't start.
Monitoring Must Exist
You can't detect a compromise if you're not watching. Every file read, every command executed, every network request should be logged. Those logs should go somewhere tamper-resistant, and someone should actually review them.
For enterprises, this means SIEM integration, anomaly detection, and incident response playbooks. For individuals, it means at minimum reviewing what your agent actually did.
Updates Are Critical
OpenClaw is under active development. Vulnerabilities are being found and fixed. Running an outdated version means running with known exploits that attackers have already weaponized.
Managed infrastructure can handle updates automatically. Self-hosted deployments require vigilance.
How Clawdy Addresses This
We built Clawdy specifically because we saw this crisis coming. The combination of rapid adoption and inadequate security was going to create exactly the situation we're seeing now.
Dedicated infrastructure means your agent runs on its own server, isolated from your personal machine and its credentials.
Built-in authentication means every request to your agent requires valid credentials—not just loopback binding, actual auth.
Managed security updates mean you're not running vulnerable versions while attackers are actively exploiting them.
Logging and monitoring mean you can actually see what your agent is doing.
API key isolation means a compromised instance can't steal your OpenRouter or Anthropic credentials.
This isn't a complete solution to AI agent security—that problem is genuinely hard and will take years to solve properly. But it's a responsible foundation that contains the blast radius and provides the visibility that's otherwise completely absent.
The Path Forward
OpenClaw's viral growth is a fact. The security implications are severe but not insurmountable. The question is whether the community can mature its security posture faster than attackers can exploit the gaps.
For enterprises: treat OpenClaw like any other shadow IT risk. Discover where it's running, assess the exposure, implement controls or provide secure alternatives. Banning it won't work—people will use it anyway.
For individuals: understand what you're running. If you're deploying OpenClaw, do it on isolated infrastructure, not your personal machine. Keep it updated. Actually read the security guidance.
For the security community: keep publishing. The ClawHavoc report, the Clawhatch scanner, the enterprise guidance from CrowdStrike and Cisco—this is exactly what's needed. Attackers are moving fast; defenders need to move faster.
The security crisis is here. The question is what we do about it.
Check if your instance is exposed: Use the free OpenClaw Security Exposure Checker to find out in seconds — no sign-up required.
Want to run OpenClaw with security isolation built in? Clawdy deploys AI agents on dedicated infrastructure with authentication, monitoring, and managed updates—in under 60 seconds. Get started at clawdy.app.