What happened

Security researchers and threat intelligence teams discovered that around 42,000+ instances of the OpenClaw AI agent were directly exposed on the open internet in at least 80+ countries. 

Many of these instances were configured with no authentication and vulnerable to remote code execution, meaning unauthorised users could control the systems they ran on and access stored API keys, chat histories, and credentials. 

OpenClaw is an open-source, agentic AI framework (originally Clawdbot then Moltbot) used by developers for automating tasks like managing emails, files, and messages. Its control panels, when exposed, acted as gateways for attackers. 

Security reports also flagged hundreds of malicious third-party “skills” in the ecosystem that could steal data or deliver malware. 

Why it happened

The incident stems from near non-existent security protection.

Many OpenClaw installs bound administrative interfaces to all network interfaces by default, making them reachable from the public internet without authentication.

Default settings and protocols (like the control panel and Model Context Protocol) lacked mandatory authentication or least-privilege checks.

The third-party “skill” marketplace (ClawHub) had no robust review or security sandboxing, allowing malware and credential-stealing code to proliferate.

Together, these factors created an enormous, unmanaged attack surface, akin to poorly secured legacy services suddenly exposed to internet-wide scanning tools.