I Scanned the Internet and Found 8,600+ Exposed AI Agent Servers

OpenClaw is the hottest open-source AI agent platform on the planet. People are deploying it everywhere — personal assistants, business automation, coding copilots, customer service bots. There's just one problem: most of them forgot to lock the front door.

I built a scanning pipeline, pointed it at the internet, and found 8,600+ OpenClaw instances sitting wide open on port 18789. No authentication. No encryption. Full access to API keys, chat histories, custom configurations, and whatever models are running behind them.

Here's what I found.

What Is OpenClaw?

OpenClaw is an open-source platform for building and running AI agents. Think of it as a self-hosted framework that connects language models (Claude, GPT, Llama, etc.) to tools — web browsing, file management, code execution, API calls. It turns a language model into an autonomous agent that can actually do things.

It's powerful. It's popular. And its default configuration ships with no authentication and no SSL/TLS encryption.

The default setup binds to 0.0.0.0:18789 — meaning it listens on all network interfaces. If you deploy this on a cloud server without a firewall, you've just put your AI agent on the public internet with no password.

Methodology

I used Shodan, the search engine for internet-connected devices, to find OpenClaw instances. The query is simple:

product:"OpenClaw" port:18789

That returned 8,600+ results at the time of scanning. I pulled a sample of 1,200 instances for deeper analysis and built a scoring pipeline that evaluates each one across three dimensions:

1. Vulnerability — How exposed is it? (auth, SSL, software version, default config)
2. Business signal — Is this a real organization or a throwaway VPS? (domain, org name, cloud provider)
3. Reachability — Can we actually identify and contact whoever runs it? (reverse DNS, WHOIS, domain)

Every instance was scored automatically. No manual exploitation, no accessing private data, no interacting with the systems beyond what Shodan already indexes publicly.

The Findings

Zero Security Across the Board

Out of 1,200 sampled instances:

Not a single instance in our sample had basic authentication or encryption enabled. Every one of them was transmitting data — including API keys, chat histories, and model configurations — in plaintext over the open internet.

75% hadn't even been configured beyond the default install. They were running the exact same software, with the exact same settings, as the moment they first booted up.

Where They're Hosted

The geographic distribution tells an interesting story. While our scan was filtered to US-based IPs, the organizations behind those IPs reveal something worth noting:

Top hosting providers:

Over 40% of instances with US IP addresses are actually hosted on foreign cloud infrastructure — primarily Alibaba Cloud and Tencent. These are Chinese cloud providers operating in US data center regions. The instances have American IPs but are managed through foreign cloud platforms.

This doesn't necessarily mean anything malicious. Alibaba Cloud's US regions are popular because they're cheap. But it does mean that a significant chunk of exposed AI agent infrastructure is sitting on cloud platforms operated by foreign entities — running with zero authentication and zero encryption.

Concentrated in Data Centers

The physical locations cluster exactly where you'd expect: cloud provider data centers.

Silicon Valley and Northern Virginia — the two biggest cloud infrastructure corridors in the US — account for the majority of exposed instances.

What's Actually Exposed

When an OpenClaw instance runs without authentication, anyone who finds it can:

Access the full API. OpenClaw exposes a REST API on port 18789. Without auth, every endpoint is open. An attacker can list available models, start conversations, create agents, and access any tool the instance has configured.

Read chat histories. Conversations between users and their AI agents are accessible. For business deployments, this could include internal discussions, customer data, proprietary information, strategic planning — anything someone discussed with their AI assistant.

Extract API keys. OpenClaw connects to upstream model providers (Anthropic, OpenAI, etc.) using API keys stored in its configuration. An exposed instance leaks those keys. An attacker can use them to run up your API bill or access your account on those platforms.

Discover custom configurations. Many instances have custom assistant names and personas — we found agents named things like "Winston" and "Ryan." These reveal how people are using the platform and what tools they've connected. For a business, this could expose internal workflows, connected databases, and integration points.

Inject prompts. An attacker can modify system prompts, inject instructions, or manipulate the agent's behavior. If the agent has access to tools (email, file systems, APIs), prompt injection becomes a vector for lateral movement into other systems.

24.6% Running Outdated Software

Nearly a quarter of instances are running an older Moltbot-based version of OpenClaw. These older versions have known vulnerabilities and haven't received security patches. Combined with zero authentication, they represent the highest-risk targets in the scan.

What an Attacker Could Actually Do

This isn't theoretical. With zero authentication on 8,600+ instances, the attack surface is straightforward:

1. Credential theft. Extract API keys for Anthropic, OpenAI, or other services. Use them or sell them.
2. Data exfiltration. Read chat histories for sensitive business information, personal data, or proprietary content.
3. Model abuse. Use someone else's compute and API credits to run your own workloads. Free GPU time.
4. Lateral movement. If the OpenClaw instance has tools connected to internal systems (databases, file servers, email), prompt injection can be used to pivot into those systems.
5. Supply chain attacks. Modify the agent's behavior to produce subtly wrong outputs, inject malicious links, or manipulate business processes that depend on the agent.

Are You Exposed?

If you're running OpenClaw, check right now. Open a terminal and run:

# Check if your instance is accessible from the internet
curl -s http://YOUR_SERVER_IP:18789 | head -20
 
# Search Shodan for your IP
# (requires a Shodan account)
shodan host YOUR_SERVER_IP

Or just search Shodan directly:

product:"OpenClaw" port:18789

If your IP shows up, you're exposed. Fix it today.

How to Fix It

The good news: securing an OpenClaw instance is not hard. The bad news: almost nobody is doing it.

Immediate fixes (do these now):

1. Enable authentication. Configure basic auth or token-based authentication in your OpenClaw config. Don't leave the API open.

2. Put it behind a reverse proxy. Use Nginx or Caddy as a front door. Terminate SSL there, enforce authentication, and proxy requests to OpenClaw on localhost.

3. Firewall port 18789. If OpenClaw only needs to be accessed from your local network, block 18789 from the public internet entirely.

# UFW example — allow only from your IP
sudo ufw deny 18789
sudo ufw allow from YOUR_IP to any port 18789

1. Enable SSL/TLS. Use Let's Encrypt with your reverse proxy. There's no reason to transmit AI agent traffic in plaintext.

2. Bind to localhost. If you only access OpenClaw from the same machine, configure it to listen on 127.0.0.1 instead of 0.0.0.0.

Longer-term hardening:

• Rotate any API keys that may have been exposed
• Audit your chat histories for sensitive data that may have been accessed
• Set up monitoring for unusual API access patterns
• Keep OpenClaw updated — patch when new versions drop
• Review what tools and integrations your agent has access to and apply least-privilege

Limitations

This research has boundaries worth acknowledging:

• We sampled 1,200 of 8,600+ instances. The full population may have different characteristics.
• Shodan indexes what's publicly visible. Instances behind VPNs, on non-standard ports, or with custom configurations may not appear.
• No active exploitation. We didn't interact with any instance beyond analyzing publicly indexed Shodan data. We don't know what specific data is stored on any given server.
• Point-in-time snapshot. The scan was conducted in March 2026. The landscape changes as people deploy and decommission instances.
• US-focused. Our primary scan targeted US-based IPs. The global picture is likely larger.

The Bigger Picture

OpenClaw isn't unique here. The same pattern plays out across the self-hosted AI infrastructure space. Ollama had a similar exposure study by Cisco that found 1,139 vulnerable instances. The AI agent ecosystem is moving faster than its security practices.

People are deploying AI agents that have access to their email, their files, their APIs, their business data — and leaving the front door wide open. The tooling makes it easy to get a powerful agent running in minutes. Nobody's stopping to configure authentication because it's not required by default.

This is a solvable problem. It just requires the same basic security hygiene we've applied to every other piece of internet-facing software for the past 30 years: authentication, encryption, firewalls, least-privilege access.

The 8,600+ exposed instances suggest we're not there yet.

I'm building tools to help organizations secure their AI agent deployments. If you're running OpenClaw (or any self-hosted AI infrastructure) and want to know if you're exposed, I'll check for free. Reach out at haunlab.com/free-audit.

— Taylor Haun, Haun Labs