40,000+ AI Agents Exposed to the Internet with Full System Access

AI | Feb 22, 2026 | By Insights AI (Reddit)

40,000+ AI Agents Running Exposed with No Authentication

SecurityScorecard's STRIKE team scanned the public internet and found 40,214 OpenClaw (formerly Moltbot) AI agent instances exposed with no authentication—many running with full admin access, and many already compromised.

The Numbers

  • 12,812 instances vulnerable to Remote Code Execution
  • 549 instances correlated with prior breaches
  • 1,493 instances with known CVEs and public exploits available
  • 78% running outdated versions (pre-patch Clawdbot/Moltbot branding)
  • 45% hosted on Alibaba Cloud; 37% concentrated in China

The Root Cause: Insecure Defaults

OpenClaw binds to 0.0.0.0:18789 by default—listening on ALL network interfaces, including the public internet. For a tool with filesystem access, command execution, credential storage, and messaging capabilities, the default should be localhost-only. It isn't. The combination of insecure defaults and rapid AI agent adoption has produced a systemic security failure.

Why Agent Compromise Is Different

Compromising an OpenClaw instance doesn't just expose data—attackers inherit everything the agent can do: SSH keys, browser sessions, API tokens, filesystem access, and the ability to impersonate the user through messaging apps. It's like finding someone's unlocked phone with root access to their entire digital life.

Immediate Actions

If you're running OpenClaw:

  • Patch to v2026.2.1+
  • Set gateway.bind: "127.0.0.1" in config
  • Rotate all API keys and tokens
  • Run openclaw security audit deep

SecurityScorecard maintains a live dashboard at declawed.io tracking exposures every 15 minutes. Treat AI agents as privileged identities, not toys.
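To confirm on a Linux host that the bind change took effect, the following added example (not from the article or the OpenClaw project) parses the kernel's socket tables and reports any LISTEN socket on port 18789 whose local address is not loopback. It assumes a little-endian host for the /proc/net/tcp address encoding; the function names and the sample table are constructed for illustration.

```python
import ipaddress
from pathlib import Path

GATEWAY_PORT = 18789  # OpenClaw default port named in the article
TCP_LISTEN = "0A"     # LISTEN state code in /proc/net/tcp

def decode_addr(hex_addr):
    """Decode a /proc/net/tcp{,6} local address (little-endian host assumed)."""
    raw = bytes.fromhex(hex_addr)
    # The kernel prints each 32-bit word in host byte order, so flip every word.
    packed = b"".join(raw[i:i + 4][::-1] for i in range(0, len(raw), 4))
    addr = ipaddress.ip_address(packed)
    mapped = getattr(addr, "ipv4_mapped", None)  # ::ffff:a.b.c.d -> a.b.c.d
    return addr if mapped is None else mapped

def exposed_listeners(proc_text, port=GATEWAY_PORT):
    """Return the non-loopback addresses with a LISTEN socket on `port`."""
    found = []
    for line in proc_text.splitlines():
        fields = line.split()
        if len(fields) < 4 or ":" not in fields[1] or fields[3] != TCP_LISTEN:
            continue  # header row, or a socket that is not listening
        hex_addr, hex_port = fields[1].split(":")
        if int(hex_port, 16) != port:
            continue
        addr = decode_addr(hex_addr)
        if not addr.is_loopback:
            found.append(str(addr))
    return found

# Constructed sample: gateway on the wildcard address, unrelated loopback service.
SAMPLE = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid
   0: 00000000:4965 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000
   1: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000
"""

if __name__ == "__main__":
    tables = [Path("/proc/net/tcp"), Path("/proc/net/tcp6")]
    live = [p.read_text() for p in tables if p.exists()]
    for text in live or [SAMPLE]:
        for addr in exposed_listeners(text):
            print(f"port {GATEWAY_PORT} is listening on {addr}, not loopback")
```

An empty result after the config change and a restart means the gateway is reachable only from the local machine; any address printed is an interface the service still accepts connections on.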
