Over 135,000 OpenClaw AI Agents Left Wide Open to Hackers

AI's Hottest Tool Becomes Its Biggest Security Crisis

OpenClaw, the viral open-source AI assistant platform that rocketed to popularity in recent weeks, is now at the centre of a massive security crisis. SecurityScorecard's STRIKE threat intelligence team has identified more than one hundred and thirty five thousand internet-exposed OpenClaw instances across eighty two countries, with the number climbing rapidly.

Default Settings Create a Digital Open Door

The root cause is alarmingly simple. OpenClaw binds to all network interfaces by default on port eighteen thousand seven hundred and eighty nine, meaning any instance is publicly accessible unless users manually change the configuration. Of the exposed instances, more than twelve thousand eight hundred are vulnerable to remote code execution attacks that could allow hackers to completely take over host machines.

Three Critical Vulnerabilities With Public Exploits

Three high-severity vulnerabilities have been identified, all with public exploit code available. The most serious, CVE-2026-25253, enables one-click remote code execution through WebSocket authentication token theft. A second allows operating system command injection through SSH functions, while a third enables container escape via PATH environment variable manipulation. Patches were released on January twenty ninth, but the majority of exposed instances are running older, vulnerable versions.

Marketplace Poisoned With Malware

The platform's ClawHub skills marketplace has been compromised on a shocking scale. Security firm Koi Security audited all two thousand eight hundred and fifty seven skills on the platform and found three hundred and forty one were malicious, roughly twelve percent of the entire registry. These fake extensions masquerade as cryptocurrency tools and productivity apps but deliver malware designed to steal API keys, wallet credentials, and passwords.

VirusTotal Partnership Offers Limited Relief

OpenClaw has partnered with Google-owned VirusTotal to scan all marketplace skills, but the platform's maintainers acknowledge this is not a complete solution. Former Tesla AI chief Andrej Karpathy has described the situation as a security nightmare, warning users not to run these agents on personal computers without proper isolation.