
A study has identified tens of thousands of exposed Moltbot (OpenClaw) instances, putting users at risk of account takeover.
The rapid emergence of an artificial intelligence (AI) assistant, Moltbot, later rebranded as OpenClaw, raised hopes that we’re getting close to artificial general intelligence (AGI), which were soon replaced by concerns about cybersecurity risks.
The SecurityScorecard STRIKE Threat Intelligence Team’s study, released on February 9th, identified over 42,000 unique IP addresses hosting exposed OpenClaw control panels with full system access across 82 countries.
As many as 49,584 exposed instances appear vulnerable to Remote Code Execution (RCE), meaning attackers can take over the host machine, according to the data on the interactive, real-time dashboard.
Over 8,500 exposed instances simultaneously have four risk factors, including being previously affected by a data breach and having leaked domain-level credentials, making them most likely to be actively compromised or targeted.
The research suggests that exposed OpenClaw deployments are heavily concentrated in major cloud and hosting providers. For example, 45% are hosted on Alibaba Cloud, with 37% of instances in China.
The report also highlights issues with deployment hygiene. A significant portion of enumerated instances use default configurations, which increases predictability and the success rates of attackers.
The researchers identified these exposures through internet-wide scanning using favicon hash fingerprinting, SecurityScorecard proprietary breach and threat actor correlation, the GitHub API, and direct enumeration.
What are the risks of Moltbot exposure?
OpenClaw is an agentic AI framework that runs on a user’s hardware and can execute tasks on their behalf. It can connect to third-party services, such as email, calendars, chat apps, and browsers.
The SecurityScorecard researchers note that installing OpenClaw is associated with the following risks:
- Internet-facing management interfaces
- Privileged identities, such as computer admin access, tied to automation
- Weak or missing authentication controls
- Exposed tokens, API keys, and configuration secrets
- Vulnerable software versions running by default
An investigation by the cybersecurity firm Wiz into Moltbook, the network for Moltbot agents, found a misconfigured database exposing 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents.
Multiple experts have voiced concerns about OpenClaw, warning that it is a step away from a massive breach that could allow attackers to access the entire digital lives of its users.
Peter Steinberger, the creator of OpenClaw, has acknowledged the security risks posed by the AI assistant, which he called “a free, open source hobby project,” and warned non-technical users against using it.
Uninstalling may not reduce the risks
Growing awareness of OpenClaw’s risks prompted some users to uninstall it. However, a recent report from OX Security suggests that common removal methods leave credentials and configuration files behind.
For instance, if a user removes secret keys in the Web UI, the data can still remain on the machine.
Uninstalling OpenClaw via Node Package Manager (npm) may remove the assistant’s binary but leave the local directory behind. In this case, secrets and configurations can remain on the machine.
The report reads, “And because the OpenClaw binary is now gone, users can’t run the official OpenClaw uninstall command afterward, which makes a complete cleanup more difficult.”
When uninstalling OpenClaw, experts recommend inspecting third-party accounts connected to the tool and looking for any potential changes, such as changed billing details or purchased services.
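The residue problem described above is easy to check for on the machine itself. The following POSIX shell script is an added example, not code from the Cybernews article, OX Security, or the OpenClaw project: it audits a state directory left behind after a binary has been uninstalled, lists files whose name or content looks like configuration or credentials, and offers a wipe helper to run once the findings have been reviewed. The directory names in `CANDIDATE_DIRS` are placeholders (an assumption, not the tool's real paths); substitute the directories your installation actually used.

```shell
#!/bin/sh
# Added example, not code from the article or the OpenClaw project.
# After an agent's binary has been removed, check whether its local state
# directory still exists and whether it still holds configuration or
# credential-like files, so they can be reviewed and securely deleted.
#
# ASSUMPTION: the directories below are placeholders; replace them with the
# state directories your installation really used.
CANDIDATE_DIRS="${CANDIDATE_DIRS:-$HOME/.agent-state-placeholder}"

# list_secret_files DIR
#   Print every regular file under DIR whose name suggests configuration or
#   credentials, or whose content contains a credential-like keyword.
#   Output is de-duplicated; nothing is printed when DIR is absent or clean.
list_secret_files() {
    dir=$1
    [ -d "$dir" ] || return 0
    {
        # Name-based matches: env files, token/secret/credential files,
        # and JSON/YAML configuration.
        find "$dir" -type f \( -iname '.env' -o -iname '*.env' -o -iname '*token*' \
            -o -iname '*secret*' -o -iname '*credential*' -o -iname '*.json' \
            -o -iname '*.yaml' -o -iname '*.yml' \) 2>/dev/null
        # Content-based matches: a key/token/secret/password keyword in the body.
        grep -rlEi 'api[_-]?key|token|secret|password' "$dir" 2>/dev/null
    } | sort -u
}

# count_leftovers DIR -> prints the number of suspicious files under DIR (0 if absent)
count_leftovers() {
    list_secret_files "$1" | wc -l | tr -d ' '
}

# audit_dir DIR -> prints a one-line verdict; returns 0 only when the
# directory is gone, so the function can gate a post-uninstall check.
audit_dir() {
    dir=$1
    if [ ! -d "$dir" ]; then
        echo "CLEAN   $dir (directory absent)"
        return 0
    fi
    n=$(count_leftovers "$dir")
    if [ "$n" -eq 0 ]; then
        echo "REVIEW  $dir still exists but holds no credential-like files"
        return 1
    fi
    echo "RESIDUE $dir holds $n credential/config file(s):"
    list_secret_files "$dir" | sed 's/^/    /'
    return 1
}

# wipe_dir DIR -> securely delete the directory; run only after reviewing the
# audit output. shred may be absent on some systems, so rm -rf is the fallback.
wipe_dir() {
    dir=$1
    [ -d "$dir" ] || return 0
    if command -v shred >/dev/null 2>&1; then
        find "$dir" -type f -exec shred -u {} + 2>/dev/null
    fi
    rm -rf "$dir"
}

# Run as a script with --audit: check every candidate directory and exit
# non-zero if any residue remains.
if [ "${1:-}" = "--audit" ]; then
    status=0
    for d in $CANDIDATE_DIRS; do
        audit_dir "$d" || status=1
    done
    exit $status
fi
```

Run it as `CANDIDATE_DIRS="$HOME/<your-state-dir>" sh audit.sh --audit` after the uninstall; a non-zero exit means the directory is still present, and the listing shows which files deserve a look before `wipe_dir` removes them. Revoking any tokens found there at the issuing service is the step the script cannot do for you.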