135,000 OpenClaw instances open to the internet because of default settings

SecurityScorecard’s STRIKE threat intelligence team is sounding the alarm over the sheer volume of internet-exposed OpenClaw instances it discovered, which numbers more than 135,000 as of this writing. When combined with previously known vulnerabilities in the vibe-coded AI assistant platform and links to prior breaches, STRIKE warns that there’s a systemic security failure in the open-source AI agent space.

“Our findings reveal a massive access and identity problem created by poorly secured automation at scale,” the STRIKE team wrote in a report released Monday. “Convenience-driven deployment, default settings, and weak access controls have turned powerful AI agents into high-value targets for attackers.”

[…]

That’s not to say users aren’t at least partially to blame for the issue. Take the way OpenClaw’s default network connection is configured.

“Out of the box, OpenClaw binds to `0.0.0.0:18789`, meaning it listens on all network interfaces, including the public internet,” STRIKE noted. “For a tool this powerful, the default should be `127.0.0.1` (localhost only). It isn’t.”

STRIKE recommends all OpenClaw users, at the very least, immediately change that binding to point it to localhost. Outside of that, however, SecurityScorecard’s VP of threat intelligence and research Jeremy Turner wants users to know that most of the flaws in the system aren’t due to user inattention to defaults. He told The Register in an email that many of OpenClaw’s problems are there by design because it’s built to make system changes and expose additional services to the web by its nature.
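A defender-side check for the binding described above, as an added example that is not from the STRIKE report, The Register, or the OpenClaw project: it parses `ss -H -tln` output and reports any listener on port 18789 that is not bound to loopback. The sample socket lines and all function names are constructed for illustration.

```python
import ipaddress

OPENCLAW_PORT = 18789  # default port quoted in the STRIKE report

# Constructed sample of `ss -H -tln` output (not captured from a real host).
SAMPLE_SS = """\
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 127.0.0.1:5432 0.0.0.0:*
LISTEN 0 511 [::]:18789 [::]:*
LISTEN 0 128 127.0.0.53%lo:53 0.0.0.0:*
LISTEN 0 511 [::1]:18789 [::]:*
LISTEN 0 511 192.0.2.10:18789 0.0.0.0:*
LISTEN 0 4096 *:22 *:*
"""

def split_local(field):
    """Split the 'Local Address:Port' column of ss into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop the %iface scope first, then the IPv6 brackets.
    host = host.split("%", 1)[0].strip("[]")
    return host, int(port)

def classify(host):
    """Return how widely a bind address is reachable."""
    if host in ("*", "0.0.0.0", "::"):
        return "all-interfaces"
    ip = ipaddress.ip_address(host)
    return "loopback" if ip.is_loopback else "specific-interface"

def find_exposed(ss_output, port=OPENCLAW_PORT):
    """List (local_address, scope) for listeners on `port` not bound to loopback."""
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue  # skip blank or non-listening rows
        host, lport = split_local(cols[3])
        if lport != port:
            continue
        scope = classify(host)
        if scope != "loopback":
            findings.append((cols[3], scope))
    return findings

if __name__ == "__main__":
    for addr, scope in find_exposed(SAMPLE_SS):
        print(f"port {OPENCLAW_PORT} listening on {addr} ({scope})")
```

A finding means the port is reachable from the network the host sits on; whether it is reachable from the public internet also depends on firewall and NAT rules in front of the host.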

“It’s like giving some random person access to your computer to help do tasks,” Turner said. “If you supervise and verify, it’s a huge help. If you just walk away and tell them all future instructions will come via email or text message, they might follow instructions from anyone.”

As STRIKE pointed out, compromising an OpenClaw instance means gaining access to everything the agent can access, be that a credential store, filesystem, messaging platform, web browser, or just its cache of personal details gathered about its user.

And with many of the exposed OpenClaw instances coming from organizational IP addresses and not just home systems, it’s worth pointing out that this isn’t just a problem for individuals mucking around with AI.

[…]

“Consider carefully how you integrate this, and test in a virtual machine or separate system where you limit the data and access with careful consideration,” Turner explained. “Think of it like hiring a worker with a criminal history of identity theft who knows how to code well and might take instructions from anyone.”

That said, Turner isn’t advocating for individuals and organizations to completely abandon agentic AI like OpenClaw – he simply wants potential users to be wary and consider the risks when deploying a potentially revolutionary new tech product that’s rife with vulnerabilities.

“All these new capabilities are incredible, and the researchers deserve a lot of credit for democratizing access to these new technologies,” Turner told us. “Learn to swim before jumping in the ocean.”

[…]

Source: OpenClaw instances open to the internet present ripe targets • The Register

Robin Edgar
