21,000+ publicly exposed instances of an open-source personal AI assistant, raising significant concerns about unprotected access to sensitive user configurations and personal data.
OpenClaw, a rapidly emerging personal AI assistant created by Austrian developer Peter Steinberger, has experienced explosive growth since late January 2026.
The project, which underwent multiple branding iterations, initially launched as Clawdbot before rebranding to Moltbot following trademark concerns from Anthropic.
Finally settling on OpenClaw, expanded from approximately 1,000 deployments to over 21,000 instances in less than one week.
The platform’s defining characteristic is its ability to execute actions beyond traditional chatbot limitations.
Exposure Scope and Configuration
OpenClaw integrates natively with email, calendar systems, smart-home services, and food delivery platforms, enabling autonomous decision-making and task execution.
This expanded capability, while operationally robust, introduces significant security implications when instances are inadequately protected.
By design, OpenClaw operates locally on TCP/18789, accessible through a browser-based interface bound to localhost.
The project documentation explicitly recommends using SSH tunneling for remote access rather than exposing the system directly to the public.
However, organizational adoption patterns suggest widespread deviation from security best practices.
As of January 31, 2026, Censys identified 21,639 exposed instances using HTML title matching queries for “Moltbot Control” and “clawdbot Control.”
While most instances require authentication tokens for full interaction access, merely identifying and enumerating deployments can yield significant reconnaissance value for potential adversaries.
Geographic mapping indicates the United States hosts the largest share of visible deployments, followed by China and Singapore
This distribution reflects cloud provider footprint, regional adoption velocity, and varying deployment security practices across regions.
Many operators reportedly use Cloudflare Tunnels to allow remote access without exposing systems publicly, but there are no reliable statistics on how many deployments use this setup.
Operational Risk Assessment
The rapid proliferation of internet-facing OpenClaw instances presents multifaceted security concerns. Censys analysis reveals concentrated deployment patterns across major cloud providers.
At least 30% of observed instances run on Alibaba Cloud infrastructure. However, this concentration likely reflects visibility bias rather than absolute market dominance.
Instances provide potential attackers with access points to sensitive user configurations, authentication credentials, and integration settings for connected services.
The expansion of autonomous agent platforms, particularly following Moltbook’s launch as a social network for AI agents, amplifies the importance of a robust security posture early in the deployment lifecycle.
The scale and speed of OpenClaw adoption underscore a critical gap between development velocity and security maturity.
Organizations deploying these assistants must prioritize access controls, network segmentation, and continuous monitoring to mitigate exposure risks associated with this emerging technology category.
Follow us on Google News, LinkedIn, and X for daily cybersecurity updates. Contact us to feature your stories.
