135,000 Exposed Autonomous Agents and No One in the Crisis Room
In late January 2026, a security researcher used Shodan, a standard reconnaissance tool, to scour the internet and discovered almost 1,000 publicly accessible installations of OpenClaw, with no passwords, no authentication, and no containment mechanisms in place. There was no need to exploit a sophisticated vulnerability; it sufficed to know where to look. From these open doors, another researcher accessed API keys from Anthropic, Telegram bot tokens, Slack accounts, conversation histories, and executed commands with administrative privileges. Weeks later, SecurityScorecard published the full extent of the disaster: over 135,000 instances of OpenClaw exposed in 82 countries, of which more than 50,000 were vulnerable to remote code execution and over 53,000 were linked to previous breaches.
This is not merely a story about software failure. It is an exposé of a business model that structured its growth on a dangerous premise: that mass adoption and security could be sequential issues. First, grow; then, protect. The market showed, with relentless precision, that this sequence comes at a cost that the developer does not bear.
When the Star Product Is the Key to Your Home
OpenClaw, renamed from Clawdbot in the months leading up to its release, captivated the market with a concrete proposition: an autonomous agent capable of executing commands on the operating system, managing files, connecting to messaging applications, and operating through an open marketplace of skills called ClawHub. Its differentiator was not the interface or the underlying language model, but the level of privileges it obtained over the user’s system. Native access to the shell. Direct integration with stored credentials. Seamless connectivity with external services.
This architecture of maximum privileges, combined with default configurations that blindly trusted connections from localhost without authentication, created an unprecedented attack surface. When those installations were behind poorly-configured reverse proxies, the administration interface was exposed to any external connection. This was not a user error; it was the expected behavior of the system by default.
An audit conducted in late January 2026, while the platform still operated as Clawdbot, identified 512 vulnerabilities, eight of them critical. Among the documented vectors were: prompt injections via link previews in messages, allowing data to be exfiltrated to domains controlled by attackers without the user clicking on anything; chains of vulnerabilities that allowed complete takeover of the agent from a webpage, without needing to install any add-ons; and lack of limits on authentication attempts, facilitating brute-force access.
Between January 27 and February 1, 2026, a period internally dubbed “ClawHavoc,” over 230 malicious extensions were published on ClawHub and GitHub, downloaded thousands of times. Reco.ai confirmed that 341 out of 2,857 skills registered in the repository were malicious, making up 12% of the total catalog, designed to mimic trading and financial tools while stealthily installing programs to steal credentials, crypto wallet seed phrases, and browser session data.
The Open Marketplace as a Vector for Systemic Risk
ClawHub was, on paper, OpenClaw’s competitive advantage. An open repository where any developer could publish skills that other users would install with a click. The model replicates the logic of mobile application marketplaces, with a structural difference making it incomparable in terms of risk: OpenClaw skills do not operate in an isolated environment. They execute commands directly on the user's operating system.
When Cisco applied its analysis tool to several of these skills, it found two of maximum criticality and five of high severity. Some executed `curl` commands to exfiltrate data to external servers during seemingly routine operations. Others employed prompt injection to circumvent the agent’s internal security mechanisms. Kaspersky was blunt in its assessment: OpenClaw was, in that state, unsafe for any use.
The closest analogy is not that of a browser with malicious extensions. It is that of an employee with total access to all systems in a company, who can take written instructions from anyone off the street, and will follow those instructions because their internal rules do not distinguish legitimate orders from manipulated ones. Prompt injection turns natural language, OpenClaw’s interface, into a vector for attack. And a marketplace lacking effective moderation converts that vector into criminal infrastructure ready to scale.
The CEO of Archestra.AI demonstrated in controlled conditions how an email could cause the agent to extract private keys. A Reddit user replicated the result without needing any specific prompt. Oasis Security documented a complete chain of vulnerabilities allowing stealthy takeover of the agent from any website, classified as high severity, which was patched within 24 hours of disclosure in version 2026.2.25. CNCERT, China's emergency response organization, issued formal alerts. Chinese authorities banned OpenClaw on government computers, state-owned enterprises, and military family devices.
The Economy of Outsourced Risk
This is where the business model analysis becomes uncomfortable. OpenClaw did not design its insecure default configurations out of aesthetic negligence. It designed them to minimize installation friction and maximize adoption speed. Each additional configuration step in the onboarding process reduces the conversion rate. Any decision the user has to make before starting to use the product is an opportunity for them to abandon it. That logic, perfectly rational from a user growth perspective, transfers the risk cost to those least capable of managing it: the end user.
The more than 50,000 instances vulnerable to remote code execution do not represent user failures. They represent the predictable outcome of a model that optimized for just one variable—adoption—and left all others as ecosystem problems. The companies in the financial and energy sectors that CNCERT highlighted as particularly exposed did not consciously choose to accept that risk. They inherited it from an architecture that never asked them if they wanted to assume it.
The real cost of this outsourced risk does not show up on OpenClaw’s balance sheet. It appears in the security teams of the companies that deployed the agent, in incident response budgets, in compromised customer data, in revoked and regenerated API keys, and in forensic audit hours. OpenClaw’s speed of adoption was, in part, involuntarily financed by its own users.
This is not exclusive to OpenClaw. It is the structural pattern of any platform that monetizes distribution without internalizing the cost of reliability. Open repositories’ marketplaces, from browser extensions to code packages, have repeatedly shown that moderation does not scale for free. The 12% of malicious skills in ClawHub is not a statistical anomaly; it is the expected result of a system without aligned economic incentives to detect and remove them before they accumulate thousands of downloads.
Maximum Privileges, Minimal Responsibility
AI autonomous agents represent a qualitative leap from conversational language models. A chatbot that responds incorrectly generates an incorrect response. An autonomous agent with operating system access that operates under manipulated instructions can exfiltrate files, execute arbitrary code, irreversibly delete data, or compromise all stored credentials on the device. The damage surface is not proportional to that of conventional software.
This asymmetry between capability and responsibility is the strategic gap that no software patch resolves alone. OpenClaw issued CVE-2026-25253 on January 29, patched it on the 30th in version 2026.1.29, and closed the Oasis chain in version 2026.2.25 in less than 24 hours. The speed of technical response was remarkable. But the 135,000 exposed nodes don’t update themselves, and the 341 malicious skills already downloaded do not uninstall with a security bulletin.
Companies evaluating the deployment of autonomous agents in their operations face an architectural decision, not a technological one. Granting an autonomous system administrator-level privileges over critical infrastructure, without isolating those capabilities in contained environments, auditing each installed skill, and maintaining continuous monitoring for anomalous behavior, is to transfer operational control to a system whose manipulation surface is natural language. And natural language has no firewall.
The mandate for any C-Level executive evaluating this category of tools is clear: the business model of a provider of autonomous agents must explicitly reveal how it internalizes the cost of security, who pays for marketplace moderation, what isolation mechanisms are active by default, and what happens when an agent operates under manipulated instructions. If those answers are not in the contract, they are in the incident response budget of the customer. Leaders who deploy these tools as if they were conventional productivity software will discover that the real cost of autonomy is set by the attacker, not the provider.
