The IT Nerd

The AI agent OpenClaw’s popularity has skyrocketed over recent weeks, but so have concerns about its cybersecurity risks. New findings reveal that roughly 73% of OpenClaw servers exposed this week remain publicly accessible to this day, creating a significant threat to users and an even greater risk to businesses — a single employee using OpenClaw could potentially expose sensitive information or corporate credentials.

openclaw.ai (formerly Clawdbot or Moltbot) is a self-hosted AI agent and assistant created by developer Peter Steinberger. Recently, it took the internet by storm with the promise of an AI agent that not only responds but also takes independent action — OpenClaw can instantly execute commands, such as scheduling meetings, editing files, or browsing the internet, among many other use cases.

Although deemed revolutionary by some users, OpenClaw’s functionalities come with a hefty cost — with extensive access to local and web-based applications, passwords, and other sensitive information, the responsibility of securing the environment in which the AI agent is deployed falls on the user, and failure to do so poses a high risk of leaking data to the open web. Labeled as a “hobby project” by its creators, OpenClaw doesn’t sugarcoat its cybersecurity risks and recommends that users who are not familiar with basic security and access control avoid the AI agent or seek guidance from professionals.

A senior threat intelligence researcher from NordStellar, a threat exposure management platform, analyzed findings from network observability tools that revealed about 21,000 (21,356) servers running OpenClaw or its prerequisites were accessible on the public internet this week.

As of Thursday, February 5th, nearly 16,000 (15,578) of those servers were still accessible, highlighting that not only does OpenClaw pose significant cybersecurity risks, but users are slow to take the necessary security measures to make these servers inaccessible, leaving them publicly exposed, and further illustrating that the majority of them lack the technical knowledge to mitigate the security risks of deploying OpenClaw.

And that’s only part of the story — a recently documented high severity vulnerability in OpenClaw allows an attacker to gain remote code execution just by tricking a user into clicking a single malicious link. Users have also been flocking to GitHub to report vulnerabilities. While not all of them have been validated, the number of identified security issues has been growing rapidly and has already surpassed 100 reports.

Having already garnered over 145,000 GitHub stars and 20,000 forks, users are nevertheless quick to adopt the new agent. Andrius Buinovskis, a cybersecurity expert at NordLayer, a toggle-ready network security platform for businesses, warns that OpenClaw’s growing popularity should be a cause for concern among businesses.

“OpenClaw introduces significant security risks for users, but they’re even more dangerous for organizations. Businesses handle extremely sensitive data, and a single employee using OpenClaw could unknowingly jeopardize the organization’s security,” says Buinovskis.

He explains that the AI agent stores passwords, API keys, and OAuth tokens in plaintext — without encryption — so leaked corporate credentials will be easily accessible and usable by anyone who manages to get their hands on them. This sensitive data, along with chat history with the AI bot, is stored on a local web server that could accidentally be exposed to the public internet.

“With the ability to automate some everyday work tasks, it’s understandable why employees could be eager to deploy OpenClaw. The software is primarily designed for a more tech-savvy audience, such as developers and vibe-coders. However, the sheer number of exposed servers proves that even experienced users overlook basic security hygiene when a tool is easy to misconfigure,” says Buinovskis.

Mitigating OpenClaw security risks in a business environment

According to Buinovskis, while there are many cybersecurity concerns surrounding OpenClaw, businesses can take key preventive measures to mitigate some of the main risks. He highlights that full system access, autonomy, and complex setups are key risks security teams should keep in mind and aim to address.

“The first key objective is to mitigate the shadow IT problem OpenClaw poses for organizations by avoiding uncontrolled and decentralized deployments,” says Buinovskis. “This calls for clear policies surrounding approved software enforcement mechanisms, like endpoint detection, to prevent employees from running unapproved instances in the first place.”

He highlights that while OpenClaw is dangerous, security teams would benefit from getting ahead of the problem. Since employees might go rogue and use it anyway, it’s better for them to do so in a secure, controlled environment.

“In reality, even extensive cybersecurity awareness training does not guarantee that users will refrain from risky behaviour, despite knowing the threats that may follow. While it might seem counterintuitive, allowing employees who are interested in using OpenClaw to deploy it centrally would eliminate any risks that could arise from poor misconfiguration,” says Buinovskis.

He explains that centralized deployment provides a single point of control for security teams, allowing them to configure a single instance correctly rather than relying on numerous employees to do it right. This approach also establishes consistent security settings throughout — ensuring that authentication, firewalls, and encryption are applied, and allowing easier monitoring of logs and access attempts.

“Even if OpenClaw is deployed centrally, users still need a safe way to access it. For this, they need a secure, encrypted tunnel that they could access with authorization,” says Buinovskis. “Secure tunnels ensure that the server containing sensitive data is isolated from the public internet, and setting up a VPN or private network allows only authorized users to have access to OpenClaw.”

Bunovskis continues that creating remote access via secure tunnels prevents the server containing sensitive data from becoming publicly accessible, safeguarding it from attackers. This approach also encrypts the traffic, mitigating the risk of data exposure during transit.