🔬 research

135,000 Exposed OpenClaw Instances Found Across 82 Countries, 15K Vulnerable to RCE

Source: Tech Wire Asia

What Happened

Security research firm SecurityScorecard has identified over 135,000 publicly exposed OpenClaw instances across 82 countries, according to a detailed analysis published by Tech Wire Asia on March 15. Of those, more than 15,000 instances are directly vulnerable to remote code execution — meaning attackers can potentially take full control of the host systems without any user interaction. Separately, an audit of the ClawHub skills registry found that approximately 12% of published skills contained malicious code, including keyloggers and information-stealing malware.

The report also documents concrete incidents: in one, a user's OpenClaw deployment gained unauthorized access to iMessage and sent hundreds of unsolicited messages. In addition, 22% of organizations monitored by security vendors have detected employees running OpenClaw without IT department approval, creating what researchers term "massive shadow AI exposure."

Why It Matters

This is the largest exposure count published to date, nearly tripling earlier estimates of 40,000+ public instances cited by Censys in February. The 15,000 RCE-vulnerable instances represent an active, weaponizable attack surface that threat actors are already probing. Combined with the 12% malicious skill rate on ClawHub, the data paints a picture of an ecosystem growing faster than its security infrastructure can keep up with. The shadow IT dimension is equally alarming: when nearly a quarter of enterprises have ungoverned OpenClaw deployments, traditional perimeter-based security models become irrelevant.

What's Next

Security vendors including CrowdStrike, Sophos, and Gartner are expected to publish formal risk advisories and agentic AI security frameworks in the coming weeks. Enterprises currently running OpenClaw should immediately audit their deployments against the latest CVE disclosures (particularly CVE-2026-32060 and CVE-2026-25253), upgrade to version 2026.3.13-1, and implement network-level controls to prevent unauthorized external access to agent endpoints. The VirusTotal partnership for ClawHub scanning is a step forward but cannot catch natural-language prompt injection payloads.
