It's been a brutal week for OpenClaw security. Two major reports dropped within days of each other.
The Numbers
| Metric | Value |
|---|---|
| Exposed instances | 40,214 |
| Vulnerable | 63% |
| RCE exploitable | 12,812 |
| New CVEs patched | 6 |
Report #1: SecurityScorecard Finds 40K+ Exposed Instances
SecurityScorecard reported finding over 40,000 misconfigured OpenClaw instances exposed to the public internet.
- 549 instances already correlated with prior breach activity
- 1,493 instances with known vulnerabilities
- 12,812 instances exploitable via RCE
- 63% of all observed deployments are vulnerable
Most exposures are in China, followed by the US and Singapore.
"The more centralized the access, the more damage a single compromise can cause." — SecurityScorecard
And threat actors are already targeting agents with infostealers.
Report #2: Endor Labs Discovers 6 New Vulnerabilities
Endor Labs revealed six new vulnerabilities:
| CVE | Type | Severity |
|---|---|---|
| CVE-2026-26322 | SSRF in Gateway | High (7.6) |
| CVE-2026-26319 | Missing Telnyx webhook auth | High (7.5) |
| CVE-2026-26329 | Path traversal in browser upload | High |
| GHSA-56f2 | SSRF in image tool | High (7.6) |
| GHSA-pg2v | SSRF in Urbit auth | Moderate (6.5) |
| GHSA-c37p | Twilio webhook auth bypass | Moderate (6.5) |
The common thread: trust boundaries that don't exist. A webhook endpoint that never checks who is calling it, an upload handler that trusts the client's filename, and an outbound fetch that will happily connect to whatever address it is handed are all the same bug: input from an untrusted party is treated as if it came from the operator.
Why Sandboxes Alone Dont Fix This
Sandboxes contain blast radius. That's good. But they miss:
- Credential access — your agent needs creds to work. A sandbox doesn't stop it from reading ~/.ssh/id_rsa
- Prompt injection — malicious instructions execute with whatever permissions the agent already has
- Malicious skills — installed from ClawHub, run as trusted code
- Network egress — the agent needs net access; the sandbox doesn't monitor what leaves
As one HN commenter noted: "The unfixable trifecta: personal data access + network + untrusted inputs."
They're partially right. You can't eliminate the risk. But you can monitor, detect, and limit it at the host level.
The Missing Layer: Host-Level Runtime Protection
SecurityScorecard's own recommendations:
- Aggressively limit access
- Adopt zero trust
- Monitor the logic and components
- Treat every agent like a privileged identity
This is what host-level protection does. Not instead of sandboxes — alongside them.
What Host Protection Catches That Sandboxes Dont
- Agent reading credential files outside its working directory
- Skills with obfuscated code or suspicious network calls
- Permission escalation beyond the assigned tier
- Data exfiltration through allowed network channels
- Behavioral anomalies (3 AM file access, unusual commands)
What You Can Do Today
1. Check if you're exposed — if your OpenClaw is internet-accessible, fix your firewall now.
2. Update immediately — all six vulnerabilities are patched: npm update -g openclaw
3. Audit your skills — remove anything you don't use.
4. Add runtime monitoring:
```bash
npm install clawmoat
# Scan a skill before installing
npx clawmoat skill-audit ./path-to-skill
# Run with host protection
npx clawmoat --tier worker --audit-log ./agent-audit.json
```
ClawMoat adds the host protection layer: permission tiers, forbidden zone enforcement, credential monitoring, skill integrity checking, and network egress logging. Open source, zero dependencies, 142 tests.
5. Don't run on your primary workstation — use a dedicated machine. But if you must (most people do), at minimum enforce permission tiers and monitor file access.
The Bigger Picture
The OpenClaw ecosystem grew faster than its security model. No single tool fixes this. You need:
- Sandboxing — blast radius containment
- Host monitoring — runtime behavior detection
- Skill auditing — supply chain security
- Network controls — egress filtering
- Human oversight — approval of sensitive operations
ClawMoat handles three of those five layers. It's not a silver bullet — nothing is. But it's the layer most deployments are missing entirely.
Full post with interactive stats: clawmoat.com/blog/40000-exposed-openclaw-instances.html
GitHub: github.com/darfaz/clawmoat