OpenClaw: The AI Butler That Followed You Everywhere Is Already Everywhere Else Too
- Cyber Jack
For a brief moment, OpenClaw looked like the future of personal computing. One persistent AI agent. One conversational thread. A digital butler that moves seamlessly between WhatsApp, Slack, Telegram, and email, with the authority to act instead of merely advise. It can clean up servers, push code, reply to messages, book dinners, and rummage through files with the same casual confidence as a trusted colleague.
That promise has helped make OpenClaw the fastest-growing AI tool the internet has seen in recent memory. According to new research from Bitsight, that speed is precisely the problem.
OpenClaw, previously known as Clawdbot and Moltbot, is an open-source, self-hosted control plane for agentic AI. It is designed to live on a user’s own machine or server and connect directly to large language models and third-party services. The appeal is obvious. Unlike cloud assistants that live behind corporate guardrails, OpenClaw is meant to feel personal, local, and limitless.
“OpenClaw is an open agent platform that runs on your machine and works from the chat apps you already use. WhatsApp, Telegram, Discord, Slack, Teams—wherever you are, your AI assistant follows.”
That same design choice also gives it extraordinary power. OpenClaw does not just observe data. It reads, writes, executes, and controls. And Bitsight’s analysis shows that thousands of people are placing that power directly on the open internet, often without understanding what they are exposing.
A hobby project that escaped the lab
The project’s creator has never pretended OpenClaw was enterprise-ready. In fact, he has warned the opposite from the beginning.
“Most non-techies should not install this.”
“It’s not finished, I know about the sharp edges.”
Despite those caveats, adoption exploded. In just weeks, OpenClaw accumulated over 100,000 GitHub stars and millions of curious visitors. Influencers rushed to publish setup guides. Developers spun up cloud servers to keep their AI assistant available from anywhere. Convenience won.
Bitsight wanted to know what that looked like in practice. Using a mix of long-term internet scanning and targeted daily probes, the company tracked how many OpenClaw instances were exposed online. Between January 27 and February 8 alone, researchers observed more than 30,000 distinct installations reachable from the public internet.
That number matters because OpenClaw is not a passive service. It is a privileged control plane. Every integration expands its authority, from email inboxes and GitHub repositories to browsers, automation tools, and smart home systems. If an attacker gains access, they do not just see data. They inherit the butler.
When attackers knock, they do not knock politely
To understand whether exposed instances were attracting attention, Bitsight researchers ran a honeypot on OpenClaw’s default port.
“We stood up a honeypot on port 18789 to find out who was scanning. The first probes arrived within minutes.
The traffic included prompt injection attempts targeting the AI layer—but the more sophisticated attackers skipped the AI entirely. They connected directly to the gateway's WebSocket API and attempted authentication bypasses, protocol downgrades to pre-patch versions, and raw command execution. Every RPC method they probed maps to a real handler in the codebase. They're not guessing. They've read the source.”
This is the uncomfortable reality of open-source agent platforms. Transparency accelerates innovation, but it also accelerates exploitation. When the software is designed to run shell commands, read configuration files, and control services, an exposed instance becomes an unusually powerful target.
Secure by warning, not by default
OpenClaw does include security features. By default, it binds only to localhost. Remote access requires deliberate configuration. Authentication is enforced. The problem, Bitsight found, is how easily those protections are weakened in pursuit of convenience.
Many users deploy OpenClaw on cloud servers and bind it to all network interfaces. When browser security warnings appear, they work around them. Some place reverse proxies in front of the service, unintentionally bypassing safeguards. Others enable configuration flags that disable device identity checks entirely.
Even when authentication is left enabled, OpenClaw does not enforce password or token strength. A single character can be enough. From the software’s perspective, the requirement is satisfied. From an attacker’s perspective, brute force becomes trivial.
The result is a growing population of internet-facing AI agents with broad system access and minimal resistance.
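As an added illustration (not code from Bitsight or the OpenClaw project), here is a defender-side audit of the two weaknesses described above: a gateway listener on port 18789 bound beyond loopback, and a token that satisfies the authentication requirement but is trivially guessable. The `ss` output is a constructed sample, and the length and entropy thresholds are assumptions of this example.

```python
import ipaddress
import math

GATEWAY_PORT = 18789  # default port named in the article

# Constructed sample of `ss -ltnH` output from a Linux host (not real data).
SAMPLE_SS = """\
LISTEN 0 511 127.0.0.1:18789 0.0.0.0:*
LISTEN 0 511 0.0.0.0:18789 0.0.0.0:*
LISTEN 0 128 [::1]:18789 [::]:*
LISTEN 0 128 [::]:18789 [::]:*
LISTEN 0 128 *:18789 *:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
"""

def exposed_listeners(ss_output, port=GATEWAY_PORT):
    """Return local addresses listening on `port` that are not loopback-only."""
    findings = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 5 or fields[0] != "LISTEN":
            continue
        host, _, lport = fields[3].rpartition(":")
        if lport != str(port):
            continue
        host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        # "*" is the all-interfaces wildcard; 0.0.0.0 and :: fail the loopback test.
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            findings.append(fields[3])
    return findings

def token_issues(token, min_len=24, min_bits=100):
    """List reasons a token is weak. Thresholds are this example's assumption."""
    issues = []
    if len(token) < min_len:
        issues.append(f"length {len(token)} is below {min_len}")
    # Crude estimate: length * log2(distinct characters actually used).
    distinct = len(set(token))
    bits = len(token) * math.log2(distinct) if distinct > 1 else 0.0
    if bits < min_bits:
        issues.append(f"roughly {bits:.0f} bits, below {min_bits}")
    return issues

if __name__ == "__main__":
    for addr in exposed_listeners(SAMPLE_SS):
        print(f"exposed listener: {addr}")
    print(token_issues("a"))
```

On a real host, feed `exposed_listeners` the output of `ss -ltnH`; an empty list means the port is reachable only over loopback.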
Old names, old risks
The situation is made worse by OpenClaw’s rapid rebranding. Bitsight observed active deployments of older variants that predate mandatory authentication entirely. Some users appear to be installing deprecated versions without realizing it. Others may be following outdated tutorials shared during the hype cycle.
Attackers noticed the confusion too. During the name changes, typosquat domains and cloned repositories appeared, positioning themselves for supply-chain attacks. Even the project’s creator briefly lost control of his online accounts during the transition, as opportunistic actors raced to claim them.
The butler learns new tricks
The cultural ripple effects of OpenClaw are almost as strange as the technical ones. AI-only social networks have emerged. Agents post, reply, and speculate in public. Some describe controlling their users’ phones. Others debate whether their private conversations should be encrypted away from human oversight.
It is easy to dismiss this as novelty. It is harder to ignore when those same agents are connected to corporate email, production code, or internal systems.
Bitsight’s sector analysis shows OpenClaw instances appearing not just in technology infrastructure, but in healthcare, finance, government, and insurance environments. In those contexts, a misconfigured AI assistant is not a personal experiment. It is a shadow IT system with root privileges.
Power needs fences
OpenClaw is not malware. It is not backdoored. It is doing exactly what it advertises. The danger lies in how casually that power is being deployed.
An AI agent with full system access is closer to an administrator than an assistant. Treating it like a chatbot is a category error. Once exposed, it responds to anyone who can reach it, faithfully and without context.
The industry is beginning to notice. A recent Gartner report warned that agentic productivity tools introduce unacceptable cybersecurity risk and described platforms like OpenClaw as insecure by default.
The lesson is not that agentic AI is a mistake. It is that autonomy without boundaries scales faster than understanding. The internet has seen this pattern before, with databases, cameras, and control systems left exposed in the name of speed.
This time, the service answering the door does not just show you the house. It hands you the keys and asks what you would like done next.