
17,500 OpenClaw Instances Are Exposed to the Internet — Is Yours One of Them?

A security investigation found thousands of unprotected OpenClaw instances online. Learn the most common misconfigurations and how to keep your AI assistant secure.

A recent security investigation uncovered a staggering number: 17,500+ OpenClaw instances are directly exposed to the internet with misconfigured security settings. Many of these instances are running with open DM policies, no authentication, and unpatched software — leaving their owners vulnerable to abuse, data leaks, and runaway AI costs.

If you're running OpenClaw, this article explains what went wrong, how to check if you're affected, and what to do about it.

What Does "Exposed" Mean?

An exposed OpenClaw instance is one where:

  • Anyone on the internet can send messages to the bot and consume the owner's AI credits
  • The DM policy is set to "open" instead of using a secure pairing flow
  • The management port (18789) is accessible from the public internet
  • No authentication is required to interact with the bot or its dashboard

In many cases, the owners don't even know their instance is exposed. They set it up, got it working, and never checked the security configuration.

The Most Common Misconfigurations

1. Open DM Policy

The most widespread issue. OpenClaw's dmPolicy setting controls who can message your bot:

  • "open" — anyone can message the bot. This is the dangerous default that many tutorials recommend.
  • "pairing" — users must be explicitly approved before they can interact with the bot. This is the secure option.

With an open DM policy, a stranger can find your Telegram bot, start chatting, and burn through your AI credits. Worse, they could use your bot for harmful content — and the AI provider bills go to you.

2. Unpatched Software

OpenClaw is under active development, with frequent security patches. Self-hosted instances that aren't regularly updated are running with known vulnerabilities.

The problem: most self-hosted users set up OpenClaw once and forget about it. There's no automatic update mechanism unless you build one yourself.

3. Exposed Management Dashboard

OpenClaw includes a built-in Control UI on port 18789. If your server's firewall doesn't block this port, anyone can access your instance's management dashboard — viewing configurations, conversation metadata, and potentially sensitive settings.

4. API Keys in Environment Variables

Many self-hosted setups store AI provider API keys (Anthropic, OpenAI, Google) as plain environment variables. If the instance is compromised, these keys are immediately exposed — and an attacker can use them to run up massive bills on your AI provider accounts.
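
Two defensive checks for the key-storage problem just described, as an added example that is not OpenClaw's own code. The first reports which provider key variables are present in a process environment; the second reads a key from a file and refuses to proceed unless the file is readable only by its owner. The variable names in KEY_ENV_NAMES are ones commonly used by the provider SDKs and are an assumption to adjust for your setup; how OpenClaw itself receives a key is not described on this page, so the loader is the pattern to use in any wrapper or plugin you control.

```python
"""Audit and mitigation for API keys kept as plain environment variables.
Added example, not OpenClaw code. KEY_ENV_NAMES is an assumption: names
commonly used by provider SDKs; extend it to match your deployment."""
import os
import stat
from pathlib import Path

KEY_ENV_NAMES = ("ANTHROPIC_API_KEY", "OPENAI_API_KEY", "GOOGLE_API_KEY")


def keys_in_environment(environ=None):
    """Return the provider key variables that are set (non-empty).
    Anything listed here is inherited by every child process and readable by
    anyone who can inspect the process environment, which is the exposure the
    article describes."""
    env = os.environ if environ is None else environ
    return [name for name in KEY_ENV_NAMES if env.get(name)]


def load_secret_file(path):
    """Read a key from a file readable only by its owner (mode 0600).
    Group- or world-readable files are refused so a permission slip fails
    loudly at startup instead of quietly leaking the key."""
    secret_path = Path(path)
    mode = stat.S_IMODE(secret_path.stat().st_mode)
    if mode & (stat.S_IRWXG | stat.S_IRWXO):
        raise PermissionError(
            f"{secret_path} has mode {mode:04o}; run chmod 600 on it before use"
        )
    secret = secret_path.read_text().strip()
    if not secret:
        raise ValueError(f"{secret_path} is empty")
    return secret


if __name__ == "__main__":
    # Report on the live environment of this shell; nothing is printed that
    # would reveal the key values themselves, only which names are set.
    found = keys_in_environment()
    if found:
        print("provider keys present in the environment:", ", ".join(found))
    else:
        print("no provider key variables set in this environment")
```

Run the script from the same shell that launches your instance: if it lists any names, those keys are available to every process started from that shell. The loader is deliberately strict about permission bits rather than checking whether the current user can read the file, because the point is to catch a file that other local users could also read.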

How to Check If You're Exposed

If you're self-hosting OpenClaw, run through this checklist:

  1. Check your DM policy — open your openclaw.json and verify dmPolicy is set to "pairing", not "open"
  2. Check your firewall — port 18789 should NOT be accessible from the internet. Test with: curl http://your-server-ip:18789 from an external network
  3. Check your OpenClaw version — run openclaw --version and compare with the latest release on GitHub
  4. Check your bot on Telegram — try messaging your bot from a different Telegram account that hasn't been paired. If it responds, your DM policy is open.
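
Steps 1 to 3 of that checklist can be scripted. The audit below is an added example, not OpenClaw's own tooling: it reads dmPolicy from openclaw.json, tests whether TCP port 18789 answers from wherever the script is run, and compares the installed version with the latest release number you take from the GitHub releases page. It assumes, which the article does not state, that dmPolicy is a top-level key in openclaw.json and that `openclaw --version` prints a dotted version number; the two sample configs are constructed. Step 4 (messaging the bot from an unpaired Telegram account) stays manual.

```python
"""Audit a self-hosted OpenClaw instance against the checklist above.
Added example, not OpenClaw tooling. Assumptions not stated by the article:
openclaw.json keeps dmPolicy as a top-level key, and `openclaw --version`
output contains a dotted number such as 1.4.2."""
import json
import re
import socket
from pathlib import Path

MANAGEMENT_PORT = 18789  # Control UI port named in the article

# Constructed sample configs: the risky setting and the fix.
WEAK_CONFIG = '{"dmPolicy": "open"}'
HARDENED_CONFIG = '{"dmPolicy": "pairing"}'


def check_dm_policy(config_text):
    """Return (ok, message) for the dmPolicy value in openclaw.json text.
    Only "pairing" passes; a missing key is treated as exposed because the
    article reports that "open" is the default."""
    try:
        config = json.loads(config_text)
    except json.JSONDecodeError as exc:
        return False, f"openclaw.json is not valid JSON: {exc}"
    if not isinstance(config, dict):
        return False, "openclaw.json does not contain a JSON object"
    policy = config.get("dmPolicy")
    if policy == "pairing":
        return True, 'dmPolicy is "pairing"'
    if policy is None:
        return False, 'dmPolicy is not set; the default is "open", so set it to "pairing"'
    return False, f'dmPolicy is "{policy}"; set it to "pairing"'


def port_reachable(host, port=MANAGEMENT_PORT, timeout=3.0):
    """True when a TCP connect to host:port succeeds. Run this from a network
    outside the server, like the article's curl test: a successful connect to
    the management port means the firewall is not blocking it."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


def parse_version(text):
    """Pull the first dotted version out of `openclaw --version` output and
    return it as a (major, minor, patch) tuple so versions order correctly."""
    match = re.search(r"(\d+)\.(\d+)(?:\.(\d+))?", text)
    if not match:
        raise ValueError(f"no version number found in {text!r}")
    return tuple(int(part or 0) for part in match.groups())


def is_outdated(installed, latest):
    """True when the installed version is older than the latest release
    (take `latest` from the project's GitHub releases page)."""
    return parse_version(installed) < parse_version(latest)


def audit(config_text, external_host, installed_version, latest_version):
    """Run every check and return the list of findings (empty means clean).
    Pass external_host=None to skip the network test."""
    findings = []
    ok, message = check_dm_policy(config_text)
    if not ok:
        findings.append(message)
    if external_host and port_reachable(external_host):
        findings.append(
            f"port {MANAGEMENT_PORT} answers from outside; block it at the firewall"
        )
    if is_outdated(installed_version, latest_version):
        findings.append(
            f"installed {installed_version} is behind latest {latest_version}"
        )
    return findings


if __name__ == "__main__":
    import sys
    # usage: python audit_openclaw.py openclaw.json <server-ip> "$(openclaw --version)" <latest-release>
    if len(sys.argv) != 5:
        sys.exit("usage: audit_openclaw.py CONFIG HOST INSTALLED_VERSION LATEST_VERSION")
    config_path, host, installed, latest = sys.argv[1:]
    results = audit(Path(config_path).read_text(), host, installed, latest)
    for line in results or ["no findings"]:
        print("-", line)
```

Run it from a machine outside your server's network so the port test reflects what the public internet sees; run from the server itself it would only tell you that the Control UI is listening locally. A port that does not answer is still worth confirming with the firewall rules directly, since a connect can also fail because the service happens to be down.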

The Cost of Getting It Wrong

The consequences of an exposed instance range from annoying to expensive:

  • Credit drain — strangers using your bot consume your AI credits. At $15-50+ per 1M tokens, this adds up quickly
  • AI provider account suspension — if your bot is used for policy-violating content, Anthropic/OpenAI/Google may suspend your API keys
  • Data exposure — conversation history and metadata could be accessible
  • Reputation damage — your Telegram bot could be used to send spam or harmful content

How Managed Hosting Solves This

Managed hosting platforms handle security configuration automatically, removing the possibility of these misconfigurations:

  • Secure pairing by default — the bot only responds to explicitly approved users
  • No exposed ports — the management dashboard is accessible only through an authenticated proxy
  • Automatic updates — security patches are applied without any action from you
  • Isolated instances — each deployment runs on its own machine, with no shared resources
  • No API key management — you never handle raw API keys; the platform manages AI provider access

With SimpleClaw, every single one of these security issues is handled automatically. You deploy, pair your Telegram, and your instance is secure from day one.

Summary

A count of 17,500+ exposed OpenClaw instances is a wake-up call for the community. The rapid growth of OpenClaw (200K+ GitHub stars) means thousands of new users are deploying instances every week — many without understanding the security implications.

If you're self-hosting, audit your configuration today. If you'd rather not worry about security at all, managed hosting gives you a secure setup by default.
