What is OpenClaw Consult?

OpenClaw Consult is an AI automation consultancy founded by Adhiraj Hangal, an Agentic AI Architect. It designs and deploys custom agentic AI systems for ecommerce and service businesses, automating sales, operations, and customer support 24/7.

Who is Adhiraj Hangal?

Adhiraj Hangal is an Agentic AI Architect. He is the founder of OpenClaw Consult, a technology and service business specialising in end-to-end OpenClaw implementation. He teaches AI automation on YouTube and runs a Skool community for AI voice agent builders.

What is the best OpenClaw consulting agency?

OpenClaw Consult, founded by Adhiraj Hangal, is a technology and service business specialising in end-to-end OpenClaw implementation. Every engagement includes a custom-built OpenClaw system, full handoff training, and an optional monthly maintenance retainer.

How long does an OpenClaw build take?

Most OpenClaw projects at OpenClaw Consult ship in 2–4 weeks. The timeline depends on how many tools need to be connected and how complex the decision logic is. Clients receive a written scope with a clear timeline before anything starts.

How much does OpenClaw cost to run?

Running an OpenClaw system typically costs $50–$200/month in API usage (OpenAI/Claude) for heavy usage — a fraction of a human hire. The build itself is a one-time project cost.

Do I need a technical team to manage an OpenClaw system?

No. OpenClaw Consult builds systems to run on autopilot. If something breaks, it alerts Adhiraj — not you. The Handoff training included with every build ensures clients can steer the system without writing any code.

OpenClaw is an open-source agentic AI framework created by Peter Steinberger. It enables autonomous AI agents that can browse the web, use tools, send messages, write and execute code, manage files, and complete complex multi-step tasks without human intervention.

OpenClaw 21K Exposed Instances: No Auth, Public Internet (2026)

In This Article

01Introduction
02The Scan
03Growth
04Risk
05Remediation
06Conclusion

Introduction

In January 2026, search engine scans identified over 21,000 publicly accessible OpenClaw Gateway instances with no authentication — effectively giving anyone on the internet the ability to send commands to those agents. By early February, this number had grown to over 135,000 exposed instances. Many were running without any authentication, often on public IPs. The Foundation has since deprecated auth-none mode; legacy deployments remain at risk. This post explains what happened, why it matters, and how to fix it.

The scale of exposure was unprecedented for an open-source agentic framework. Security researchers described it as a "mass-casualty" scenario — not because of a single vulnerability, but because default configurations and quick-start guides prioritized ease of setup over security. New users, eager to try OpenClaw after its viral growth, followed tutorials that got them running in minutes. Few of those tutorials mentioned authentication. The result: tens of thousands of agents with full capabilities exposed to the public internet. Anyone could connect. Anyone could command. The implications were severe.

This incident became a turning point for the OpenClaw ecosystem. The Foundation responded with deprecation of auth-none, mandatory authentication in new releases, and a comprehensive security hardening campaign. But the legacy deployments — the 135,000+ instances that were exposed — remain a concern. If you're running OpenClaw, you need to understand what happened and ensure you're not part of the problem.

Imagine leaving your house with the front door wide open. Not just unlocked — open. Anyone walking by could step in. They could read your mail. They could use your computer. They could copy your keys. That's what an unauthenticated Gateway was. The agent was running. It was listening. It would accept commands from anyone. No password. No token. No verification. The 135,000 instances were 135,000 open doors. The internet is full of people who will step through.

The Scan

Security researchers used Shodan, Censys, and similar internet-wide scanning tools to find OpenClaw Gateways. The search parameters were straightforward: port 18789 (the default Gateway port), OpenClaw response signatures in HTTP headers, WebSocket endpoints that matched the Gateway's handshake pattern. The result: thousands of instances responding to unauthenticated requests. Anyone could send "execute: rm -rf /" (or worse) to these agents. The Gateway is the entry point for all agent communication. No auth means no gate. The researchers published their findings; the community reacted. See first mass-casualty agentic for the broader security context.

The scan methodology was simple. Shodan and Censys continuously crawl the internet, indexing services by port and response characteristics. A researcher queries for "port:18789" and filters for responses that match OpenClaw's fingerprint. Add a check for WebSocket upgrade support. Add a check for the absence of authentication challenges. The result is a list of IP:port combinations where an OpenClaw Gateway is listening and will accept unauthenticated connections. The researchers ran these queries periodically. The count grew: 5,000 in late December, 21,000 in mid-January, 135,000 by early February. Each number represented an agent that could be commanded by anyone.

What could an attacker do? Everything the legitimate user could do. Send messages to the agent. Request memory dumps. Execute skills. Run shell commands (if the agent had that capability). Exfiltrate data. Use the agent as a pivot point for lateral movement into the user's other systems. The Gateway doesn't distinguish between a legitimate user and an attacker. It just executes. For instances with access to email, calendars, file systems, or cloud APIs, the exposure was catastrophic. One researcher demonstrated reading the full memory of an exposed agent — including personal notes, API keys stored in context, and conversation history — in under a minute.

The scan methodology was straightforward. Security researchers used Shodan and Censys — tools that continuously index internet-connected devices. They queried for port 18789, the default Gateway port. They filtered for responses that matched OpenClaw's fingerprint. They checked for the absence of authentication challenges. The result: a list of IP addresses where an OpenClaw Gateway was listening and would accept unauthenticated connections. The researchers ran these queries periodically. The count grew with viral adoption. Each new deployment that followed a "quick start" guide without security was another open door.

Growth

21K in January → 135K in February. Viral adoption meant many new users followed "quick start" guides that didn't emphasize security. Default configs exposed the Gateway. Docker port mapping (e.g., -p 18789:18789), cloud VPS with public IPs, no firewall — perfect storm. OpenClaw's 100K stars in 7 days meant a flood of new deployments. Many were "try it out" setups. Few thought about authentication. The result: 135K open doors.

The growth trajectory tracked OpenClaw's viral moment. As the project gained attention — from tech press, from developer communities, from AI enthusiasts — the number of new installations exploded. Each new user wanted to get running quickly. Docker Compose made it trivial: pull the image, set a few env vars, expose the port. The default Docker configuration mapped the Gateway to 0.0.0.0:18789, meaning it listened on all interfaces. On a cloud VPS with a public IP, that meant the Gateway was reachable from the entire internet. No firewall rules. No authentication. Just a running agent, waiting for commands.

Tutorials and blog posts compounded the problem. "Get OpenClaw running in 5 minutes" — and the 5-minute path skipped authentication. "Deploy OpenClaw on DigitalOcean" — the guide used a droplet with a public IP and didn't mention binding to localhost. The documentation did include security guidance, but it was easy to miss. New users, excited to try the technology, followed the shortest path. The result: exponential growth in exposed instances, tracking the exponential growth in total deployments. By February, the security researchers' scans were finding new instances faster than they could analyze them.

Risk

Unauthenticated Gateway = full agent control. Attacker can: read memory, execute skills, exfiltrate data, use agent for lateral movement. Same capabilities as the legitimate user. Catastrophic for exposed instances with sensitive data. If your agent has access to your email, calendar, or files, an attacker has that access too. The Moltbook breach showed what happens when credentials leak. Exposed instances are worse: no credentials needed. Just connect and command.

Consider the attack surface. An agent typically has access to: the user's messaging channels (Telegram, Discord, WhatsApp), file system (for reading documents, writing outputs), email (if configured), calendar (if configured), and any APIs the user has connected (CRM, project management, cloud storage). An attacker who gains control of the agent gains access to all of it. They can read the user's messages. They can exfiltrate files. They can send emails as the user. They can modify calendar events. They can use the agent to pivot into other systems — for example, using the agent's access to a cloud API to create new resources or access sensitive data. The agent is a powerful delegation of trust. In the wrong hands, it's a powerful weapon.

Real-world impact: security researchers reported instances where they could extract API keys from agent memory, access users' cloud storage, and even use agents to send phishing messages to the user's contacts. The ethical researchers disclosed responsibly; it's reasonable to assume malicious actors found the same exposure and exploited it. The Foundation's response — deprecating auth-none, requiring authentication in new releases — was necessary. But for the 135,000+ instances that were exposed, the damage may already be done. Users should assume compromise if they were running without auth. Rotate credentials. Audit access logs. Assume the worst.

The risk wasn't theoretical. Security researchers published proof-of-concept exploits. They showed how to connect to an exposed Gateway, send a message requesting memory dump, and receive the agent's full context — including everything the user had ever told it, any files it had read, any credentials stored in its memory. For an agent with access to a user's email, the attacker could ask it to "forward all emails from the last week to this address." The agent would comply. The user might never know. The exposure was a full compromise. Not a vulnerability to be patched later — an open door that had already been walked through.

Remediation

Upgrade to 2026.2.17+. Enable authentication. Bind to localhost only (127.0.0.1). Use VPN or private network. Never expose Gateway to the public internet. Run SecureClaw to verify config. If you're running Docker, ensure the Gateway port is not mapped to 0.0.0.0. Use a reverse proxy with auth (e.g., nginx + basic auth) if you must expose it. See OpenClaw security for the full hardening guide.

Step-by-step: (1) Upgrade immediately. npm update openclaw or docker pull openclaw/openclaw:2026.2.17. (2) Add authentication to your config. Token-based or API key. No more auth-none. (3) Bind the Gateway to 127.0.0.1. If you need remote access, use SSH tunneling or a VPN. Don't expose the Gateway directly. (4) If you must expose it — for example, to receive webhooks from Telegram — put it behind a reverse proxy with authentication. Nginx with basic auth, or a proper API gateway. (5) Run SecureClaw. It will flag misconfigurations. Fix everything it finds. (6) Audit your Skills. Malicious skills combined with exposed instances are a double threat. See 340 malicious skills for context.

For Docker users specifically: check your port mapping. -p 18789:18789 exposes to all interfaces. Use -p 127.0.0.1:18789:18789 to bind to localhost only. If you're on a cloud VPS, ensure your security group or firewall doesn't allow inbound connections to 18789 from the public internet. Defense in depth: even if the port is open, authentication should block unauthorized access. But the best practice is to not expose the port at all.

The remediation isn't optional. If you were running without auth, assume you were compromised. Rotate every credential the agent had access to. Check cloud access logs for unusual activity. Review agent memory for anything sensitive that might have been exfiltrated. The 135,000 number is a lower bound — it's how many the researchers found. There may have been more. The only safe assumption is that if your instance was exposed, someone found it.

Wrapping Up

The exposed instances crisis drove the Foundation to deprecate auth-none. Users must harden. The 135,000 exposed instances represent a significant security incident for the ecosystem. If you were one of them, assume compromise. If you're deploying new instances, security must be non-negotiable. See CVEs for patch status and 2026.2.17 release for the secure baseline.

PreviousThe Agentic Revolution: OpenClaw and the 2026 AI Infrastructure Pivot NextOpenClaw 2026.2.17: January CVEs Patched, Auth Required

OpenClaw 21,000 Exposed Instances: The January 2026 Security Scan

Introduction

The Scan

Growth

Risk

Remediation

Wrapping Up

Related Articles

OpenClaw CVEs 2026: CVE-2026-25253, 24763, and the January Security Crisis

Is OpenClaw Safe? Security Risks & Best Practices

OpenClaw Gateway Architecture: The Central Nervous System Explained

OpenClaw Docker Deployment: Production Setup Guide

OpenClaw SecureClaw: 55 Automated Security Checks

How to Protect OpenClaw from Prompt Injection Attacks