The post OpenClaw draws review amid China uptake, ClawJacked risk appeared on BitcoinEthereumNews.com. Claim status: No accountable source confirms 200k/23k figure

OpenClaw draws review amid China uptake, ClawJacked risk

Claim status: No accountable source confirms 200k/23k figure

A widely circulated statistic asserts there are over 200,000 active OpenClaw instances globally, with 23,000 in China. As of publication, no accountable, named authority has publicly verified that figure or its methodology.

Available evidence points to high online exposure but uneven counting practices. Reported totals often conflate installed copies, internet‑exposed gateways, and authenticated production deployments, which makes like‑for‑like comparisons unreliable and inflates perceived scale.

What OpenClaw is and why exposure counts matter

OpenClaw is an AI agent framework that relies on skills (plugins) and an HTTP‑accessible gateway, creating powerful automation capabilities alongside a broad external interface. Exposure counts matter because they approximate the number of reachable endpoints and, by extension, the platform’s externally accessible attack surface.

In practice, a high number of exposed endpoints increases the chance of misconfiguration, data leakage, and plugin‑driven compromise. Even when authentication is enabled, weak defaults or over‑privileged service accounts can magnify organizational risk.

According to CNCERT/CC, deploying OpenClaw without sufficient protections poses serious security risks, especially where instances are poorly configured and connected to critical infrastructure such as finance and energy. The agency advises limiting system permissions, tightening authentication, and exercising caution with external plugin components.

Exposure vs deployments: reading OpenClaw instance counts correctly

Across security reporting, metrics describe different realities: how many copies exist, how many endpoints are exposed online, and how many are actively used behind authentication. Treating these as interchangeable produces misleading narratives and policy responses.

Total deployments vs publicly exposed endpoints vs active, authenticated use

Total deployments capture installations, including lab and development copies; publicly exposed endpoints reflect gateways routable from the internet; active, authenticated use refers to production systems with enforced controls. Each bucket answers a different risk question and changes more quickly than static headlines suggest.
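To make the three buckets concrete, here is an added example (not from the original article or from OpenClaw) that de-duplicates a set of observations and counts each bucket separately. The records and field names (instance, source, internet_reachable, auth_enforced) are constructed assumptions, and "auth_enforced" only approximates the article's "active, authenticated use" since activity is not measured.

```python
from collections import Counter

# Constructed sample observations, not real scan data. Field names are
# assumptions for this example; None means the probe could not tell.
OBSERVATIONS = [
    {"instance": "a1", "source": "scan-A", "internet_reachable": True, "auth_enforced": False},
    {"instance": "a1", "source": "scan-B", "internet_reachable": True, "auth_enforced": False},
    {"instance": "b2", "source": "scan-A", "internet_reachable": True, "auth_enforced": True},
    {"instance": "b2", "source": "inventory", "internet_reachable": False, "auth_enforced": True},
    {"instance": "c3", "source": "inventory", "internet_reachable": False, "auth_enforced": False},
    {"instance": "d4", "source": "inventory", "internet_reachable": False, "auth_enforced": True},
    {"instance": "e5", "source": "scan-B", "internet_reachable": True, "auth_enforced": None},
]

def merge(observations):
    """Collapse repeated sightings of one instance into a single record."""
    merged = {}
    for obs in observations:
        rec = merged.setdefault(obs["instance"], {"reachable": False, "auth": set()})
        rec["reachable"] |= bool(obs["internet_reachable"])
        rec["auth"].add(obs["auth_enforced"])
    return merged

def auth_state(values):
    """Conservative merge: one sighting without auth outweighs sightings with it."""
    if False in values:
        return "missing"
    if True in values:
        return "enforced"
    return "unknown"

def summarize(observations):
    """Count each bucket over unique instances, next to the raw record total."""
    merged = merge(observations)
    counts = Counter(raw_records=len(observations), total_deployments=len(merged))
    for rec in merged.values():
        state = auth_state(rec["auth"])
        counts["auth_enforced"] += state == "enforced"
        if rec["reachable"]:
            counts["publicly_exposed"] += 1
            counts["exposed_auth_" + state] += 1
    return dict(counts)

if __name__ == "__main__":
    for bucket, n in summarize(OBSERVATIONS).items():
        print(f"{bucket:24} {n}")
```

On this sample the raw record total is more than double the number of publicly exposed instances, which is the kind of gap that appears when the categories are mixed.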

Editorial context: the dispute over headline totals stems from mixing these categories without a disclosed methodology. According to the National Cybersecurity Notification Center: “There are currently over 200,000 active OpenClaw instances globally, with approximately 23,000 located within China.”

ClawJacked vulnerability, Microsoft cautions, and Bitdefender skill findings

According to Security‑land, the ClawJacked flaw enables HTTP gateway authentication bypass and potential takeover; a patch is available, yet many instances reportedly remain on insecure versions. Microsoft has cautioned that OpenClaw should not run on standard personal or enterprise workstations unless properly hardened. Bitdefender has reported hundreds of malicious skills, particularly in crypto workflows, including cloned or repackaged modules that masquerade as benign.

FAQ about OpenClaw instances

How many OpenClaw instances are actually exposed online right now according to credible scans?

No authoritative, accountable count is confirmed. Public scans generally show tens of thousands of exposed endpoints, not 200k, and totals fluctuate due to duplicates, misclassification, rate limits, and downtime.

What are the most critical OpenClaw security vulnerabilities (e.g., ClawJacked) and are patches available?

ClawJacked enables gateway authentication bypass and potential takeover; a patch exists, but many deployments lag. Harden configurations, apply least privilege, and verify plugin provenance before enabling.

Source: https://coincu.com/scam-alert/openclaw-draws-review-amid-china-uptake-clawjacked-risk/
