#security-research#ai-agents#mcp#hackmyagent#openclaw

The State of AI Agent Security: 97,000 Hosts, 1,190 Exposed Configs, and What We Did About It

OpenA2A Team

February 5, 2026

12 min read

TL;DR: We scanned 97,013 internet-facing hosts for AI agent vulnerabilities. 14.4% had confirmed security issues. 1,190 had their system instructions (CLAUDE.md) publicly readable. 645 had MCP tool definitions exposed. 32 were leaking API keys in HTTP responses. These are not theoretical risks — they are production systems, reachable right now.

97,013

Hosts Discovered

11,100

Hosts Scanned

1,594

Confirmed Vulnerable

14.4%

Vulnerability Rate

How We Collected This Data

We used 207 Shodan queries across 10 categories — Python frameworks, Node.js servers, WebSocket endpoints, API patterns, AI/ML infrastructure, and more — to identify internet-facing hosts that might be running AI agent infrastructure.

Each candidate IP was then scanned using HackMyAgent's external scanner, which performs 12 active security checks: probing for MCP SSE endpoints, MCP tool listings, exposed configuration files, CLAUDE.md system instructions, API keys in HTTP responses, gateway endpoints, debug mode, and more.

Every number in this report comes from our scanner. If we couldn't confirm a vulnerability, we didn't count it. Our full methodology is documented at hackmyagent.com/methodology.

What We Found

Across 11,100 scanned hosts, we confirmed 8,449 individual security findings. Here is the breakdown.

Finding	Count	Severity
Outdated API Endpoints	5,042	Medium
CLAUDE.md Exposed	1,190	High
Outdated Versions	829	Medium
MCP Tools Exposed	645	Critical
Gateway Exposed	289	Critical
Debug Mode Enabled	272	Medium
Unauthenticated MCP	58	Critical
Config Files Exposed	54	Critical
API Keys in Responses	32	Critical
WebSocket Control Exposed	22	Critical
MCP SSE Exposed	14	Critical

1,190 Agent Configurations on the Open Internet

CLAUDE.md files contain system instructions for AI agents — behavioral rules, tool access policies, persona definitions, and sometimes credentials. They are the equivalent of an application's source code and configuration combined into one file.

We found 1,190 of them accessible via HTTP GET requests on the public internet.

What an attacker learns from a CLAUDE.md file:

•What tools the agent has access to — file system operations, database queries, API calls, code execution capabilities
•How the agent makes decisions — authorization logic, escalation rules, content filters, guardrails (and how to bypass them)
•Internal infrastructure details — database names, API endpoints, service dependencies, deployment architecture
•Credentials and API keys — some CLAUDE.md files contain hardcoded secrets (we found 32 hosts leaking API keys in HTTP responses)

Exposing a CLAUDE.md file is equivalent to publishing your application's security policy alongside its source code. An attacker doesn't need to probe for vulnerabilities — the instructions tell them exactly where to look.

645 MCP Tool Definitions Exposed

The Model Context Protocol (MCP) is how AI agents connect to external tools — databases, APIs, file systems, code execution environments. MCP servers expose a /tools endpoint that lists every available tool with its parameters and descriptions.

645 hosts had their MCP tool listings publicly accessible. 58 of those had no authentication at all — meaning anyone on the internet could invoke the tools directly.

14 hosts exposed MCP SSE (Server-Sent Events) endpoints, which allow real-time bidirectional communication with the agent. An attacker connected to an exposed SSE endpoint can send tool invocations and receive results as if they were a legitimate client.

# What an attacker sees on an exposed MCP endpoint

$ curl https://target:8000/tools

{

"tools": [

{ "name": "execute_sql", "description": "Run SQL queries..." },

{ "name": "read_file", "description": "Read any file..." },

{ "name": "run_command", "description": "Execute shell..." }

]

}

289 Agent Gateways Reachable from the Internet

AI agent frameworks like OpenClaw use gateway servers (typically on port 18789) to manage agent sessions, tool execution, and channel integrations. The gateway provides admin access to all conversations, configuration, and connected services.

We found 289 gateway instances reachable from the public internet. 22 of those also had their WebSocket control plane (port 18790) exposed, which provides real-time administrative access to agent sessions.

When we analyzed OpenClaw's gateway code, we found that the config.get API method returns the entire configuration object — including Discord bot tokens, Slack OAuth tokens, Telegram bot tokens, and LLM provider API keys. If the gateway has no authentication configured (or uses the dangerouslyDisableDeviceAuth flag), this data is accessible to anyone who connects.

What We're Doing About It

Reporting vulnerabilities without contributing fixes is incomplete work. We are doing both.

Contributing Upstream: OpenClaw Skill Code Safety Scanner

OpenClaw has 145,000+ GitHub stars and a known malicious skills problem — 341 malicious skills were identified in the ClawHavoc campaign . The framework had no code-level security scanning for plugins before installation or during security audits.

We submitted PR #9806 — a skill/plugin code safety scanner that detects dangerous patterns before they execute:

dangerous-exec—child_process.exec/spawn command injection
dynamic-code-execution—eval() and new Function()
potential-exfiltration—file read + outbound HTTP
env-harvesting—process.env access + network send
obfuscated-code—hex-encoded strings, large base64 payloads
crypto-mining—stratum protocol indicators
suspicious-network—WebSocket to non-standard ports

The scanner integrates into two places: openclaw security audit --deep (reports findings with severity levels) and the plugin installer (warns users before installation, but does not block — users retain control). Zero new dependencies. 19 tests. Runs against the plugin author's code, not transitive dependencies.

# What the scanner catches in production

$ openclaw security audit --deep

CRITICAL

plugins.code_safety Plugin "evil-plugin" contains dangerous code patterns

Found 1 critical issue(s) in 1 scanned file(s):

- Shell command execution detected (child_process) (index.js:2)

Fix: Review the plugin source code carefully before use.

HackMyAgent: Scanning at Scale

The internet-wide scan data in this report was collected using HackMyAgent, our open-source security scanner for AI agents. HackMyAgent operates in two modes:

Secure Mode

Static analysis of agent codebases. 100+ checks across credentials, network config, MCP servers, plugins, and more.

npx hackmyagent secure ./my-agent

Attack Mode

55 adversarial payloads across prompt injection, jailbreaking, data exfiltration, capability abuse, and context manipulation.

npx hackmyagent attack http://agent/v1

The external scanner (used for the internet-wide data in this report) performs port scanning and HTTP probing to detect exposed MCP endpoints, configuration files, CLAUDE.md instructions, API keys, gateway interfaces, and other indicators of misconfigured AI agent infrastructure.

Recommendations

If you are running AI agents in production:

Audit your network exposure

Run `hackmyagent scan your-domain.com` to check what's reachable from the internet. Gateway ports (18789, 18790) and MCP endpoints should not be publicly accessible.

Protect CLAUDE.md and config files

Configure your web server to deny access to /.claude/, /CLAUDE.md, /mcp.json, /.env, and other configuration paths. These should never be served over HTTP.

Authenticate MCP endpoints

Every MCP server should require authentication. An exposed /tools endpoint is an invitation to enumerate and invoke your agent's capabilities.

Scan plugins before installing

Use static analysis to detect dangerous patterns in plugin code before execution. Our OpenClaw PR adds this capability natively — if you use another framework, `hackmyagent secure` performs equivalent checks.

Don't use dangerous config flags in production

Flags like `dangerouslyDisableDeviceAuth` and `allowInsecureAuth` exist for local development. They should never be enabled on internet-facing deployments.

Rotate exposed credentials immediately

If your CLAUDE.md or config files were publicly accessible, assume any credentials in them are compromised. Rotate API keys, bot tokens, and database passwords.

What's Next

We will continue scanning and publishing updated numbers. The scan data on hackmyagent.com is updated as we run new scans. We plan to:

•Expand scanning coverage to additional agent frameworks and deployment patterns
•Publish the OASB-1 (Open Agent Security Benchmark) for standardized agent security assessment
•Continue contributing security improvements upstream to open-source agent projects
•Provide responsible disclosure for critical findings to affected organizations

If you find a vulnerability in AI agent infrastructure, we encourage you to report it. If you want to run these scans yourself, HackMyAgent is open source.

Check your infrastructure

# Scan your agent codebase

npx hackmyagent secure ./my-agent-project

# Test your agent with adversarial payloads

npx hackmyagent attack http://localhost:3000/v1/chat/completions

# Scan external infrastructure

npx hackmyagent scan your-domain.com

GitHub Full Methodology OpenClaw PR #9806

Disclosure: This research was conducted using publicly accessible services only. No authentication was bypassed, no private data was accessed, and no vulnerabilities were exploited. IP addresses are anonymized in public reporting. Our scanning methodology follows responsible security research practices.

About OpenA2A: OpenA2A builds open-source security tools for AI agents. Our projects include HackMyAgent (security scanner), AIM (agent identity management), and the OpenA2A Registry (agent trust and verification).