The State of AI Agent Security: 97,000 Hosts, 1,190 Exposed Configs, and What We Did About It
Originally published on opena2a.org
TL;DR: We scanned 97,013 internet-facing hosts for AI agent vulnerabilities. 14.4% had confirmed security issues. 1,190 had their system instructions (CLAUDE.md) publicly readable. 645 had MCP tool definitions exposed. 32 were leaking API keys in HTTP responses. These are not theoretical risks — they are production systems, reachable right now.
How We Collected This Data
We used 207 Shodan queries across 10 categories — Python frameworks, Node.js servers, WebSocket endpoints, API patterns, AI/ML infrastructure, and more — to identify internet-facing hosts that might be running AI agent infrastructure.
Each candidate IP was then scanned using HackMyAgent's external scanner, which performs 12 active security checks: probing for MCP SSE endpoints, MCP tool listings, exposed configuration files, CLAUDE.md system instructions, API keys in HTTP responses, gateway endpoints, debug mode, and more.
Every number in this report comes from our scanner. If we couldn't confirm a vulnerability, we didn't count it. Our full methodology is documented at hackmyagent.com/methodology.
What We Found
Across 11,100 scanned hosts, we confirmed 8,449 individual security findings.
| Finding | Count | Severity |
|---|---|---|
| Outdated API Endpoints | 5,042 | Medium |
| CLAUDE.md Exposed | 1,190 | High |
| Outdated Versions | 829 | Medium |
| MCP Tools Exposed | 645 | Critical |
| Gateway Exposed | 289 | Critical |
| Debug Mode Enabled | 272 | Medium |
| Unauthenticated MCP | 58 | Critical |
| Config Files Exposed | 54 | Critical |
| API Keys in Responses | 32 | Critical |
| WebSocket Control Exposed | 22 | Critical |
| MCP SSE Exposed | 14 | Critical |
1,190 Agent Configurations on the Open Internet
CLAUDE.md files contain system instructions for AI agents — behavioral rules, tool access policies, persona definitions, and sometimes credentials. They are the equivalent of an application's source code and configuration combined into one file.
We found 1,190 of them accessible via HTTP GET requests on the public internet. What an attacker learns from a CLAUDE.md file:
- What tools the agent has access to — file system operations, database queries, API calls, code execution
- How the agent makes decisions — authorization logic, escalation rules, guardrails (and how to bypass them)
- Internal infrastructure details — database names, API endpoints, service dependencies
- Credentials and API keys — some CLAUDE.md files contain hardcoded secrets
645 MCP Tool Definitions Exposed
The Model Context Protocol (MCP) is how AI agents connect to external tools. MCP servers expose a /tools endpoint that lists every available tool with its parameters.
645 hosts had their MCP tool listings publicly accessible. 58 of those had no authentication at all — meaning anyone on the internet could invoke the tools directly.
14 hosts exposed MCP SSE (Server-Sent Events) endpoints, which allow real-time bidirectional communication with the agent. An attacker connected to an exposed SSE endpoint can send tool invocations and receive results as if they were a legitimate client.
289 Agent Gateways Reachable from the Internet
AI agent frameworks like OpenClaw use gateway servers (typically on port 18789) to manage agent sessions, tool execution, and channel integrations. The gateway provides admin access to all conversations, configuration, and connected services.
We found 289 gateway instances reachable from the public internet. 22 of those also had their WebSocket control plane (port 18790) exposed, which provides real-time administrative access to agent sessions.
When we analyzed OpenClaw's gateway code, we found that the config.get API method returns the entire configuration object — including Discord bot tokens, Slack OAuth tokens, Telegram bot tokens, and LLM provider API keys. If the gateway has no authentication configured (or uses the dangerouslyDisableDeviceAuth flag), this data is accessible to anyone who connects.
What We're Doing About It
Reporting vulnerabilities without contributing fixes is incomplete work. We are doing both.
Contributing Upstream: OpenClaw Skill Code Safety Scanner
We submitted PR #9806 — a skill/plugin code safety scanner that detects dangerous patterns before they execute:
- dangerous-exec— child_process.exec/spawn command injection
- dynamic-code-execution— eval() and new Function()
- potential-exfiltration— file read + outbound HTTP
- env-harvesting— process.env access + network send
- obfuscated-code— hex-encoded strings, large base64 payloads
- crypto-mining— stratum protocol indicators
- suspicious-network— WebSocket to non-standard ports
HackMyAgent: Scanning at Scale
The internet-wide scan data in this report was collected using HackMyAgent. Try it yourself:
Recommendations
If you are running AI agents in production:
- Audit your network exposure. Run
hackmyagent scan your-domain.comto check what's reachable from the internet. - Protect CLAUDE.md and config files. Configure your web server to deny access to /.claude/, /CLAUDE.md, /mcp.json, /.env.
- Authenticate MCP endpoints. Every MCP server should require authentication. An exposed /tools endpoint is an invitation to invoke your agent's capabilities.
- Scan plugins before installing. Use static analysis to detect dangerous patterns in plugin code before execution.
- Don't use dangerous config flags in production. Flags like
dangerouslyDisableDeviceAuthexist for local development only. - Rotate exposed credentials immediately. If your config files were publicly accessible, assume any credentials in them are compromised.
Disclosure: This research was conducted using publicly accessible services only. No authentication was bypassed, no private data was accessed, and no vulnerabilities were exploited.
About OpenA2A: OpenA2A builds open-source security tools for AI agents. Our projects include HackMyAgent (security scanner), AIM (agent identity management), and the OpenA2A Registry (agent trust and verification).