The State of AI Agent Security: 97,000 Hosts, 1,190 Exposed Configs, and What We Did About It

How We Collected This Data

We used 207 Shodan queries across 10 categories -- Python frameworks, Node.js servers, WebSocket endpoints, API patterns, AI/ML infrastructure, and more -- to identify internet-facing hosts that might be running AI agent infrastructure.

Each candidate IP was then scanned using HackMyAgent's external scanner, which performs 12 active security checks: probing for MCP SSE endpoints, MCP tool listings, exposed configuration files, CLAUDE.md system instructions, API keys in HTTP responses, gateway endpoints, debug mode, and more.

Every number in this report comes from our scanner. If we couldn't confirm a vulnerability, we didn't count it.

What We Found

Across 11,100 scanned hosts, we confirmed 8,449 individual security findings.

1,190 Agent Configurations on the Open Internet

CLAUDE.md files contain system instructions for AI agents -- behavioral rules, tool access policies, persona definitions, and sometimes credentials. They are the equivalent of an application's source code and configuration combined into one file.

We found 1,190 of them accessible via HTTP GET requests on the public internet.

What an attacker learns from a CLAUDE.md file:

• What tools the agent has access to -- file system operations, database queries, API calls, code execution capabilities
• How the agent makes decisions -- authorization logic, escalation rules, content filters, guardrails (and how to bypass them)
• Internal infrastructure details -- database names, API endpoints, service dependencies, deployment architecture
• Credentials and API keys -- some CLAUDE.md files contain hardcoded secrets (we found 32 hosts leaking API keys in HTTP responses)

645 MCP Tool Definitions Exposed

The Model Context Protocol (MCP) is how AI agents connect to external tools. MCP servers expose a /tools endpoint that lists every available tool with its parameters and descriptions.

645 hosts had their MCP tool listings publicly accessible. 58 of those had no authentication at all -- meaning anyone on the internet could invoke the tools directly.

14 hosts exposed MCP SSE (Server-Sent Events) endpoints, which allow real-time bidirectional communication with the agent.

# What an attacker sees on an exposed MCP endpoint
$ curl https://target:8000/tools
{
  "tools": [
    { "name": "execute_sql", "description": "Run SQL queries..." },
    { "name": "read_file", "description": "Read any file..." },
    { "name": "run_command", "description": "Execute shell..." }
  ]
}

289 Agent Gateways Reachable from the Internet

AI agent frameworks like OpenClaw use gateway servers (typically on port 18789) to manage agent sessions, tool execution, and channel integrations. We found 289 gateway instances reachable from the public internet. 22 of those also had their WebSocket control plane (port 18790) exposed.

When we analyzed OpenClaw's gateway code, we found that the config.get API method returns the entire configuration object -- including Discord bot tokens, Slack OAuth tokens, Telegram bot tokens, and LLM provider API keys.

What We're Doing About It

Reporting vulnerabilities without contributing fixes is incomplete work. We are doing both.

Contributing Upstream: OpenClaw Skill Code Safety Scanner

OpenClaw has 145,000+ GitHub stars and a known malicious skills problem. We submitted PR #9806 -- a skill/plugin code safety scanner that detects dangerous patterns before they execute.

HackMyAgent: Scanning at Scale

The internet-wide scan data in this report was collected using HackMyAgent, our open-source security scanner for AI agents.

Recommendations

If you are running AI agents in production: