I Left My AI Agents Exposed for 3 Weeks. Here's What Happened.
A freelance developer left OpenClaw AI agents exposed with no auth on a VPS for 3 weeks. Here's the damage and what he learned about managed hosting.

It was a Tuesday at 1:47am when my phone buzzed. Not a client. Not a friend. It was a billing alert from DigitalOcean telling me I'd burned through $186 in compute charges in 72 hours on a droplet that was supposed to cost me $24/month.
I sat up in bed and stared at the number. Then I SSH'd in on my phone (yes, I have Termius, judge me) and watched the CPU graph. Flat 100%. All cores. For days.
Someone was cryptomining on my server. And it was entirely my fault.
How it happened
Three weeks earlier, a client asked me to set up an OpenClaw instance for their customer service team. Small SaaS company, maybe 200 users. Standard gig for me. I spun up a 4GB droplet, pulled the Docker image, got it running in about 40 minutes.
The plan was to circle back and configure authentication the next day.
I didn't.
A new project came in. Then another. The OpenClaw instance was running fine, the client was using it, and the auth setup kept sliding down my to-do list. I told myself I'd get to it this weekend. Then next weekend. Then the weekend after that.
For 22 days, that OpenClaw instance sat on the public internet with zero authentication. No password. No API key. No firewall rules. Just an open door with a neon sign that said "come on in."
What they did
When I finally dug into the logs, the timeline was depressing. A scanner found the instance within 9 hours of it going live. By hour 14, someone had accessed the API and started poking around. By day 3, they'd deployed a Monero mining container that pegged all 4 CPUs.
But that wasn't even the worst part.
The worst part was the data. My client had been piping customer support tickets through the agent. Names, email addresses, order details, a few partial addresses. Three weeks of customer conversations, sitting there for anyone to read.
I had to call my client and explain what happened. That call lasted 43 minutes and I wanted to crawl under my desk for every single one of them.
The damage
Here's the actual bill: $186 in overage charges. 6 hours of my time investigating and cleaning up. One extremely uncomfortable conversation with a client. And about 1,100 customer interactions potentially exposed.
The client didn't sue me. They also didn't hire me again. Can't blame them.
I got lucky. Really lucky. The miners just wanted compute cycles, not data. If someone with worse intentions had found that endpoint first, I'd be writing this post from a much darker place.
This is not a rare story
Here's what shook me when I started researching after the incident: there are over 220,000 AI agent instances exposed on the public internet right now with no authentication. That number comes from security researchers scanning common ports and endpoints. Two hundred and twenty thousand.
Most of them are developers like me. People who spun something up to test it, or set it up for a quick demo, or planned to "add auth later." The gap between "I'll get to it" and "someone got in" is usually measured in hours, not weeks.
AI agent frameworks are particularly bad about this because they're designed for rapid deployment. You pull an image, run a compose file, and you've got a working agent in minutes. The docs mention authentication, sure. Usually about halfway through a setup guide that most people stop reading after the "verify it's working" step.
I know because that's exactly what I did.
What managed hosting actually fixes
After the incident, I moved my remaining client projects to RapidClaw. Not because I can't set up auth (I obviously can, when I remember to), but because the security model is fundamentally different.
On a managed platform, auth isn't a step you configure. It's baked in before your instance ever touches the internet. SSL certificates renew themselves. Firewall rules exist by default. DDoS protection through Cloudflare sits in front of everything. Your agent's API endpoint never exposes raw ports to the open internet.
Could I replicate all of that myself? Sure. I've done it dozens of times for web apps. But the difference is that a managed platform does it every time, automatically, without me having to remember. And "remembering" is the failure mode that bit me.
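One way to take the "remembering" out of a self-hosted deployment, as an added example that is not part of the original post: a check over `docker ps` output that flags every container port published on a non-loopback address. The container names, ports and the script name `check_ports.py` are constructed for illustration.

```python
import ipaddress
import re
import sys

# One published mapping from the Ports column of `docker ps`, for example
# "0.0.0.0:8080->8080/tcp", ":::8080->8080/tcp" or "[::]:8080->8080/tcp".
BINDING = re.compile(r"^(?P<host>.+):(?P<port>\d+(?:-\d+)?)->(?P<target>\S+)$")

# Constructed sample of `docker ps --format '{{.Names}}\t{{.Ports}}'` output;
# the container names and ports are hypothetical.
SAMPLE = (
    "agent\t0.0.0.0:8080->8080/tcp, :::8080->8080/tcp\n"
    "db\t127.0.0.1:5432->5432/tcp\n"
    "cache\t6379/tcp\n"
    "proxy\t0.0.0.0:443->443/tcp, [::]:443->443/tcp\n"
)


def is_loopback(host):
    """True only when the bind address is reachable from this machine alone."""
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False  # unparseable address: treat as exposed


def non_loopback_bindings(ps_output, allowed=()):
    """Return (container, host, port, target) for each publicly bound port."""
    findings = []
    for line in ps_output.splitlines():
        name, _, ports = line.partition("\t")
        if name in allowed:  # e.g. the TLS reverse proxy that enforces auth
            continue
        for entry in ports.split(","):
            m = BINDING.match(entry.strip())
            if m is None:  # "6379/tcp": exposed by the image, not published
                continue
            host = m["host"].strip("[]")
            if not is_loopback(host):
                findings.append((name, host, m["port"], m["target"]))
    return findings


if __name__ == "__main__":
    # Usage: docker ps --format '{{.Names}}\t{{.Ports}}' | python3 check_ports.py proxy
    hits = non_loopback_bindings(sys.stdin.read(), allowed=sys.argv[1:])
    for name, host, port, target in hits:
        print(f"{name}: {host}:{port} -> {target} is reachable beyond localhost")
    sys.exit(1 if hits else 0)
```

Docker publishes ports through its own iptables rules, so a host firewall front end such as ufw may not block a `0.0.0.0` binding; binding the agent to `127.0.0.1` behind an authenticating reverse proxy removes the exposure at the source.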
The backup situation is the other thing. RapidClaw runs daily backups. If I'd had that on my self-hosted instance, at least I could have told my client exactly what data was exposed and when. Instead I was guessing based on incomplete Docker logs.
The uncomfortable truth
I'm a developer. I've been doing this for 8 years. I know how to configure nginx, set up Let's Encrypt, write iptables rules. And I still left an instance wide open for 3 weeks because I was busy and distracted and it was "just a quick setup."
If it can happen to me, it can happen to anyone running their own infrastructure. The question isn't whether you know how to secure things. It's whether you'll do it every single time, on every instance, without fail, even when a client is waiting and you've got three other things due.
I couldn't answer yes to that anymore. So I stopped pretending.
A caveat
Managed hosting isn't magic. You're trusting someone else with your data, and that's a real trade-off. You lose some configurability. You're dependent on another company's uptime. For certain high-security, air-gapped use cases, self-hosting behind your own firewall is still the right call.
But for freelancers deploying client projects on VPS instances? The math isn't close. $19/month for someone else to handle security is cheaper than one phone call explaining to a client why their customer data was exposed.
I learned that the expensive way.
Frequently asked questions
How quickly can an unsecured AI agent be found by attackers?
Very quickly. In this case, a scanner found the exposed OpenClaw instance within 9 hours of it going live. By hour 14, someone had accessed the API. Automated scanners constantly probe common ports and endpoints on the public internet, so an unprotected instance is typically discovered within hours, not days.
What are the risks of self-hosting an AI agent without authentication?
The main risks are unauthorized compute usage (cryptomining is common), data exposure (any conversations or documents processed by the agent are readable), and potential legal liability if customer data is involved. In this case, 1,100 customer interactions were potentially exposed and the server racked up $186 in overage charges from unauthorized mining.
Is managed hosting more secure than self-hosting AI agents?
Managed hosting eliminates the most common self-hosting failure: forgetting to configure security. Platforms like RapidClaw include authentication, SSL certificates, firewall rules, and DDoS protection by default — before your instance ever touches the internet. Self-hosting can be equally secure if configured correctly, but the failure mode is human error, and even experienced developers skip steps when busy.