Amazon Web Services has made OpenClaw available as a pre-configured blueprint on Amazon Lightsail, making the viral open-source agent a one-click deployment on AWS infrastructure rather than a do-it-yourself setup on a home device.

In its announcement, the company said the Lightsail instance is “pre-configured with Amazon Bedrock as the default AI model provider” and is designed to get users from launch to a working assistant with no additional configuration beyond pairing and enabling Bedrock access.

OpenClaw describes itself as a “personal AI assistant” that can be reached through chat surfaces such as WhatsApp, Telegram, Slack, Discord and Microsoft Teams and can run tools, including shell commands, depending on how the user configures it.

The project’s GitHub repository showed about 263k stars and 50k forks as of March 5. The project has also documented its renaming history from earlier names, including Clawd and Moltbot, before settling on OpenClaw in late January.

What the blueprint changes

AWS’s Lightsail blueprint changes the operational path. In the launch post, AWS said users select “OpenClaw” as a Lightsail blueprint, choose an instance plan (AWS recommends a 4 GB memory plan), then pair a browser session using a gateway token shown in the SSH welcome message.

In the accompanying Lightsail user guide, AWS describes a “Copy the script” flow that runs in AWS CloudShell to create an IAM role and attach a policy that grants the instance access to the Bedrock API.

The same guide also notes the blueprint’s default model behavior: the Lightsail OpenClaw instance “uses Anthropic Claude Sonnet 4.6 by default” through Amazon Bedrock and may require a one-time “First Time Use” form to access Anthropic models in a given AWS account.

AWS’s own security caveats at launch

AWS described the release as a response to customer demand and acknowledged security risk in plain terms.

AWS recommends hiding the OpenClaw gateway and “never” exposing it to the open internet, rotating the gateway authentication token frequently and storing secrets in environment files instead of hardcoding them in configuration.
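Two of those recommendations can be checked mechanically on the instance. The sketch below is an added example, not code from AWS or the OpenClaw project: it flags a gateway listener bound to a non-loopback address and secret-like configuration keys that hold literal values instead of environment references. The port 8443, the configuration key names and both sample inputs are constructed assumptions.

```python
import ipaddress
import re

# Constructed `ss -ltnH` output; port 8443 is an assumed stand-in for the gateway port.
SAMPLE_SS = """\
LISTEN 0 511 127.0.0.1:8443 0.0.0.0:*
LISTEN 0 128 0.0.0.0:22 0.0.0.0:*
LISTEN 0 511 [::]:8443 [::]:*
LISTEN 0 4096 127.0.0.53%lo:53 0.0.0.0:*
"""

# Constructed config excerpt; the key names are hypothetical.
SAMPLE_CONFIG = """\
{
  "gateway_token": "3f9c0a-constructed-value",
  "model_api_key": "${MODEL_API_KEY}",
  "bind": "127.0.0.1"
}
"""

SECRET_KEY = re.compile(r"token|secret|api[_-]?key|password", re.I)
ENV_REF = re.compile(r"^\$\{?[A-Z_][A-Z0-9_]*\}?$")
KEY_VALUE = re.compile(r'\s*"?([\w.-]+)"?\s*[:=]\s*"?([^",]*)"?,?\s*$')

def exposed_listeners(ss_output, port):
    """Return local sockets listening on `port` that are not bound to loopback."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        host = host.strip("[]").split("%")[0]  # drop IPv6 brackets and %iface
        # "*" is the wildcard bind; 0.0.0.0 and :: are not loopback either.
        if host == "*" or not ipaddress.ip_address(host).is_loopback:
            exposed.append(fields[3])
    return exposed

def hardcoded_secrets(config_text):
    """Return (line_no, key) for secret-like keys holding a literal value."""
    findings = []
    for line_no, line in enumerate(config_text.splitlines(), 1):
        m = KEY_VALUE.match(line)
        if m and SECRET_KEY.search(m.group(1)):
            value = m.group(2).strip()
            if value and not ENV_REF.match(value):
                findings.append((line_no, m.group(1)))
    return findings
```

On a real host, feed `exposed_listeners` the output of `ss -ltnH` and the port the gateway is actually configured to use; a loopback-only bind still needs the instance firewall to block the port.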

AWS also said the setup script creates an IAM role and Bedrock access policy that customers can customize but warned that permission changes can break model calls.

Security context ahead of the launch

The timing intersects with a growing body of security reporting on OpenClaw gateways and extensions. The U.S. National Vulnerability Database lists CVE-2026-25253 affecting OpenClaw versions before 2026.1.29, describing a one-click attack path where a crafted URL can trigger an automatic WebSocket connection that transmits a token.

In a separate internet-scale measurement, Bitsight said it observed more than 30,000 exposed OpenClaw instances during an analysis period running from Jan. 27 to Feb. 8. Hunt.io reported identifying over 17,500 internet-exposed OpenClaw, Clawdbot and Moltbot instances vulnerable to CVE-2026-25253 and said the issue enabled unauthenticated extraction of stored API tokens via an endpoint it describes as lacking authentication checks.

Two more attack surfaces: local takeover and the skills marketplace

A second exposure class focused on local takeover rather than internet-facing deployments also surfaced in late February.

Oasis Security disclosed what it called “ClawJacked,” describing a vulnerability chain that could allow a malicious website to take control of a locally running OpenClaw gateway via localhost WebSocket behavior and weak protective controls, with a fix released by OpenClaw in late February versions.

Researchers have also targeted the agent “skills” ecosystem as a supply-chain problem. Koi Security said that as of a Feb. 16 update it had continued scanning ClawHub as the marketplace grew from 2,857 to over 10,700 skills and that its findings more than doubled from 341 to 824 malicious skills, which it tied to a campaign it named “ClawHavoc.”

Separately, Snyk reported scanning thousands of agent skills and described the ecosystem as inheriting the permissions of the agent runtime, with findings that included malicious payloads and prompt-injection exposure paths.

Where enterprise exposure is already showing up

For enterprise security teams, the most direct confirmed spillover signal in public sources has been endpoint telemetry rather than vendor marketing.

Bitdefender said its GravityZone telemetry from business environments shows employees deploying OpenClaw agents onto corporate machines using “single-line commands,” describing this pattern as “Shadow AI” because deployments occur outside formal IT governance.

Industry security guidance is also converging on agent-specific failure modes that map closely to OpenClaw’s design, particularly when the agent can browse, ingest untrusted content and invoke tools. OWASP’s Top 10 for Large Language Model Applications lists prompt injection as a top risk category and describes it as inputs that alter model behavior in unintended ways.

Separately, the Cloud Security Alliance has published guidance arguing that agentic systems strain conventional identity patterns because agents can assume delegated authority and require secure, auditable authentication and authorization approaches for non-human identities.
