Internet-Wide AI Exposure Sweep: April 2026
Published on research.opena2a.org
TL;DR: Shodan indexes 321,929 AI-adjacent services as of April 10, 2026. OpenClaw gateways on port 18789 remain the dominant exposure (263,853 hosts, up 5.8% from March). This is the first sweep where we replaced port-based Ollama queries with product-based ones: 25,036 hosts actually identified as Ollama, versus 224,551 TCP-open on port 11434 last month. The port number over-counts real instances by roughly 9x. Streamlit AI apps (25,097) and MCP Streamable HTTP endpoints (1,010) enter the index as new populations. Two hosts now serve responses containing the literal string ANTHROPIC_API_KEY. Zero last month.
Methodology change since March
Last month's report used port:11434 for Ollama and port:18789 for OpenClaw, then extrapolated from a 20-host manual sample. That approach over-counts by design: most open ports on those numbers run unrelated services. This month we switched to Shodan's product: facet where available, which filters to hosts whose banners actually match the expected software.
The result is a smaller but more defensible number. The Ollama "decrease" from 224,551 to 25,036 is a measurement improvement, not a real drop.
Category Breakdown
All counts are direct Shodan index totals from the April 10, 2026 sweep. The Query column documents exactly how each number was obtained, so anyone with a Shodan account can reproduce it.
| Population | Query | Count |
|---|---|---|
| OpenClaw Clawdbot gateway | port:18789 | 263,853 |
| Clawdbot banner string | "clawdbot" | 2,733 |
| Streamlit AI apps | http.title:"Streamlit" | 25,097 |
| Ollama (product-matched) | product:"Ollama" | 25,036 |
| Jupyter Notebooks | http.title:"Jupyter Notebook" | 1,993 |
| MLflow Tracking | http.title:"MLflow" | 1,061 |
| MCP Streamable HTTP | "mcp-session-id" "application/json" | 1,010 |
| Clawdbot Alt Port | port:18790 | 274 |
| Moltbot banner string | "moltbot" | 306 |
| Gradio ML Demos | http.title:"Gradio" | 197 |
| AI Debug Endpoints | "/debug" "model" http.status:200 | 132 |
| MCP SSE Endpoints | "text/event-stream" "mcp" | 123 |
| OpenAI-Compatible APIs | "/v1/chat/completions" | 91 |
| A2A Agent Cards | "/.well-known/agent.json" | 8 |
| OpenClaw SKILL.md files | "SKILL.md" http.status:200 | 6 |
| LangServe deployments | http.title:"LangServe" | 4 |
| ANTHROPIC_API_KEY in responses | "ANTHROPIC_API_KEY" | 2 |
| CLAUDE.md Files | "CLAUDE.md" http.status:200 | 1 |
| MCP tools/list endpoints | "tools/list" "jsonrpc" | 1 |
| Total indexed | | 321,929 |
What Changed Since March
Only categories whose query was unchanged between March and April are meaningful to compare directly.
| Category | March | April | Delta | Note |
|---|---|---|---|---|
| OpenClaw port:18789 | 249,366 | 263,853 | +5.8% | Same query, real growth |
| MLflow (title) | 984 | 1,061 | +7.8% | Consistent growth |
| Gradio (title) | 233 | 197 | -15.5% | Small population, noisy |
| MCP SSE | 64 | 123 | +92% | Still tiny absolute |
| Ollama port:11434 | 224,551 | — | n/a | Query deprecated (see above) |
| Ollama product: | — | 25,036 | new | First product-matched count |
The OpenClaw gateway population continues to dwarf every other category we track and posted its largest month-over-month gain in three months (+5.8%). MLflow tracking servers grew almost as fast (+7.8%), consistent with its default-unauthenticated posture still being a common misconfiguration. Gradio contracted slightly. The Ollama number cannot be compared directly because the query methodology changed.
Geographic Distribution
Top countries by Shodan detection count across all categories in the April 10 sweep:
| Country | Detections |
|---|---|
| China | 81,700 |
| United States | 64,657 |
| Israel | 36,744 |
| Singapore | 24,201 |
| Vietnam | 14,472 |
Compared to March, China and the United States remain the two largest populations. Singapore moves into the top four on the back of one autonomous system (ACEVILLE PTE.LTD., 25,965 hosts, roughly 8% of the entire sample). Vietnam enters the top five for the first time. Israel's detection count is heavily concentrated in one ASN (Internet Rimon, 36,226 hosts).
New This Month: Streamlit and MCP Streamable HTTP
Two populations we did not measure in March are now in the sweep.
Streamlit (25,097 hosts). Streamlit is a Python framework commonly used to wrap LLMs into lightweight demo UIs. Its default configuration binds to 0.0.0.0 with no authentication and loads whatever script it is pointed at. A public Streamlit app frequently exposes a chat UI with direct API access to the underlying model. Not all 25,097 are AI-specific, but the title filter is a strong proxy.
MCP Streamable HTTP (1,010 hosts). The MCP specification gained a streamable HTTP transport in late 2025, and servers implementing it set the mcp-session-id header. This is the first month in which the query returned a meaningful count (in March it returned zero confirmed hosts; the 64 hosts listed then came from the older SSE query). MCP servers typically expose tool lists and resource catalogs; unauthenticated instances advertise their full capability surface.
ANTHROPIC_API_KEY in responses (2 hosts). Zero last month, two this month. A response body containing the literal string ANTHROPIC_API_KEY is not proof of a leaked key. It could be documentation, an error message, or a 404 with shell output. It is still worth flagging to the operators and worth watching month over month. Two is small enough that we will manually verify before escalating.
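To make the methodology change and the new-population queries concrete, here is an added example (not from the report and not HackMyAgent code) that classifies constructed Shodan-style records the way the April sweep does: by port alone, by an Ollama product signal, by the mcp-session-id header, and by whether ANTHROPIC_API_KEY appears as a bare name or as a value-shaped assignment. The sample banners, the use of Ollama's root-path reply as the product signal, and the sk-ant- key prefix are assumptions made for illustration.

```python
import re
# Constructed Shodan-style records with made-up banners; none come from the sweep.
SAMPLE_RECORDS = [
    {"port": 11434, "headers": {"Content-Type": "text/plain"},
     "body": "Ollama is running"},
    {"port": 11434, "headers": {"Server": "nginx"},
     "body": "<html>Welcome to nginx!</html>"},
    {"port": 11434, "headers": {}, "body": "SSH-2.0-OpenSSH_9.6"},
    {"port": 8080, "headers": {"Mcp-Session-Id": "7f3a",
                               "Content-Type": "application/json"},
     "body": '{"jsonrpc":"2.0","id":1,"result":{}}'},
    {"port": 443, "headers": {"Content-Type": "text/html"},
     "body": "Error: ANTHROPIC_API_KEY is not set"},
]

def is_ollama_product(rec):
    # Assumption: Ollama's root-path reply "Ollama is running" stands in for
    # Shodan's product fingerprint, which cannot be reproduced offline.
    return "Ollama is running" in rec["body"]

def is_mcp_streamable_http(rec):
    # Streamable HTTP servers set mcp-session-id and answer with JSON.
    h = {k.lower(): v for k, v in rec["headers"].items()}
    return "mcp-session-id" in h and "application/json" in h.get("content-type", "")

# Assumption: Anthropic keys begin with "sk-ant-". A value-shaped hit needs
# follow-up; a bare variable name is more likely docs or an error message.
_KEY_VALUE = re.compile(r'ANTHROPIC_API_KEY\s*[=:]\s*["\']?sk-ant-')

def anthropic_key_signal(rec):
    if _KEY_VALUE.search(rec["body"]):
        return "value_shaped"
    if "ANTHROPIC_API_KEY" in rec["body"]:
        return "name_only"
    return None

def sweep(records):
    counts = {"port_11434": 0, "ollama_product": 0, "mcp_streamable_http": 0,
              "anthropic_name_only": 0, "anthropic_value_shaped": 0}
    for rec in records:
        counts["port_11434"] += rec["port"] == 11434
        counts["ollama_product"] += is_ollama_product(rec)
        counts["mcp_streamable_http"] += is_mcp_streamable_http(rec)
        sig = anthropic_key_signal(rec)
        if sig:
            counts["anthropic_" + sig] += 1
    # Port hits divided by product hits: the over-count factor the report describes.
    counts["port_overcount_factor"] = counts["port_11434"] / max(counts["ollama_product"], 1)
    return counts
```

On the constructed sample, three hosts are open on 11434 but only one is Ollama, the same shape of over-count the April numbers show at scale.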
What This Report Is Not
This is a Shodan index analysis, not an active scan. No systems were accessed, tested, or exploited. No authentication mechanisms were bypassed. No private data was retrieved or stored. The counts reflect what Shodan's own crawlers indexed as of the sweep timestamp.
Shodan index counts are not the same as confirmed vulnerability counts. A host appearing in the OpenClaw query means Shodan saw something on port 18789. It does not mean the service is unauthenticated, that it is OpenClaw specifically, or that it is exploitable. For confirmed-exposure research we recommend either running hackmyagent scan against your own infrastructure or contacting us for a coordinated research engagement.
HMA Check Coverage
Every population in this sweep maps to a HackMyAgent detection check you can run against your own systems:
| Population | HMA Check | Severity |
|---|---|---|
| Unauthenticated Ollama | LLM-001 to LLM-004 | Critical |
| OpenClaw Gateway exposed | GATEWAY-001 to GATEWAY-008 | Critical |
| Streamlit AI app | WEBEXPOSE-004 | High |
| Jupyter no auth | AITOOL-001 | Critical |
| MLflow unauthenticated | AITOOL-003 | Critical |
| MCP Streamable HTTP | MCP-011, MCP-012 | Critical |
| CLAUDE.md exposed | WEBEXPOSE-001 | High |
| Debug endpoints exposed | WEBEXPOSE-003 | High |
Recommendations
- Do not expose Ollama, MLflow, Jupyter, or Streamlit AI apps directly to the internet. Default configurations bind to 0.0.0.0 with no authentication. If you need external access, put a reverse proxy with auth in front.
- Audit OpenClaw deployments. Port 18789 is the default control plane and its discovery surface remains the single largest exposure category we measure.
- Review MCP Streamable HTTP servers for authentication. The transport is new, and 977 public instances is a small enough population that every one matters.
- Deny access to agent config paths at the web server: /.claude/, /CLAUDE.md, /SKILL.md, /SOUL.md, /mcp.json and /.env.
- Rotate credentials any time a config file was publicly reachable. Assume compromise, not innocence.
Legal Notice: This research is based on analysis of data from the Shodan search engine, a publicly available internet index. No systems were accessed, tested, or exploited. No authentication mechanisms were bypassed. No private data was retrieved or stored. All statistics represent aggregate analysis of publicly indexed information. No specific organizations, IP addresses, or domains are identified in this report.
Responsible Disclosure: If you believe your infrastructure is reflected in these counts, audit your own systems using the open-source tools referenced here. For coordinated disclosure, contact info@opena2a.org.
About: This research is conducted by OpenA2A, an open-source AI agent security research project. Detection checks referenced in this report are available in HackMyAgent (Apache-2.0).