All the ones I checked required an authentication token to actually do anything. Which makes me feel a bit better about this site.

Is it typical or even possible to configure OpenClaw in another way? Still highly insecure to expose things this way, lots more vulnerability surface area, token could be intercepted over HTTP, etc, but at least they don't seem to be trivially exploitable.