Beijing, Feb 5, 2026, 21:25 (GMT+8)
- China’s industry ministry warned OpenClaw deployments can expose users to hacks and data leaks if left poorly secured
- The notice stops short of a ban but urges audits, access controls and identity checks
- The alert lands as Chinese cloud firms and developers race to host and plug the agent into workplace tools
China’s Ministry of Industry and Information Technology on Thursday warned that the fast-spreading OpenClaw open-source AI agent can create “significant security risks” when it is poorly configured, leaving users open to cyberattacks and data breaches. The ministry did not ban the tool, but urged organisations to audit public network exposure and tighten identity authentication and access controls. OpenClaw, first released in November, has surged online, and Chinese cloud providers including Alibaba’s Alicloud, Tencent Cloud and Baidu have rolled out services to run it remotely, rather than on a personal device. (Reuters)
The warning is one of the clearest public signals yet that Chinese regulators are watching high-privilege “agent” software as it moves from demos to day-to-day use. OpenClaw’s appeal is that it can carry out tasks on a user’s behalf — but that also means mistakes, sloppy setups or malicious add-ons can turn into real-world breaches.
An AI agent is software designed to take actions, not just answer questions. In plain terms, it is a helper that may read files, click through websites, run commands and log into accounts if a user grants it those permissions. That power is the feature. It is also the risk.
Chinese tech companies have been moving quickly to make OpenClaw easier to deploy. Tencent, Alibaba and ByteDance’s Volcano Engine have begun integrating it into cloud and workplace ecosystems, linking it to tools such as DingTalk and WeCom, Business Insider reported. In guidance aimed at developers, Volcano Engine cautioned that because the tool can have broad “account and network access permissions,” it should be run in a dedicated environment with access restrictions and regular permission reviews. (Business Insider)
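As an added illustration of the ministry's advice to audit public network exposure and Volcano Engine's call for access restrictions (this is example code, not from the article or from OpenClaw's own tooling), the script below parses `ss -lntp` output and flags any listener bound to a non-loopback address. The sample output, process names and port numbers are constructed placeholders, not OpenClaw's real defaults.

```python
import ipaddress
import re
from dataclasses import dataclass

# Constructed sample of `ss -lntp` output. Process names and ports are
# placeholders chosen for the example, not OpenClaw's actual services.
SAMPLE_SS_OUTPUT = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port Process
LISTEN 0      128    127.0.0.1:18789     0.0.0.0:*    users:(("agent-gateway",pid=1234,fd=20))
LISTEN 0      128    0.0.0.0:3000        0.0.0.0:*    users:(("agent-web",pid=1240,fd=21))
LISTEN 0      128    [::]:22             [::]:*       users:(("sshd",pid=700,fd=3))
LISTEN 0      128    [::1]:5432          [::]:*       users:(("postgres",pid=900,fd=6))
LISTEN 0      128    *:8080              *:*          users:(("agent-admin",pid=1300,fd=5))
"""

@dataclass
class Listener:
    process: str
    address: str
    port: int

def parse_ss(text):
    """Turn `ss -lntp` text into Listener records (header line is skipped)."""
    listeners = []
    for line in text.splitlines()[1:]:
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue
        # rpartition keeps IPv6 forms like [::]:22 intact; brackets are stripped after.
        addr, _, port = fields[3].rpartition(":")
        addr = addr.strip("[]")
        match = re.search(r'\("([^"]+)"', line)
        listeners.append(Listener(match.group(1) if match else "?", addr, int(port)))
    return listeners

def is_public_bind(addr):
    """True when the socket is reachable beyond localhost (wildcard or non-loopback IP)."""
    if addr in ("*", ""):
        return True
    return not ipaddress.ip_address(addr).is_loopback

def exposed_listeners(text):
    """Listeners an auditor should review: anything not bound to a loopback address."""
    return [l for l in parse_ss(text) if is_public_bind(l.address)]

if __name__ == "__main__":
    for l in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"REVIEW: {l.process} listening on {l.address}:{l.port} (not loopback-only)")
```

On a real host, feed it `subprocess.run(["ss", "-lntp"], capture_output=True, text=True).stdout` instead of the constructed sample; loopback-only services still need authentication if a reverse proxy or tunnel fronts them.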
Security specialists have warned that agents with broad access can be manipulated through “prompt injection” — hidden or crafted instructions that trick a model into taking actions a user did not intend, such as leaking data or posting content. The danger is amplified when an agent is plugged into email, chat, browsers and cloud dashboards.
In recent days, researchers have also flagged malware-laced “skills” — add-ons that extend OpenClaw — circulating in its ClawHub marketplace. Jason Meller, a product vice president at 1Password, described the hub as “an attack surface,” warning that the top download could become a “malware delivery vehicle,” The Verge reported. (The Verge)
The Verge said security trackers found waves of malicious skills masquerading as crypto or productivity tools, designed to push information-stealing malware and grab secrets such as API keys and passwords. OpenClaw’s creator, Peter Steinberger, has added friction for uploaders and reporting tools, but researchers said the marketplace model leaves room for bad code to slip through.
The ministry’s note also follows a separate jolt to the agent hype cycle: cybersecurity firm Wiz said a new Reddit-like site called Moltbook, pitched as a social network for OpenClaw bots, exposed private messages and user data before it was fixed. Wiz cofounder Ami Luttwak said fast “vibe coding” — using AI to help assemble software — often leads people to “forget the basics of security,” Reuters reported. (Reuters)
There are still big unknowns. The ministry’s warning is not a prohibition, and OpenClaw’s open-source community can patch holes quickly. But it could chill adoption inside companies that handle sensitive data, and it raises the prospect of tighter rules if breaches keep piling up.
For China’s cloud firms, the moment is awkward: hosting OpenClaw is a way to pull in developers and sell compute, while also concentrating risk if insecure deployments become common. For users, the calculus is simpler and messier — a tool that can do more can also break more.