
China banned OpenClaw for government use — should you worry too?

By Linas Valiukas · March 25, 2026

On March 11, 2026, Bloomberg reported that Chinese government agencies and state-owned banks had received notices to stop using OpenClaw on work devices. A day earlier, China's national CERT had published a security advisory calling the platform's default configuration "extremely weak." Some employees were told to uninstall it immediately. Others needed manager approval to keep it.

Two weeks later, Tencent shipped OpenClaw inside WeChat to 1.4 billion users. Local governments in Shenzhen and Wuxi started offering multimillion-yuan subsidies for companies building on it. Same country. Same month. Opposite directions.

That contradiction tells you something. The problem isn't OpenClaw as a concept. It's OpenClaw as a default-insecure, self-hosted service that people deploy without understanding what they're exposing.

What China's CERT actually said

CNCERT/CC (China's National Computer Network Emergency Response Technical Team) published their advisory on March 10. The Register got the details. Four specific threats were called out:

  1. Prompt injection. Attackers embed hidden instructions in web pages. If OpenClaw reads those pages, the instructions can trick it into leaking system keys, API tokens, or conversation history to external servers.
  2. Malicious plugins. ClawHub — OpenClaw's public skill registry — has a serious malware problem. CNCERT flagged poisoned plugins as a direct attack vector.
  3. Known vulnerabilities. The advisory cited existing CVEs that allow credential theft and full system compromise. CVE-2026-25253, the one-click RCE bug from January, was the headliner — one malicious link gives an attacker your auth token and full shell access.
  4. User error. OpenClaw running with shell access can delete files, modify configurations, and act on the host system. CNCERT thinks users will inadvertently destroy important data. Given that Meta's AI safety director had her inbox wiped by a rogue OpenClaw agent, they're not wrong.

CNCERT recommended that ordinary users install OpenClaw only on dedicated devices, virtual machines, or containers — never on everyday work computers. They also said to disable automatic updates and restrict plugin access. A second, broader advisory followed on March 23 with guidelines for cloud providers and developers too.

It wasn't just China

South Korea moved first, actually. By early February, Kakao, Naver, and Karrot Market had banned OpenClaw company-wide. Not just "discouraged" — banned, with Karrot blocking both OpenClaw and its predecessor Moltbot. The concern was the same: an AI agent with access to corporate Slack, email, and internal tools is a data exfiltration risk that their security teams couldn't monitor or control.

Then came the Western tech giants. Meta banned OpenClaw on work devices in mid-February, reportedly threatening termination for employees who installed it. Google, Microsoft, and Amazon followed. These are companies that build AI agents themselves. When they won't let their own employees run someone else's agent on corporate hardware, that says something about the security model.

The security picture that triggered all of this

To understand why governments are reacting, you need the timeline:

That's two months. From "cool open-source project" to government bans in eight weeks.

The shadow AI problem

What spooked these organizations wasn't just the CVEs. It was the discovery that employees had already installed OpenClaw without anyone knowing.

TechRepublic called it "the fastest-adopted software ever" and "a security blind spot." Reco.ai's analysis, citing Bitdefender telemetry, found employees deploying OpenClaw on corporate devices with single-line install commands: no approval process, no SOC visibility. Traditional endpoint security sees the process running but can't interpret what the agent is actually doing. Network tools see the API calls but, without a record of which processes are sanctioned to make them, can't distinguish legitimate automation from data exfiltration.

A Help Net Security survey from February put numbers to the gap: 82% of executives believe their existing policies protect against unauthorized agent actions, but only 21% have actual visibility into what their agents can access. Another survey found 56% of organizations already have real agentic AI exposure, with 23% of deployments being shadow installations IT doesn't know about.
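The visibility gap described above is closable if you already collect process and connection telemetry: the two signals worth a detection are a curl-or-wget-piped-into-a-shell install on a corporate endpoint, and outbound traffic to an LLM provider's API from a process nobody approved. The script below is an added example written for this post, not code from OpenClaw, Bitdefender, Reco.ai or any other vendor named here. It assumes JSON-lines telemetry with the fields shown (a constructed sample is embedded), a hypothetical allowlist of sanctioned LLM client processes, and a generic install one-liner; the process name `openclaw-gateway` in the sample is invented for illustration.

```python
"""Flag shadow AI-agent installs and unapproved LLM API egress in endpoint telemetry.

Added example for this post, not code from OpenClaw or any security vendor.
Assumptions (not from the post): events are JSON lines with the fields used
below; the install one-liner is a generic curl/wget piped into a shell.
"""
import json
import re

# Public API hostnames of the providers the post names.
LLM_API_HOSTS = {
    "api.openai.com",
    "api.anthropic.com",
    "generativelanguage.googleapis.com",
    "api.deepseek.com",
}

# Hypothetical allowlist: processes sanctioned to call LLM APIs from corporate hosts.
APPROVED_LLM_CLIENTS = {"approved-assistant", "ci-summarizer"}

# curl/wget output piped straight into a shell: the "single-line install" pattern.
PIPE_TO_SHELL = re.compile(r"\b(curl|wget)\b[^|]*\|\s*(sudo\s+)?(ba|z)?sh\b")


def classify(event):
    """Return a one-line finding for a single telemetry event, or None if benign."""
    kind = event.get("type")
    host = event.get("host", "?")
    if kind == "process_start":
        cmd = event.get("cmdline", "")
        if PIPE_TO_SHELL.search(cmd):
            return f"shadow-install host={host} user={event.get('user', '?')} cmd={cmd!r}"
    elif kind == "net_connect":
        dest = event.get("dest_host", "").lower()
        proc = event.get("process", "")
        # LLM API traffic is only a finding when the client is not on the allowlist.
        if dest in LLM_API_HOSTS and proc not in APPROVED_LLM_CLIENTS:
            return f"unapproved-llm-egress host={host} process={proc} dest={dest}"
    return None


def scan(lines):
    """Run classify() over JSON-lines telemetry; malformed lines are skipped, not fatal."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            event = json.loads(line)
        except json.JSONDecodeError:
            continue
        finding = classify(event)
        if finding:
            findings.append(finding)
    return findings


# Constructed sample telemetry: one shadow install, one unapproved egress,
# one approved egress, and two benign events.
SAMPLE_TELEMETRY = """
{"type":"process_start","host":"lt-042","user":"jdoe","cmdline":"curl -fsSL https://example.invalid/install.sh | bash"}
{"type":"net_connect","host":"lt-042","process":"openclaw-gateway","dest_host":"api.anthropic.com","dest_port":443}
{"type":"net_connect","host":"srv-07","process":"ci-summarizer","dest_host":"api.openai.com","dest_port":443}
{"type":"process_start","host":"lt-011","user":"asmith","cmdline":"curl -sS https://example.invalid/readme.md -o readme.md"}
{"type":"net_connect","host":"lt-011","process":"firefox","dest_host":"slack.com","dest_port":443}
"""

if __name__ == "__main__":
    for finding in scan(SAMPLE_TELEMETRY.splitlines()):
        print(finding)
```

Run against the embedded sample it reports exactly two findings: the piped install on lt-042 and the Anthropic API call from the unlisted process on the same host. The approved CI job calling OpenAI and the plain `curl -o` download are left alone, which is the point: the allowlist, not the destination, is what separates sanctioned automation from an agent somebody installed on their own.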

This is the part that applies to you even if you're not a Chinese bank. If someone on your team installed OpenClaw on their work laptop — connected it to Slack, gave it access to email, maybe pointed it at a shared drive — you'd have an AI agent with broad access to internal systems, running with whatever default configuration the installer chose. Which, based on the 40,000 exposed instances, probably means no authentication, no sandbox, and an LLM API key sitting in a plaintext config file.

Where does your data actually go?

OpenClaw is local-first. The agent itself runs on your hardware. Configuration, memory, and chat history are stored as Markdown files and SQLite databases on the host machine. That sounds private. It isn't.

Every conversation that hits the LLM gets sent to whichever API provider you configured — Anthropic, OpenAI, Google, DeepSeek. Your data leaves the machine on every single message. If you're hosting in the EU on a GDPR-compliant VPS but calling the OpenAI API, your conversation content is subject to OpenAI's data handling policies, not yours. A compliance analysis by dcode found this is the part most self-hosters miss entirely.

Then there's the exposure side. If your instance is accessible from the internet — and tens of thousands are — anyone who finds it can read your chat history, grab your API keys, and send messages as you through connected platforms. Kaspersky confirmed that researchers were able to extract Anthropic API keys, Telegram bot tokens, and months of chat logs from exposed instances. That's not a hypothetical. It's a documented finding.

The EU AI Act's general application date — August 2, 2026 — is five months away. Italy already fined OpenAI 15 million euros for GDPR violations. Regulators are not waiting for AI tools to mature before enforcing accountability. If your OpenClaw instance handles customer data or personal information, the compliance question isn't theoretical anymore.

The Tencent paradox

Here's the weird part. While the Chinese government was telling agencies to uninstall OpenClaw, Tencent integrated it directly into WeChat on March 22. It shows up as a contact called ClawBot — you message it like a friend and it handles tasks. Drafts emails, moves files, runs automations. 1.4 billion potential users, overnight.

But Tencent isn't telling people to self-host. They're running it for them. The security configuration, the infrastructure, the API key management, the updates — all handled by Tencent's engineering team. Users get the agent, not the server. That's the same model Alibaba and Baidu followed with their own agent launches the same week.

The message from China is actually quite clear once you look past the headlines: OpenClaw on your own computer with default settings is a security risk. OpenClaw managed by someone who knows what they're doing is fine.

What the enterprise security establishment is saying

It's not just government CERTs. By March 2026, every major security vendor has published their take on OpenClaw, and the consensus is remarkably uniform:

SecurityScorecard's STRIKE team scanned the internet and found 40,214 exposed instances across 28,663 unique IPs. Of those, 15,200 were directly vulnerable to remote code execution. Multiple hacking groups are now actively exploiting exposed instances to steal API keys and deploy malware.

Should you worry?

Yes — if you're self-hosting with default settings, or if anyone in your organization might be. The specific concerns that triggered China's ban apply to every OpenClaw deployment, regardless of geography:

No — if someone is handling the security for you. China didn't ban the concept of AI agents. They banned unmanaged, default-insecure installations on sensitive networks. The Korean companies didn't stop experimenting with AI agents — they stopped letting employees run unvetted ones. Tencent launched OpenClaw to a billion users the same month because they control the deployment.

What to do about it

If you're self-hosting, the minimum is documented in our posts on exposed instances and the March CVE flood. Short version: update to the latest version, enable authentication, don't expose the gateway, run in a sandbox, vet every skill you install, and accept that you're now responsible for monitoring a fast-moving security landscape. One caveat on updates: CNCERT's advice to disable automatic updates on sensitive networks only works if you replace it with a deliberate patch process, because staying on a version with a known one-click RCE is worse than any risk an unattended update carries.
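Two of the defaults this post keeps coming back to (a gateway reachable from the network, and provider keys or bot tokens sitting in plaintext config, memory or chat files) can be checked from the host in a few lines. The audit below is an added example written for this post, not an OpenClaw tool and not a substitute for the vendor's hardening guide. It assumes the listener table is `ss -ltnp` output (a constructed sample is embedded; the port and the process name `agent-gateway` are invented), that the instance's config and memory live in one directory of text files, and it matches only the providers' public key formats (OpenAI `sk-`, Anthropic `sk-ant-`, Telegram `<bot id>:<35 chars>`). The sample key material is fabricated.

```python
"""Audit a self-hosted agent box for exposed listeners and plaintext secrets.

Added example for this post, not OpenClaw's own code. Assumptions: listener
data is `ss -ltnp` text; config/memory is a directory of text files; key
formats are the providers' public prefixes. Sample data below is constructed.
"""
import os
import re
import tempfile

# Binds on these addresses accept connections from every interface, not just localhost.
WILDCARD_ADDRS = {"0.0.0.0", "*", "[::]", "::"}

SECRET_PATTERNS = {
    "anthropic_api_key": re.compile(r"sk-ant-[A-Za-z0-9_\-]{20,}"),
    # Negative lookahead so an Anthropic key is not also reported as an OpenAI key.
    "openai_api_key": re.compile(r"\bsk-(?!ant-)[A-Za-z0-9_\-]{20,}"),
    "telegram_bot_token": re.compile(r"\b\d{8,10}:[A-Za-z0-9_\-]{35}\b"),
}


def exposed_listeners(ss_output):
    """Parse `ss -ltnp` text; return (addr, port, process) for every wildcard bind."""
    exposed = []
    for line in ss_output.strip().splitlines():
        cols = line.split()
        if len(cols) < 4 or cols[0] != "LISTEN":
            continue  # header or non-listening row
        addr, port = cols[3].rsplit(":", 1)  # rsplit keeps IPv6 "[::]" intact
        match = re.search(r'\("([^"]+)"', line)
        proc = match.group(1) if match else "?"
        if addr in WILDCARD_ADDRS:
            exposed.append((addr, int(port), proc))
    return exposed


def plaintext_secrets(config_dir):
    """Walk config_dir; return sorted (relative path, secret kind) for each plaintext hit."""
    hits = []
    for root, _dirs, files in os.walk(config_dir):
        for name in files:
            path = os.path.join(root, name)
            try:
                with open(path, encoding="utf-8", errors="ignore") as fh:
                    text = fh.read()
            except OSError:
                continue
            for kind, pattern in SECRET_PATTERNS.items():
                if pattern.search(text):
                    hits.append((os.path.relpath(path, config_dir), kind))
    return sorted(hits)


# Constructed `ss -ltnp` sample: a gateway on all interfaces, a DB on localhost, sshd on v6 any.
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
LISTEN 0      4096   0.0.0.0:8080       0.0.0.0:*         users:(("agent-gateway",pid=1234,fd=22))
LISTEN 0      128    127.0.0.1:5432     0.0.0.0:*         users:(("postgres",pid=900,fd=7))
LISTEN 0      511    [::]:22            [::]:*            users:(("sshd",pid=700,fd=3))
"""


def build_sample_config(base):
    """Create a constructed config tree with fabricated secrets in three file types."""
    os.makedirs(os.path.join(base, "memory"), exist_ok=True)
    files = {
        ".env": "OPENAI_API_KEY=sk-proj-FAKE" + "0" * 34 + "\n",
        "config.json": '{"anthropic_api_key": "sk-ant-api03-FAKE' + "0" * 30 + '"}\n',
        os.path.join("memory", "notes.md"): "# Notes\nbot token 123456789:" + "FAKE0" * 7 + "\n",
    }
    for rel, content in files.items():
        with open(os.path.join(base, rel), "w", encoding="utf-8") as fh:
            fh.write(content)
    return base


def audit_sample():
    """Run both checks on the constructed data; returns (listeners, secret hits)."""
    return exposed_listeners(SAMPLE_SS), plaintext_secrets(build_sample_config(tempfile.mkdtemp()))


if __name__ == "__main__":
    listeners, secrets = audit_sample()
    for addr, port, proc in listeners:
        print(f"EXPOSED {proc} listening on {addr}:{port}")
    for rel, kind in secrets:
        print(f"PLAINTEXT {kind} in {rel}")
```

On a real box, feed `exposed_listeners()` the output of `ss -ltnp` and point `plaintext_secrets()` at the directory where the instance keeps its config, memory and chat history. Anything the first check reports that isn't sshd is a gateway you meant to keep behind a reverse proxy or VPN; anything the second reports is a key that an attacker reading the host, or the Markdown memory files, gets for free.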

Or let someone else handle it. That's what Tencent does for WeChat users. What managed hosting does for everyone else. You get the agent. Someone else gets the 3 AM security patch.

TryOpenClaw.ai runs your OpenClaw instance with auth always on, network isolation configured, skills pre-vetted, and patches applied same-day. Starts at $39/month. Less than the cost of finding out your instance was one of the 40,000.

Frequently asked questions

Why did China ban OpenClaw?

China's CNCERT cited four risks: prompt injection that can leak API keys, malicious plugins on ClawHub, known critical CVEs (especially CVE-2026-25253), and user error with shell-access agents. Government agencies and state-owned banks were told to uninstall or get approval before use. It was a security decision, not a political one — South Korean companies and Western tech giants made the same call independently.

Which countries and companies have restricted OpenClaw?

Chinese government agencies and state banks (formal notices, March 2026). South Korean companies Kakao, Naver, and Karrot Market (corporate bans, February 2026). Meta, Google, Microsoft, and Amazon (internal employee bans, February 2026). Belgium's CERT issued a "Patch Immediately" advisory in March. No country outside China has issued a formal government ban yet.

If China banned it, why did Tencent ship it in WeChat?

Because Tencent manages the deployment. The ban targeted self-hosted, default-insecure installations on government and bank computers. Tencent's WeChat integration (ClawBot) runs on Tencent's infrastructure with their security team handling configuration, updates, and access controls. The agent technology is the same; the security posture is completely different.

Is my data safe with self-hosted OpenClaw?

Agent data is stored locally, but every conversation is sent to your configured LLM provider (OpenAI, Anthropic, etc.) for processing. If your instance is exposed to the internet — and over 40,000 are — attackers can read your full chat history, extract API keys, and send messages through your connected accounts. The "local-first" label is misleading if you're calling cloud APIs on every message.

Does managed hosting fix these problems?

It handles the infrastructure security: authentication is always on, the gateway is never directly exposed, security patches are applied same-day, and skills are vetted before installation. You still send conversations to LLM providers for processing, but the attack surface — exposed ports, leaked API keys, malicious skills, unpatched CVEs — is managed for you.


Linas Valiukas

Software engineer and founder of TryOpenClaw.ai. Been writing code since age 14.
