According to the agency, software used to run AI agents comes with extremely weak security settings by default.

“If an attacker finds an entry point, they can easily gain control of the system,” the statement said.

CNCERT/CC highlighted several major concerns:

  • Prompt injection attacks: hackers can embed hidden instructions on web pages. When an AI agent reads them, it may unintentionally expose user system keys or sensitive data.

  • Risk of incorrect actions: due to misinterpreting commands or user intent, OpenClaw may delete important files, conversations, or production databases.

  • Plugin-based infection risks: third-party extensions may steal credentials, install trojans, or create backdoors after installation.

  • Existing vulnerabilities: several medium- and high-severity flaws have already been discovered in OpenClaw. Exploiting them could allow attackers to seize control of systems and trigger large-scale data leaks.

Officials warned that ordinary users could face theft of personal information, payment accounts, or API keys. For critical industries such as finance and energy, the consequences could be significantly more severe.

Security recommendations

CNCERT/CC experts issued several recommendations for organizations and individuals installing OpenClaw:

  • Strengthen network controls: management ports should not be directly accessible from the internet. Authentication, access control, and strict runtime environment isolation are required.

  • Improve credential management: avoid storing keys in plain text and implement logging and audit systems.

  • Strict plugin control: disable automatic updates and install extensions only from trusted sources.

  • Monitor security updates regularly.

China’s OpenClaw hype

China is currently experiencing an unprecedented wave of interest in OpenClaw. Citizens are reportedly lining up to receive help installing the software. Local tech companies are competing to launch services based on the platform, while educational events promoting the technology are taking place across the country.

Journalist Afra Wang, who covers China’s AI sector, attended one such event and noted overwhelming interest in the software. Organizers had to limit attendance due to space constraints.

Major corporations are also responding quickly to the trend. Alibaba introduced CoPaw, a system for configuring AI agents that integrates with messaging platforms and third-party models. On March 13, the company also released JVS Claw, an iOS and Android app that allows users to install OpenClaw on smartphones without programming skills. Baidu launched a similar service for Android devices.

Bloomberg reported that the enthusiasm extends across multiple demographic groups—from students to retirees. The surge has sparked a wave of compatible products that could push China to the forefront of agent-based AI development.

Local governments are also providing financial incentives. In the Longgang district of Shenzhen, developers and companies are offered large subsidies to adopt AI agents. Businesses can receive up to 2 million yuan ($300,000) for developing new agent “skills,” vouchers covering 40% of deployment costs, 30% discounts on hardware, and up to 10 million yuan ($1.5 million) in investment support.

Startups are offered two months of free housing, 18 months of discounted office rent, and three months of free computing resources.

The popularity of OpenClaw has even fueled a rally in Chinese equities. Since early March, the combined market capitalization of related Chinese companies has increased by more than $100 billion, Bloomberg noted.

Restrictions for the public sector

At the same time, the rapid adoption of OpenClaw and the newly highlighted risks have prompted Chinese authorities to restrict the use of applications based on the software on work computers in state-owned enterprises and government institutions.

Bloomberg reports that government agencies and state companies have been instructed not to install OpenClaw on workplace devices for security reasons.

The restriction reportedly extends even to the families of military personnel.