
OpenClaw Use Curbed Across Chinese State Agencies and Banks
Context and Chronology
In recent days multiple government organs and large state‑controlled firms were instructed to stop installing the generative agent OpenClaw on office machines and to remove unvetted instances from internal systems. The guidance, circulated through internal notices rather than public regulation, reached major banking groups and other strategic enterprises and prompted an immediate pause to new rollouts and vendor evaluations. Procurement and IT leads redirected resources into security triage, legal reviews and data‑flow audits, producing an uptick in forensic and compliance workstreams.
The advisory reflects both an operational security trigger and a broader procurement stance: independent researchers and vendor audits uncovered a coordinated supply‑chain poisoning campaign that inserted hundreds of malicious extensions into OpenClaw's official plugin marketplace (ClawHub), and routine scans found hundreds of internet‑reachable gateway/admin endpoints and misconfigurations exposing large numbers of secrets. Different analysis teams reported varying counts of flagged malicious skills (for example ~472 versus ~341 in sampled sets), underscoring scope and sampling differences among researchers.
Technical investigators documented exposed credentials at scale — audits flagged roughly 1.5 million API tokens and about 35,000 email addresses reachable through misconfigured backends in aggregated scans — and identified a client‑side gateway vulnerability tracked as CVE‑2026‑25253 that could be chained from a crafted webpage to full gateway authentication and arbitrary host command execution. OpenClaw maintainers have issued patches (including in release 2026.1.29) and advised immediate mitigations such as rotating keys, inventorying public endpoints, and restricting gateway access via IP filters or VPNs.
Operational teams inside banks and SOEs now run two urgent tracks: short‑term remediation to revoke and rotate exposed tokens, remove malicious plugins and apply patches, and medium‑term vendor gating to harden procurement requirements and demand third‑party attestations. Security chiefs are mandating scoped threat assessments, endpoint hygiene measures and tighter connector permissions; IT leaders are raising the bar for integration approvals, which will slow deployment of advanced automation inside regulated networks.
The advisory functions as both a direct risk response to concrete technical failures and a policy signal that allocates state demand. Domestic AI and managed‑service providers that can offer onshore hosting, auditable logs and hardened runtimes stand to gain preference in future procurements. At the same time, market participants note a separate circulating industry instruction urging Chinese entities to discontinue some security software supplied by firms headquartered in the United States and Israel — a broader set of guidance that may reflect parallel political and supply‑chain concerns rather than being limited to OpenClaw.
That apparent discrepancy — a narrowly framed advisory on OpenClaw tied to specific vulnerabilities versus wider, country‑targeted guidance on foreign security vendors — suggests parallel policy vectors: immediate technical remediation plus a longer arc of procurement localization. How strictly institutions convert internal notices into binding procurement rules will determine the scale and speed of market reallocation toward domestic vendors.
For the enterprise and investor community the implications are tangible: startups integrating agent plugins or connectors face intensified technical due diligence, higher insurance and remediation costs, and potential pauses in deal activity; system integrators and compliance firms with China‑specific certifications will see near‑term demand growth. For foreign vendors, even limited current sales can be hit by compliance burdens and reputational risk if guidance hardens into formal exclusionary procurement policies.
In short, the advisory is both a response to documented, high‑impact operational weaknesses in an extensible agent ecosystem and a reinforcing step in Beijing’s multi‑quarter posture to control which models and tools touch critical infrastructure. Monitor procurement notices, certification rollouts and patch attestations to judge whether the move remains an advisory or becomes formal procurement policy.