OpenClaw, an open-source AI agent. Photo: VCG
Chinese authorities on Tuesday warned of the security risks of the open-source project OpenClaw and urged government agencies to exercise extreme caution, given its rapidly rising downloads from Chinese IP addresses and the fact that views of its Chinese-language documents have exceeded those of all other non-English languages since January.
According to a notice released Tuesday by an account affiliated with the National Administration of State Secrets Protection, OpenClaw is rapidly reshaping the boundaries of artificial intelligence (AI). Its widespread adoption has sparked global debate over privacy limits and digital risks in early 2026.
OpenClaw integrates multi-channel communication capabilities with large language models to build customized AI assistants equipped with persistent memory and proactive task execution. It can also be deployed locally in private environments. Unlike traditional conversational AI systems such as ChatGPT, OpenClaw is positioned to "get things done" rather than simply "chat." This functional orientation means it must obtain extensive system permissions in order to manipulate local files and applications.
Once granted authorization, OpenClaw can autonomously browse the Web to search for lower prices, draft and send emails, arrange calendar schedules, and even complete complex online shopping and payment processes without human intervention.
However, since OpenClaw operates with "blurred trust boundaries" during its deployment, featuring continuous operation, autonomous decision-making and the ability to access system and external resources, an expert warned that significant risks may arise in the absence of effective permission controls, auditing mechanisms and security reinforcement.
"The risks can be broadly divided into three categories. First, excessive system permissions may lead to data leaks. Second, large language model (LLM) 'hallucinations' may cause operational errors. For instance, when instructed to delete one email, the system might mistakenly delete emails from an entire day, which reflects risks associated with the broader trend toward autonomous interaction. Third, when security incidents occur, it is difficult to trace the model's decision-making process, making it hard to identify the cause and correct the problem," Li Chaozhuo, a research fellow at the School of Cyberspace Security at Beijing University of Posts and Telecommunications, told the Global Times on Tuesday.
On February 5, China's Ministry of Industry and Information Technology issued a security alert warning of risks related to OpenClaw. The alert stated that monitoring had found that certain OpenClaw deployments, under default or improper configurations, pose relatively high security risks and are highly susceptible to cyberattacks and information leakage.
Chinese government agencies and enterprises are urged to adhere to the core principle that "classified information must not be connected to the internet, and internet-connected systems must not handle classified information."
The alert therefore advised relevant units and users, when deploying and applying OpenClaw, to thoroughly examine public network exposure, permission configurations and credential management, to shut down unnecessary public access, to strengthen identity authentication, access control, data encryption, and security auditing mechanisms, and to continue following official security notices and hardening recommendations in order to guard against potential cybersecurity risks.
The risks are not merely theoretical. A Meta AI safety expert asked OpenClaw to categorize its emails to decide which to delete and which to archive. The tool reportedly lost control, ignoring the expert's three consecutive "stop" commands and deleting hundreds of messages at Meta's Superintelligence Lab when connected to a work email account.
Such risks have already triggered what observers described as "defensive shutdowns." Several major South Korean technology companies have restricted the use of OpenClaw within corporate networks due to rising concerns about security and data privacy, according to the Korea Times.
For individual users, authorities caution that OpenClaw remains at an early stage of development and is not suitable for direct use by the general public. Those who have a genuine need to use it should strictly limit the scope of sensitive information provided, supplying only the basic data necessary to complete specific tasks, and should never input core sensitive information such as bank card passwords or stock account details. Before using the application to organize files, users are advised to proactively remove personal identification numbers, private contact details and other sensitive information to avoid inadvertent disclosure, according to the notice.
"As the operating mechanisms of current models exhibit 'black box' characteristics, it is difficult to clearly define or regulate responsibility for such security vulnerabilities. However, such AI agents are likely to become increasingly prevalent. At this stage of technological development, it is therefore essential for users to strictly manage access permissions and other control settings," Li said.