China's national cybersecurity authority has warned of security risks in the OpenClaw AI agent software, which could allow attackers to gain full control of users' computer systems. The software has seen rapid growth in downloads and usage, with major domestic cloud platforms offering one-click deployment services, but its default security configuration is weak.
OpenClaw is an AI agent software designed to execute computer tasks directly through natural language instructions, also known as Clawdbot or Moltbot. Developed by Austrian programmer Peter Steinberger, the software has quickly gained popularity on GitHub, with users nicknaming it 'lobster'. It is built to perform real-world operations, such as organizing desktops and processing data, but requires high system permissions, including access to local files, environment variables, and external APIs.
China's National Computer Network Emergency Response Technical Team/Coordination Center (CNCERT) posted a notice on its official social media account, highlighting that OpenClaw's default security configuration is weak, making affected systems vulnerable to exploitation. Key risks include attackers embedding hidden malicious instructions in web pages to trick the AI agent into revealing sensitive information, such as system keys; the software potentially misinterpreting user commands and accidentally deleting important data, including emails or core operational information; and some plugins identified as malicious, which could steal encryption keys, install malware, or turn compromised devices into cyberattack tools.
The Ministry of Industry and Information Technology (MIIT)-run National Vulnerability Database (NVDB) issued six 'dos' and six 'don'ts' for OpenClaw users. Developed in collaboration with AI agent providers, vulnerability platform operators, and cybersecurity firms, the guidelines address risks in typical use cases. Dos include using the official latest version, minimizing internet exposure, granting only minimum necessary permissions, exercising caution with the third-party skill market, guarding against browser hijacking, and regularly checking for patch vulnerabilities. Don'ts include using outdated or third-party mirror versions, exposing AI agent instances to the internet, enabling administrator accounts during deployment, installing skill packs that require entering passwords, browsing unverified websites, and disabling detailed log auditing functions.
The NVDB also provided instructions on restricting internet access, scanning files, and uninstalling the software. Several medium- and high-severity vulnerabilities have been publicly disclosed in OpenClaw, which, if exploited, could lead to system compromise and theft of sensitive data, including personal files, payment information, and API keys. The software's rapid adoption signals AI's shift from conversation to action, but experts stress starting with limited permissions and gradually expanding access to balance convenience with security.
(Word count: 248)
