China’s Government Warned About OpenClaw — Here’s What They Found and Why It Matters

On February 5, 2026, China’s Ministry of Industry and Information Technology (MIIT) did something unusual: it issued a formal security alert about an open-source AI tool that Chinese cloud providers were actively selling hosting packages for. The warning, published through China’s National Vulnerability Database (NVDB) and picked up by Reuters, called out OpenClaw deployments with default or improper configurations as carrying “high security risks.” This post unpacks what the MIIT found, why it matters beyond China, and what specific actions you should take.

What the MIIT actually said

The MIIT alert wasn’t vague. The NVDB’s published language identified specific risk categories:

Trust boundary failures. The advisory specifically called out “unclear trust boundaries during deployment” as a root cause. In practical terms, this means OpenClaw’s default configuration doesn’t clearly separate what the agent can access from what it should be prevented from touching. When you install OpenClaw and connect it to your messaging apps, email, and files, the agent inherits broad access by default. There’s no built-in mechanism that says “you can read these files but not those.”

Autonomous decision-making risk. The NVDB flagged “continuous operation, autonomous decision-making, and access to system and external resources” as creating exposure to “prompt-induced misuse, configuration flaws, or hostile takeovers.” This is a precise description of the threat model that Palo Alto Networks later formalized as the “lethal trifecta” — read access, network access, and ability to act.

Specific recommended actions. The ministry urged organizations and users to:

1. Review public network exposure — check whether your OpenClaw instance is accessible from the internet
2. Audit permission settings and credential management — verify what the agent can access
3. Close unnecessary public access — lock down any exposed control interfaces
4. Strengthen identity authentication, access control, data encryption, and security auditing

The warning doesn’t constitute a ban. But from a government that rarely issues public software-specific security alerts, it carried significant weight.

Why China specifically matters

China’s warning is particularly significant because of two factors that most English-language coverage overlooked.

China is one of the largest OpenClaw deployment markets. Alibaba Cloud, Tencent Cloud, and Baidu all launched dedicated OpenClaw hosting services, allowing users to rent servers optimized for running OpenClaw remotely. These aren’t unofficial workarounds — they’re productized offerings with dedicated deployment guides.

When SecurityScorecard mapped the geographic distribution of exposed OpenClaw instances, China (along with the US and Singapore) accounted for a significant share. Censys’s analysis noted that at least 30% of identified instances appeared to be running on Alibaba Cloud infrastructure alone.

The government was warning about a product its own cloud ecosystem was selling. This is the equivalent of the USDA issuing a food safety warning about a product that Amazon, Walmart, and Costco are all stocking. The commercial incentive runs one direction; the security reality runs the other. That the MIIT issued the warning anyway suggests the security findings were significant enough to override commercial considerations.

What the data actually shows

The MIIT warning wasn’t published in isolation. It was grounded in findings that multiple security firms had independently verified:

135,000+ exposed instances on the public internet. SecurityScorecard’s analysis (updated March 1, 2026) found that OpenClaw instances bound to 0.0.0.0:18789 — meaning they accept connections from any IP address, not just the local machine — were visible across the public internet. Of these, 63% were classified as vulnerable, and 12,812 were directly exploitable via remote code execution.

For context: binding to 0.0.0.0 instead of 127.0.0.1 is often unintentional. Users follow quick-start guides, get the agent running, and don’t realize they’ve exposed a control interface to the entire internet. The SecurityScorecard findings also correlated 549 exposed instances with prior breach activity and 1,493 with known vulnerabilities.

9 CVEs disclosed across multiple rounds. The original three (January 29) included CVE-2026-25253, the one-click RCE that allows any website to hijack an OpenClaw agent via WebSocket brute-force. Six additional CVEs from Endor Labs (February 18) expanded the vulnerability surface. Three have public exploit code.

1,184+ malicious skills on ClawHub. Antiy CERT — a Chinese cybersecurity organization — expanded on Koi Security’s original audit and identified 1,184 malicious packages tied to 12 publisher accounts. One account alone pushed 677 packages. The campaign, tracked as ClawHavoc and classified as Trojan/OpenClaw.PolySkill, delivered credential stealers targeting browser passwords, cryptocurrency wallets, SSH keys, and OpenClaw’s own API keys.

The Antiy CERT findings are particularly relevant here: a Chinese security research organization independently confirmed and expanded the threat data that informed the MIIT’s warning.

The Alibaba Cloud problem

One detail that deserves its own section: a significant portion of exposed instances are running on Chinese cloud infrastructure.

Censys noted that at least 30% of observed instances appeared to be on Alibaba Cloud. This creates a specific risk pattern: users who rent a cloud server to run OpenClaw often configure it for remote access (so they can reach it from their phone or laptop), which means binding to a public interface. The cloud provider gives them a public IP by default. The user follows a setup guide, opens the port, and has a working OpenClaw instance — that’s also accessible to anyone who scans that IP range.

Chinese cloud providers launched their OpenClaw hosting services in response to genuine user demand. But the deployment guides didn’t always emphasize security hardening. The gap between “it works” and “it’s secure” is where the MIIT warning lives.

Antiy CERT’s expanded analysis

Antiy CERT’s work deserves detailed attention because it represents the most comprehensive malicious skill analysis published to date.

Starting from Koi Security’s initial finding of 341 malicious skills, Antiy CERT expanded the analysis and identified:

• 1,184 total malicious packages (up from the initial 341)
• 12 publisher accounts responsible for the campaign
• One account (moonshine-100rze) pushed 677 packages and accumulated 14,285+ downloads before takedown
• 16 targeting categories including cryptocurrency tools, trading bots, YouTube utilities, ClawHub CLI typosquats, and — ironically — fake security scanners

The campaign used a three-stage architecture: legitimate-looking SKILL.md files, ClickFix social engineering (fake “prerequisite” downloads), and AMOS stealer delivery for macOS / keylogger delivery for Windows.

For the full technical breakdown, see our ClawHavoc Campaign Analysis. The key point for this context: this is the threat data that Chinese security researchers independently verified and that informed the government’s warning.

What this means outside China

If you’re reading this from the US, Europe, or anywhere else, you might wonder why a Chinese government warning matters to you. Three reasons:

First, the technical findings are universal. The MIIT didn’t identify China-specific vulnerabilities. They identified architectural weaknesses in OpenClaw’s default configuration that apply to every deployment worldwide. Your instance in Virginia has the same trust boundary problems as an instance in Shanghai.

Second, China’s warning was part of a coordinated global response. Belgium’s Centre for Cybersecurity issued an emergency advisory on February 2. The MIIT warning came February 5. South Korea’s major tech companies banned OpenClaw February 8–9. Gartner published their “block it immediately” research note. Meta prohibited it on all work devices. When security establishments on three continents independently reach the same conclusion within the same week, the signal is strong.

Third, the supply chain threat is global. The malicious skills on ClawHub don’t target users by geography. If you install solana-wallet-tracker or clawhubcli from ClawHub, you get the same AMOS stealer payload regardless of where you’re located. The 1,184+ malicious skills are an equal-opportunity threat.

What to do about it

The MIIT’s recommendations are a good starting framework, translated into specific commands:

Review public network exposure

netstat -an | grep 18789
# If you see 0.0.0.0:18789, you're exposed
# Fix: openclaw config set gateway.bind "loopback"

Audit permission settings

grep -A 20 '"permissions"' ~/.openclaw/openclaw.json
# Each agent should have explicit deny rules for sensitive directories
# See the "lethal trifecta" framework in our 40% Gap post

Credential management

ls -la ~/.openclaw/credentials/
# All files should show -rw------- (600)
# Fix: chmod 600 ~/.openclaw/credentials/*

Strengthen authentication

openclaw --version
# Must show 2026.2.25 or later for gateway auth enforcement
# If behind: openclaw update

For the complete checklist, see our OpenClaw Hardening Checklist — 11 items with exact commands and pass/fail criteria.

For the deeper audit that covers what the built-in tools miss — multi-directory skill scanning, identity file integrity, MCP server auditing, persistence detection, and the complete 1,184-skill IOC database — the Security Blueprint ($97) packages everything into scripts and configs that work across all four deployment types.