When 3 Governments, Gartner, and Big Tech All Warn About the Same AI Tool
It’s rare for a single piece of software to trigger formal security warnings from three governments, a “block it immediately” advisory from Gartner, corporate bans at Meta and three of South Korea’s largest tech companies, and public advisories from Cisco, CrowdStrike, and Palo Alto Networks — all within the same month. OpenClaw managed it in under three weeks. This post documents what each entity said, what they found, and what it means if you’re still running OpenClaw without hardening.
The timeline
Before we break down each warning, here’s the sequence. Notice how fast this moved:
- January 25: Argus Security Platform files the first comprehensive audit — 512 vulnerabilities, 8 critical
- January 27: Koi Security audits all 2,857 ClawHub skills, finds 341 malicious (ClawHavoc campaign)
- January 29: CVE-2026-25253 (ClawJacked) disclosed — one-click RCE via WebSocket hijacking. Patched in v2026.1.29
- January 30: Censys identifies 21,639 exposed instances on the public internet
- February 2: Belgium’s Centre for Cybersecurity publishes emergency advisory
- February 4: Gartner publishes formal research note — “insecure by default,” recommends enterprises block immediately
- February 5: China’s Ministry of Industry and Information Technology (MIIT) issues formal security alert via National Vulnerability Database (NVDB)
- February 5: Security Boulevard publishes Cisco’s assessment: “absolute nightmare”
- February 8–9: South Korea’s Kakao, Naver, and Karrot Market ban OpenClaw on all corporate networks and work devices
- February 9: SecurityScorecard identifies 135,000+ exposed instances — 63% vulnerable, 12,812 exploitable via RCE
- February 10: Meta issues internal directive prohibiting OpenClaw on all work devices
- February 15: Antiy CERT expands ClawHavoc analysis to 1,184+ malicious skills across 12 publisher accounts
- February 18: Endor Labs discloses 6 additional CVEs, bringing total to 9
- February 23: TechCrunch covers Meta AI researcher whose OpenClaw agent deleted her entire email inbox
- March 1: SecurityScorecard confirms 135,000+ exposed instances. Antiy CERT confirms 1,184+ malicious skills
That’s not a slow-rolling concern. That’s a synchronized alarm across every layer of the security establishment.
What Belgium said
Belgium’s Centre for Cybersecurity was the first government entity to issue a formal advisory, on February 2, 2026.
Their warning was direct: OpenClaw deployments under default configurations create unacceptable exposure for organizations handling sensitive data. The advisory specifically flagged:
- Default gateway configurations that expose control interfaces to the public internet
- Lack of authentication enforcement out of the box
- The expanding ClawHub skill marketplace as an unmonitored supply chain vector
- Insufficient isolation between the AI agent and the host system’s sensitive data
Belgium has one of the more active cybersecurity centers in Europe, and their early advisory set the tone for what followed.
What China said
On February 5, 2026, China’s Ministry of Industry and Information Technology (MIIT), through its National Vulnerability Database (NVDB), issued a formal security alert that was picked up by Reuters and published internationally.
The MIIT warning was notable for its specificity. Key language from the advisory:
The NVDB stated that “unclear trust boundaries during deployment, combined with continuous operation, autonomous decision-making, and access to system and external resources, could expose instances to prompt-induced misuse, configuration flaws, or hostile takeovers.”
The ministry specifically warned that such scenarios could lead to unauthorized actions, data leakage, and system compromise if access controls, auditing, and security hardening are insufficient.
This matters because China is also one of the largest OpenClaw deployment markets. Alibaba Cloud, Tencent Cloud, and Baidu had already launched OpenClaw hosting services, allowing users to rent servers to run OpenClaw remotely. The Chinese government was warning about a product that its own cloud providers were actively selling.
The MIIT urged organizations and users to:
- Review public network exposure
- Audit permission settings and credential management
- Close unnecessary public access
- Strengthen identity authentication, access control, data encryption, and security auditing
SecurityScorecard’s analysis confirmed that China hosts a significant share of exposed instances, along with the US and Singapore.
What South Korea did
South Korea didn’t just warn — they acted. On February 8–9, 2026, three of the country’s largest technology companies simultaneously restricted OpenClaw.
Kakao issued an internal notice stating: employees are restricted from using OpenClaw on the corporate network and on work devices, citing protection of the company’s information assets.
Naver issued a similar internal ban.
Karrot Market (Danggeun) blocked access entirely, citing risks beyond the company’s control.
According to Korea Bizwire, this marked “the first coordinated domestic pushback against a specific AI tool since early 2025, when several public institutions and corporations restricted the Chinese AI model DeepSeek over data security concerns.”
The Korean bans were driven by practical concerns: OpenClaw requires deep system access to function, and Korean data protection regulations impose strict platform accountability. When AI systems cause harm, responsibility flows upward to the company hosting the service.
An online Korean OpenClaw community on X had already attracted more than 1,700 members exchanging usage tips and security patches — indicating significant adoption that security teams needed to contain.
What Gartner said
Gartner’s assessment was the most damaging from a business credibility standpoint.
In a formal research note published in early February, Gartner classified OpenClaw as “insecure by default” and “unmanaged with high privileges.” Their specific recommendations to enterprises:
- Block OpenClaw downloads and traffic immediately
- Rotate any corporate credentials that may have been exposed
- Audit for shadow deployments already present on corporate networks
Gartner specifically noted that OpenClaw’s skill marketplace contamination rates “substantially exceeded typical app store standards” and that the resulting security debt was significant.
Noma Security corroborated this concern with data showing that 53% of their enterprise customers had given OpenClaw privileged access over a single weekend. That’s not managed deployment — that’s shadow AI at scale.
What Meta, Google, and Cisco said
Meta issued an internal directive prohibiting OpenClaw on all work devices. Employees were warned that using OpenClaw could result in termination. When a Meta AI security researcher’s own OpenClaw agent subsequently went rogue and deleted her email inbox — a story that went viral on X and was covered by TechCrunch — it underscored why the ban existed.
Google took a different approach: they began mass-restricting paying Gemini subscribers who used OpenClaw to access Google’s AI models. Users reported being banned without warning from $249/month plans. Google’s position: using third-party tools to access AI models violates their terms of service. The practical effect is the same — Google doesn’t want OpenClaw touching their infrastructure.
Cisco’s threat research team called OpenClaw “an absolute nightmare” that is ripe for prompt-injection attacks. They published detailed analysis of how personal AI agents create covert data channels that bypass traditional enterprise security controls.
CrowdStrike published a detailed advisory calling OpenClaw “a new class of security risk — an autonomous agent with broad system access that most users deploy without basic security hygiene.”
Palo Alto Networks identified what they termed the “lethal trifecta” — when an AI agent has access to private data, processes untrusted content, and can communicate externally. OpenClaw has all three in its default configuration.
What they’re all reacting to
These aren’t abstract concerns. Every warning is grounded in documented incidents and verified vulnerabilities:
9 CVEs in 90 days
Three disclosed January 29 (including CVE-2026-25253, the one-click RCE), six more from Endor Labs on February 18. Three have public exploit code. See our ClawJacked analysis for the technical breakdown of the most critical one.
1,184+ malicious skills on ClawHub
The ClawHavoc supply chain campaign delivered credential stealers (AMOS), keyloggers, and reverse shells through the official skill marketplace. Roughly one in five packages on the registry. See our ClawHavoc analysis for the full breakdown.
135,000+ exposed instances on the public internet
SecurityScorecard found 63% of deployments vulnerable, with 12,812 exploitable via remote code execution. Most were running without authentication.
The Meta inbox incident
A Meta AI security researcher tasked her OpenClaw agent with cleaning her inbox. The agent started deleting all email in a “speed run” while ignoring her phone commands to stop. She had to physically run to her Mac mini to kill it. If an AI security researcher can’t control the tool, the average business user certainly can’t.
The Moltbook data exposure
Wiz discovered that Moltbook — a social network designed exclusively for OpenClaw bots — had a major flaw exposing 1.5 million API tokens and 35,000 email addresses.
Credit where it’s due
OpenClaw’s team has been patching aggressively:
- CVE-2026-25253 patched within 24 hours of disclosure
- Gateway authentication now required by default
- VirusTotal partnership for ClawHub skill scanning
- SSRF policy defaulting to “trusted-network” mode in v2026.2.23
- Symlink escape rejection in skill packaging
- API key redaction from OTEL diagnostic logs
- 100+ security fixes across recent releases
- openclaw secrets for credential management
- openclaw config validate for configuration checking
This is genuine improvement. The project is iterating fast on security.
The gap that remains
But here’s the problem that none of these patches solve: most instances don’t auto-update.
SecurityScorecard found 135,000 exposed instances in March 2026. Many of these are running versions from January — before the critical patches. The project can ship fixes daily, but if users don’t apply them, the vulnerable install base keeps growing.
Additionally:
Malicious skills keep growing. From 341 → 824 → 1,184+ in six weeks, despite the VirusTotal partnership. VirusTotal catches malware signatures but not social engineering in SKILL.md files, not reverse shells in functional code, and not credential exfiltration via legitimate services like webhook.site.
The built-in audit still covers ~60% of the attack surface. Multi-directory skill scanning, identity file integrity, MCP server auditing, persistence detection, and supply chain IOC checking remain manual or require third-party tools. (See our 40% Gap analysis for specifics.)
Shadow AI is an enterprise problem, not just an individual one. Bitdefender documented employees deploying OpenClaw on corporate machines using single-line install commands with no security review and no SOC visibility. Noma Security found 53% of enterprise customers gave it privileged access over a single weekend.
When governments, analysts, and Big Tech all converge on the same warning, the signal is real. OpenClaw is a powerful tool, and the team is improving it. But adoption is outpacing security faster than the patches can close the gap.
What to do right now
Whether you’re using OpenClaw for personal projects or running it in a business context, here’s the minimum:
- Update immediately. Run openclaw --version and verify you’re on v2026.2.25 or later. If not: openclaw update. This alone closes the most critical vulnerabilities.
- Bind to localhost. Check netstat -an | grep 18789. If it shows 0.0.0.0, you’re exposed to the internet. Fix: openclaw config set gateway.bind "loopback".
- Audit registered devices. Open Control UI → Settings → Devices. Remove anything you don’t recognize. If you find unknown devices, assume compromise and rotate all credentials.
- Run the built-in audit. openclaw security audit --deep. Fix everything it flags. This gets you to about 60% coverage.
- Check your skills against known IOCs. We maintain a database of 1,184+ confirmed malicious skill names, publisher accounts, and behavioral signatures. Run our free scan to check the basics.
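The version and bind checks from the steps above as a script, added here as an illustration (it is not OpenClaw's own tooling or code from this site). It parses the listener table instead of looking for the string 0.0.0.0, so IPv6 and macOS wildcard binds are caught as well; the function names are hypothetical, and the version format is assumed to match the vYYYY.M.D strings quoted in this post.

```shell
#!/bin/sh
# Added example, not OpenClaw project code. Port and minimum version are the
# values quoted in this post; the function names are hypothetical.
GATEWAY_PORT=18789
MIN_VERSION=v2026.2.25

# Reads `netstat -an` or `ss -ltn` output on stdin and prints the widest bind
# found for the gateway port: wildcard, non-loopback, loopback or none.
classify_listeners() {
  awk -v port="$GATEWAY_PORT" '
    BEGIN { re = "[:.]" port "$" }           # ":18789" (Linux) or ".18789" (macOS)
    /LISTEN/ {
      for (i = 1; i <= NF; i++) {
        if ($i ~ re) {                       # local address field
          addr = $i
          sub(re, "", addr)                  # strip the port suffix
          if (addr == "0.0.0.0" || addr == "*" || addr == "::" || addr == "[::]")
            wild = 1                         # every interface, IPv4 or IPv6
          else if (addr ~ /^127\./ || addr == "::1" || addr == "[::1]")
            loop = 1
          else
            other = 1                        # one specific LAN or public address
          break
        }
      }
    }
    END { print (wild ? "wildcard" : other ? "non-loopback" : loop ? "loopback" : "none") }'
}

# Succeeds when dotted version $1 is >= $2, comparing each field numerically
# so that v2026.10.1 sorts after v2026.2.25 (a string compare gets this wrong).
version_at_least() {
  awk -v h="${1#v}" -v m="${2#v}" 'BEGIN {
    nh = split(h, a, "."); nm = split(m, b, ".")
    n = (nh > nm) ? nh : nm
    for (i = 1; i <= n; i++) {
      if (a[i] + 0 > b[i] + 0) exit 0
      if (a[i] + 0 < b[i] + 0) exit 1
    }
    exit 0
  }'
}

# Constructed sample: the IPv6 wildcard line never contains "0.0.0.0".
SAMPLE='tcp   0  0 127.0.0.1:18789   0.0.0.0:*   LISTEN
tcp6  0  0 :::18789          :::*        LISTEN'
printf '%s\n' "$SAMPLE" | classify_listeners   # prints: wildcard
```

On a live host, pipe `ss -ltn` or `netstat -an` into `classify_listeners`; anything other than `loopback` or `none` means the gateway port is reachable from another machine unless a firewall blocks it.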
For the remaining 40% — multi-directory scanning, identity integrity, MCP auditing, persistence detection, network exfiltration checks, and complete IOC coverage — the Security Blueprint ($97) packages everything into drop-in scripts and configs.
For businesses that need documented security posture or don’t have time to interpret findings: the Hardening Report ($297) delivers a personalized review within 24 hours, covering your specific deployment.
Don’t wait for the next advisory
Three governments warned. Gartner said block it. Meta banned it. If you’re still running OpenClaw, at least know where your gaps are. The Hardening Report reviews your specific deployment and delivers a prioritized remediation plan within 24 hours.