China’s national cybersecurity authority CNCERT has issued a formal warning about OpenClaw’s default security configuration, citing vulnerabilities that enable prompt injection attacks and potential data exfiltration from local systems. In response, Chinese government agencies have begun pulling OpenClaw from official infrastructure — a sharp reversal from the aggressive state-backed deployment push that dominated headlines less than a week ago.
The advisory, reported by The Hacker News on March 14, identifies weak default settings as the primary attack surface. Without manual hardening, OpenClaw instances expose local file systems and connected services to manipulation through crafted prompts — a risk that scales dramatically when agents have privileged access to government networks.
From “Lobster Buffet” to Lockdown in Four Days
The timing makes this story extraordinary. On March 12, CNBC reported that Chinese enterprises and government bodies were deploying OpenClaw at a pace Western organizations couldn’t match. Baidu engineers installed it publicly. State media framed the rollout as a national priority. Bloomberg ran explainers. CGTN celebrated 250,000 GitHub stars.
Four days later, CNCERT effectively told those same agencies to stop.
The speed of the reversal suggests the security assessment came after — not before — the deployment wave. When adoption moves faster than auditing, vulnerabilities get baked into production before anyone checks the defaults.
135,000 Instances Still Exposed Globally
The CNCERT advisory lands on top of existing concerns. A PBX Science deep-dive published March 8 found over 135,000 OpenClaw instances globally still unpatched against the ClawJacked WebSocket hijack vulnerability disclosed in early March. That figure predates the Chinese deployment surge, meaning the actual number of exposed instances is likely higher now.
The pattern is familiar from cloud infrastructure’s early days: rapid adoption, default configs shipped as-is, security treated as a follow-up task. The difference with AI agents is the attack surface. A compromised cloud server leaks data. A compromised AI agent with system access can read files, execute commands, and exfiltrate information autonomously — all while appearing to function normally.
Design Philosophy or Growing Pains?
The core question for OpenClaw’s maintainers is whether weak defaults are a design choice or a maturity gap. Open-source projects often ship permissive defaults to reduce friction for developers experimenting locally. The assumption is that anyone deploying to production will harden their configuration. That assumption breaks when state agencies deploy at speed without a security review cycle.
OpenClaw now faces the same tension every open-source infrastructure project eventually hits: developer convenience versus production safety. The project’s response — whether it tightens defaults, ships hardened deployment profiles, or leaves security entirely to operators — will shape how enterprises and governments evaluate it going forward.
Why This Matters
CNCERT’s action is the first government-level security restriction on an AI agent platform, and it sets a precedent. If other national cybersecurity agencies follow with their own advisories, OpenClaw’s default security posture becomes a regulatory surface, not just a technical one.
For operators running OpenClaw in any environment with sensitive data: audit your defaults now. The Chinese government just demonstrated what happens when that step gets skipped.
Sources: The Hacker News, PBX Science, CNBC