China’s National Computer Virus Emergency Response Center has detected counterfeit OpenClaw skill packages embedded with Trojan viruses, posing what Xinhua called “severe risks to users’ data security and system stability.” The disclosure, published May 14, arrives alongside a broader regulatory acceleration: 111 OpenClaw vulnerabilities recorded in the CNNVD database between April 14 and April 28, and a new three-agency policy framework governing AI agent development nationwide.
The Supply Chain Problem
The counterfeit skill packages represent the latest escalation in a supply chain attack pattern that has tracked OpenClaw’s adoption curve since late 2025. In January, security firm Koi identified 341 malicious skills out of 2,857 published on ClawHub, with 335 linked to a single campaign deploying keyloggers, droppers, and infostealers, according to Stormshield’s retrospective. By February, fake OpenClaw installers were appearing in Bing’s top search results. By March, more than 200 CVEs had been published against the platform.
China’s virus center did not disclose the scale of the counterfeit skill campaign or the specific malware families involved. But the context is clear: OpenClaw adoption in China has been explosive. Tian Suning, co-founder of cybersecurity firm AsiaInfo, told Xinhua that “OpenClaw-type agents are likely to become the next generation of operating systems,” noting that corporate assets are shifting from traditional personnel and software to data and agents.
111 Vulnerabilities in 14 Days
The CNNVD figure of 111 vulnerabilities in a two-week window underscores the velocity problem. These flaws range from access control errors to critical code issues, according to Xinhua. The National Computer Network Emergency Response Technical Team (CNCERT/CC) and the Ministry of Industry and Information Technology had previously issued high-level warnings about OpenClaw vulnerabilities.
Stormshield’s May 7 retrospective documented the accumulation: CVE-2026-25253 (CVSS 8.8, operator-level privilege escalation through token exfiltration), CVE-2026-27522 (CVSS 7.1, arbitrary file access), the “ClawJacked” full agent takeover vulnerability discovered by Oasis Security, and the Hudson Rock infostealer specifically targeting OpenClaw configuration files. The trend line points in one direction: the attack surface is expanding faster than patch cycles can compress it.
Enterprise Adoption Continues Anyway
Chinese enterprises are not waiting for the security picture to stabilize. Liu Longwei, CSO of Tuya Smart, told Xinhua that the company equipped its entire workforce with “digital employees” based on modified OpenClaw and that AI generated 70% of the company’s code last year. To manage the risk, Tuya built six layers of defense including system hardening and supply chain security controls.
Liang Hongwei, a senior expert at Alibaba Cloud, warned that “allowing employees to run unregulated OpenClaw in the workplace is risky, as it undermines control over security and data exposure threats,” recommending elastic cloud deployment and strict operational principles prioritizing security and compliance, according to Xinhua.
The Regulatory Response
Beijing’s answer is a layered regulatory stack. On May 8, the Cyberspace Administration of China (CAC), the National Development and Reform Commission, and the Ministry of Industry and Information Technology jointly issued implementation guidelines for the “standardized application and innovative development” of AI agents. The guidelines define AI agents as intelligent systems capable of autonomous perception, memory, decision-making, interaction, and execution.
The framework identifies four priority areas: consolidating technological foundations and standards, ensuring safety and security, driving application across 19 identified scenarios spanning scientific research to public governance, and building an innovation ecosystem. Caixin Global reported the policy targets 70% adoption of smart terminals and AI agents by 2027.
Separately, five central departments including the CAC rolled out regulations on AI anthropomorphic interactive services in April, establishing risk-based oversight mandating security assessments and algorithm filings. That framework introduced China’s first articulation of an AI sandbox governance concept, according to Xinhua.
The Parallel With Singapore
The timing is notable. On the same day as Xinhua’s report, Singapore’s Infocomm Media Development Authority (IMDA) released an advisory warning organizations against deploying single all-powerful OpenClaw agents with unrestricted access, citing architectural risks of autonomous escalation and data leakage. Two major technology regulators, on two continents, arriving at the same conclusion within hours: agent security requires governance frameworks that the technology itself does not yet provide.
AsiaInfo’s cybersecurity arm has responded with the Agent Trust Framework (ATF), a governance model integrating “agent intent alignment” and “human-AI co-governance” designed to contain risks from AI randomness within compliance boundaries, per Xinhua. Whether vendor-led trust frameworks can scale ahead of the exploit curve is the open question. The CNNVD’s 111 vulnerabilities in 14 days suggest the attackers are not waiting for the answer.