In Longgang, a manufacturing district in Shenzhen, local officials are dangling subsidies of up to 2 million yuan ($275,000) per project to lure OpenClaw startups into the neighborhood. Three hundred kilometers north in Wuxi, another local government is doing the same. Hefei, the capital of Anhui province, has joined the race. Across China’s eastern seaboard, a subsidy war for AI agent companies is underway.

At the same time, three of China’s central cybersecurity agencies have issued formal warnings about OpenClaw. State-owned banks have banned employees from using it. Government offices are locking it out of internal networks. And security researchers have found roughly 23,000 OpenClaw instances in China sitting exposed on the open internet, many of them vulnerable to remote code execution.

This is the paradox at the heart of China’s AI strategy in 2026: the country is simultaneously pouring millions into OpenClaw adoption and actively trying to contain it.

The Subsidy Gold Rush

China’s local governments have a long history of competing for emerging industries through subsidies — solar panels, electric vehicles, semiconductors. OpenClaw is the latest target.

The most aggressive push is happening in Shenzhen’s Longgang district. According to the South China Morning Post, Longgang is offering subsidies of up to 2 million yuan per OpenClaw project, part of a broader effort to position the district as a hub for AI agent development. The subsidies cover everything from compute costs to office space to talent recruitment.

But Longgang isn’t alone. As NBC News reported, cities including Wuxi and Hefei have launched similar programs, creating a competitive landscape where local governments are essentially bidding against each other for OpenClaw startups. The total package in some cities — combining direct subsidies, low-interest financing, and operational support — can reach up to 10 million yuan ($1.38 million) per company, according to Reuters. Note that this figure includes both subsidies and financing instruments, not grants alone.

The logic is straightforward. OpenClaw has become the dominant open-source framework for building AI agents — autonomous systems that can browse the web, write code, manage files, and interact with APIs on behalf of users. Chinese officials see it the same way they saw mobile internet in 2012 or cloud computing in 2016: a platform shift where early positioning matters.

“The local government subsidy race for OpenClaw mirrors what we saw with cloud computing zones five years ago,” TechNode reported, noting that at least a dozen Chinese cities have now mentioned AI agents or OpenClaw-compatible frameworks in their 2026 industrial policy documents.

The frenzy has real commercial momentum behind it. Chinese developers have been among the most active contributors to the OpenClaw ecosystem, building Chinese-language extensions, integrations with domestic platforms like WeChat and DingTalk, and custom agent frameworks layered on top of the core protocol. CNBC noted that several Chinese AI startups have raised significant funding rounds specifically to build OpenClaw-based products for enterprise customers.

The Ban Hammer

While local governments write checks, central authorities are sounding alarms.

In March 2026, three Chinese cybersecurity bodies — the National Computer Network Emergency Response Technical Team (CNCERT), the China Information Technology Security Evaluation Center, and the National Computer Virus Emergency Response Center — issued coordinated warnings about the security risks of OpenClaw deployments, as CGTN reported. The guidance was unusually specific, breaking down risks by user type: individual users, enterprise administrators, and platform operators each received tailored recommendations.

The warnings weren’t theoretical. They cited concrete attack vectors: prompt injection through malicious tool servers, credential theft via compromised MCP endpoints, data exfiltration through agent-to-agent communication channels, and unauthorized access to internal systems when OpenClaw instances are exposed without authentication.

The response from state institutions has been decisive. According to China Daily, multiple government agencies have prohibited the use of OpenClaw on internal networks. Several state-owned banks — institutions that collectively manage trillions in assets — have banned employees from connecting OpenClaw agents to any system that touches customer data or financial records, as Global Times reported.

This isn’t a case of bureaucratic caution outrunning reality. The security concerns are well-documented and serious.

23,000 Exposed Instances and Counting

The scale of China’s OpenClaw exposure problem is staggering.

According to SecurityScorecard’s research, approximately 42,900 OpenClaw instances are currently exposed on the public internet across 82 countries. China accounts for a significant share of these — roughly 23,000 instances accessible without proper authentication, based on scanning data cross-referenced by multiple security firms.

Of the global total, SecurityScorecard found that approximately 15,200 instances are vulnerable to known remote code execution (RCE) exploits. These aren’t theoretical vulnerabilities requiring sophisticated attack chains. They’re known bugs with published proof-of-concept exploits, sitting on internet-facing servers with default configurations.

The Register reported that many of the exposed Chinese instances appear to be development environments that were spun up quickly and never properly secured — a predictable consequence of the subsidy-driven rush to build OpenClaw applications.

Infosecurity Magazine documented several cases where exposed OpenClaw instances were connected to internal databases, file systems, and even code repositories. An attacker exploiting an RCE vulnerability on one of these servers wouldn’t just compromise the agent — they’d potentially gain access to everything the agent could reach.

The math is grim. Local governments are paying companies to deploy OpenClaw as fast as possible. Central cybersecurity agencies are warning that rushed deployments are creating massive attack surfaces. And the scanning data confirms that thousands of instances are already exposed.

Why the Contradiction Isn’t Really a Contradiction

To Western observers, China’s simultaneous subsidy and ban approach looks incoherent. It isn’t — or at least, it follows a pattern that’s entirely consistent with how China has managed previous technology waves.

China’s governance structure creates natural tension between local and central authorities on technology adoption. Local governments are evaluated primarily on economic growth metrics. They have strong incentives to attract new industries, regardless of security concerns — that’s someone else’s department, literally. District-level officials in Longgang don’t report to CNCERT. Their KPIs are GDP growth, employment, and tax revenue.

Central cybersecurity agencies, meanwhile, have a different mandate entirely. Their job is to identify and mitigate risks to national security and critical infrastructure. They don’t care whether Longgang hits its AI startup targets.

This isn’t dysfunction. It’s how China has operated through every major technology transition. During the mobile payment boom, local governments aggressively promoted cashless cities while central regulators issued warnings about financial stability and data privacy. During the cloud computing buildout, provinces raced to build data center zones while Beijing tightened rules around data localization and cross-border transfers. The electric vehicle subsidy wars ran in parallel with crackdowns on fraud and safety violations.

The pattern is: promote aggressively at the local level, regulate reactively at the central level, and eventually converge on a managed framework that captures the economic benefits while containing the risks.

NBC News quoted analysts suggesting that China’s endgame is likely a domestically controlled version of the OpenClaw ecosystem — one where the protocol itself is open, but the deployment infrastructure, model access, and data flows are subject to central oversight. Several Chinese companies are already building “OpenClaw-compatible” platforms that route all agent activity through government-approved model providers and logging systems.

The Security Guidance Tells the Real Story

The most revealing document in this saga is the CGTN-reported security guidance itself. It’s not a ban on OpenClaw. It’s not even a discouragement. It’s a framework for making OpenClaw deployable within China’s security requirements.

The CGTN report detailed how the guidance segments users into three tiers. Individual users get basic hygiene recommendations — don’t connect agents to sensitive accounts, verify tool server authenticity, monitor agent activity logs. Enterprise administrators get more prescriptive rules — mandatory authentication, network segmentation, audit logging, and restrictions on which internal systems agents can access. Platform operators face the strictest requirements — real-name verification for users, content monitoring for agent outputs, and mandatory vulnerability reporting.

This is regulation, not prohibition. China doesn’t want to stop OpenClaw. It wants to own the terms of OpenClaw’s deployment.

The contrast with the outright bans at state banks and government agencies makes more sense in this light. Those bans are temporary holding actions — keep OpenClaw out of the most sensitive environments until the regulatory framework is in place to manage it. The subsidies keep the commercial ecosystem growing so that when the framework arrives, there’s actually an industry to regulate.

What Comes Next

The subsidy-ban paradox is likely to resolve within six to twelve months, following the pattern of previous technology cycles. The probable outcome:

A licensing regime. OpenClaw platform operators in China will need approval from cybersecurity authorities, similar to how cloud service providers currently require licenses. The technical requirements from the March security guidance will become mandatory compliance standards.

Domestic forking. Chinese companies will build increasingly divergent versions of the OpenClaw protocol — compatible in name but adding mandatory logging, content filtering, and model routing through approved providers. The open-source base will remain, but the production deployments will be distinctly Chinese.

Continued subsidies with strings attached. Local government funding will increasingly come with security compliance requirements baked in. Longgang’s 2 million yuan per project will still be available, but applicants will need to demonstrate adherence to the central cybersecurity standards.

A security reckoning. Those 23,000 exposed instances won’t stay exposed forever. Expect a coordinated cleanup campaign, likely triggered by a high-profile breach, that forces rapid remediation and gives central authorities the political cover to impose stricter deployment rules.

For the rest of the world, China’s OpenClaw paradox is a preview. Every government is going to face the same tension between wanting AI agent capabilities and fearing AI agent risks. China is just moving through the cycle faster and with less concern for the optics of contradicting itself along the way.

The subsidy checks are still being written. The bans are still being enforced. And somewhere in Shenzhen, a startup founder is cashing a government check to build the exact kind of OpenClaw deployment that another government agency just told everyone to stop using.

That’s not a bug in China’s system. It’s the feature.