Artificial Intelligence Industry Development Alliance: Continuously Tracking Security Risk Dynamics of OpenClaw and Similar AI Agents

Recently, the Cybersecurity Threat and Vulnerability Information Sharing Platform (NVDB) of the Ministry of Industry and Information Technology released an open-source intelligent agent security risk warning and the “Six Do’s and Six Don’ts” recommendations for OpenClaw (formerly known as Clawdbot, Moltbot). The warning indicates that this product has multiple high-level security vulnerabilities that could adversely affect users. Security measures should be strengthened during deployment and application.

As a platform for artificial intelligence industry collaboration and services, the China Artificial Intelligence Industry Development Alliance always aims to ensure members operate compliantly and promote the safe and healthy development of the AI industry. To help members accurately identify risks, effectively prevent hidden dangers, and avoid losses caused by improper application, a security alert is issued.

1. Security Risk Tips

  1. Risks of prompt injection and command hijacking. This intelligent agent can operate autonomously over long periods, read multimodal content, and execute commands across platforms. Attackers can embed malicious prompts in documents, web pages, or interactive content to bypass security controls, hijack the agent's instructions, and induce unauthorized actions such as data theft, permission tampering, or malicious code execution. The result can be leaks of sensitive data, core intellectual property, and system access credentials, and the host can be turned into a botnet node, among other security incidents.

  2. Risks of autonomous decision bias and irreversible operations. Affected by the inherent “hallucination” problem of large language models, this intelligent agent may misinterpret instructions or make logical errors during autonomous task execution, potentially causing irreversible damage such as destruction of core production data, tampering with critical system configurations, or business process interruptions, adversely impacting normal operations.

  3. Malicious poisoning risks in third-party ecosystems. The open-source ecosystem for this intelligent agent includes various third-party plugins, extensions, and skill components, many of which have not undergone security review and may contain malicious code or backdoors. Using such non-compliant components can lead to unauthorized control of deployment environments, lateral movement within internal networks, ransomware attacks, and other secondary security risks.

  4. Configuration flaws and known vulnerability exploitation risks. Multiple high-severity vulnerabilities have been publicly disclosed in this intelligent agent. Default configurations often lack sufficient security protections. Improper setups such as exposing instances to the internet, weak password authentication, running with high-privilege accounts, or storing sensitive information in plaintext can allow attackers to exploit these vulnerabilities for system takeover, resulting in data leaks or business system paralysis.

  5. Risks of combined (deeply coupled) attacks. OpenClaw faces attacks that combine inherent weaknesses of the AI model with traditional software vulnerabilities. An attacker can exploit a conventional vulnerability to breach the environment boundary, then hijack the model's behavior through the model's own weaknesses (such as prompt injection) and amplify the impact. This breaks the defensive boundary between traditional security and AI security and creates complex threats that no single protective system can defend against.

  6. Compliance operation and liability risks. If the intelligent agent's development, deployment, or application involves processing personal information, handling important data, automated decision-making, or cross-border data transfer, failure to strictly comply with relevant Chinese laws, regulations, and industry standards creates compliance risk. Relying on third-party encapsulation services can also make accountability and legal responsibility unclear when a data breach occurs.

  7. Cross-border data transfer risks. Deployment scenarios may involve automatic calls to overseas large-model APIs or access to foreign data sources, or deployment in cross-border scenarios, which could result in unassessed, high-frequency cross-border data transmissions, potentially violating China’s “Data Export Security Assessment Measures.”

2. Security Control Guidelines for Different Scenarios

Based on current mainstream application modes, the alliance categorizes deployment into three scenarios: local deployment of OpenClaw, cloud deployment, and third-party vendor encapsulation services. First, universal basic security requirements are clarified for all scenarios, followed by specific security tips tailored to the risk characteristics of each scenario.

(a) General Basic Security Requirements for All Scenarios

These requirements apply to all applications involving OpenClaw and similar AI intelligent agents and constitute the fundamental security bottom line:

  • Carefully evaluate actual needs. Avoid blind deployment; strengthen supply chain and plugin management. Conduct code review and behavior verification in isolated environments for third-party plugins, extensions, and skills, and promptly remove malicious components. Establish a full-process control mechanism of “assessment before use, testing before deployment.”

  • Define usage boundaries and prevent sensitive data leaks. Prohibit deployment, use, or access in environments handling sensitive or confidential information, core production systems, or internal sensitive networks. Do not grant access to core business secrets, important data, or personal sensitive information.

  • Adhere to compliance and legal requirements. Strictly follow laws such as the Cybersecurity Law, Data Security Law, Personal Information Protection Law, and Interim Measures for Generative AI Services, ensuring compliant operation.

  • Strengthen full-process auditing and establish emergency response mechanisms. Audit operational behaviors, commands, and data flows, retain logs for at least six months, and set up real-time anomaly monitoring and emergency handling to promptly shut down and trace risks.

  • Continuously reinforce security and promptly fix vulnerabilities. Follow authoritative vulnerability alerts and security notices, update to the latest official security versions, and regularly conduct risk assessments and security hardening of deployment environments and permissions.

  • Enhance staff security management and awareness. Provide targeted training on deployment risks, sensitive data protection, and emergency procedures. Avoid linking enterprise applications with personal instant messaging accounts to prevent data leaks, and improve employees’ security awareness.

(b) Local Deployment Scenario Security Tips

Applicable when downloading OpenClaw source code independently and deploying on own physical servers, office terminals, or private internal networks. Core risk control measures include:

  • Strict source code security. Download only from official trusted repositories. Conduct static code analysis and vulnerability scans immediately after download, focusing on backdoors, malicious code, and known high-risk vulnerabilities. Avoid using unofficial branches or images.

  • Enforce environment isolation. Deployment must be logically or physically isolated from core business networks and internal intranets. Run only in closed testing environments; avoid cross-segment access to core systems or sensitive data.

  • Minimize operational permissions. Follow the principle of least privilege. Do not run with administrator or root accounts; assign only the necessary minimal system permissions for testing. Prohibit high-risk operations like bulk file deletion, system configuration changes, or disk formatting.

  • Harden basic configurations. Do not expose instances to the internet. Close unnecessary ports and services, enable strong authentication and multi-factor authentication, and prevent unauthenticated or weak password access. Store API keys and credentials securely with encryption and rotate regularly.

  • Strictly control third-party extensions. All plugins and modules must undergo security checks and malware scans. Do not load unverified components or configuration files, especially prompt templates, to prevent injection attacks.

  • Standardize secondary development. Conduct security and compliance assessments for custom development based on open-source code, focusing on permission bypass, data leakage, and injection risks. Establish security testing for version updates.

  • Set operation thresholds. Configure thresholds for actions such as batch file operations, high-frequency permission calls, or large data transfers. Enable automatic detection, immediate termination of abnormal behaviors, and alert mechanisms.
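The two bullets above on least privilege and operation thresholds describe a policy layer that sits between the agent's planner and its tool executor; the same layer is the practical control against the hijacked commands described under risk 1, because it judges the action, not the prompt that produced it. The following is an added example and not OpenClaw's own code: the tool names, the action record format, the denied-command patterns, and the threshold values are all assumptions made for illustration. Each tool call is classified, counted against a sliding window, and either allowed, denied, or used to halt the whole run and raise an alert until a human resets the gate.

```python
"""Policy gate between an LLM agent's planner and its tool executor.

Added example, not OpenClaw's own code. Tool names, action records and the
thresholds below are hypothetical; tune them to the deployment.
"""
import re
import time
from collections import deque
from dataclasses import dataclass, field
from typing import Deque, Dict, List, Optional, Tuple

# Shell commands the agent may never run, whatever the prompt says
# (bulk deletion, system configuration changes, disk formatting, escalation).
DENY_PATTERNS = [
    (re.compile(r"^\s*(sudo|su)\b"), "privilege escalation"),
    (re.compile(r"^\s*(mkfs|wipefs|fdisk|dd)\b"), "disk formatting / raw device write"),
    (re.compile(r"^\s*rm\s+-[a-zA-Z]*[rR][a-zA-Z]*\s"), "recursive delete"),
    (re.compile(r"^\s*(systemctl|chown|chmod|iptables|crontab)\b"), "system configuration change"),
]

@dataclass
class Thresholds:
    window_seconds: float = 60.0
    max_file_ops: int = 20                       # batch file operations per window
    max_permission_calls: int = 3                # credential / permission uses per window
    max_transfer_bytes: int = 20 * 1024 * 1024   # outbound bytes per window

@dataclass
class ActionGate:
    limits: Thresholds = field(default_factory=Thresholds)
    _file_ops: Deque[float] = field(default_factory=deque)
    _perm_calls: Deque[float] = field(default_factory=deque)
    _transfers: Deque[Tuple[float, int]] = field(default_factory=deque)
    halted: bool = False
    alerts: List[str] = field(default_factory=list)

    def _prune(self, now: float) -> None:
        # Drop events that fell out of the sliding window.
        w = self.limits.window_seconds
        for q in (self._file_ops, self._perm_calls):
            while q and now - q[0] > w:
                q.popleft()
        while self._transfers and now - self._transfers[0][0] > w:
            self._transfers.popleft()

    def _halt(self, reason: str) -> Tuple[str, str]:
        # Terminate the run and raise an alert; a human must reset `halted`.
        self.halted = True
        self.alerts.append(reason)
        return "halt", reason

    def check(self, action: Dict, now: Optional[float] = None) -> Tuple[str, str]:
        """Return ("allow" | "deny" | "halt", reason) for one tool call."""
        now = time.time() if now is None else now
        if self.halted:
            return "deny", "agent halted pending human review"
        self._prune(now)
        tool = action.get("tool")

        if tool == "shell":
            cmd = action.get("cmd", "")
            for pat, why in DENY_PATTERNS:
                if pat.search(cmd):
                    return self._halt(f"denied shell command ({why}): {cmd!r}")
            return "allow", "shell command within policy"

        if tool in ("write_file", "delete_file", "move_file"):
            self._file_ops.append(now)
            if len(self._file_ops) > self.limits.max_file_ops:
                return self._halt(f"{len(self._file_ops)} file operations within window")
            return "allow", "file operation"

        if tool == "use_credential":
            self._perm_calls.append(now)
            if len(self._perm_calls) > self.limits.max_permission_calls:
                return self._halt(f"{len(self._perm_calls)} credential uses within window")
            return "allow", "credential use"

        if tool == "upload":
            size = int(action.get("bytes", 0))
            self._transfers.append((now, size))
            total = sum(b for _, b in self._transfers)
            if total > self.limits.max_transfer_bytes:
                return self._halt(f"{total} bytes sent within window")
            return "allow", "upload"

        # Tools not on the allowlist are denied by default (least privilege).
        return "deny", f"tool {tool!r} not on allowlist"


def replay(actions: List[Dict], gate: Optional[ActionGate] = None, t0: float = 1000.0) -> List[str]:
    """Run a constructed action sequence through a gate and return the decisions."""
    gate = gate or ActionGate()
    return [gate.check(a, now=t0 + a.get("t", 0))[0] for a in actions]

# Constructed sample run: benign steps, then an injected "clean up" instruction.
SAMPLE_ACTIONS = [
    {"t": 0, "tool": "shell", "cmd": "ls -la ./reports"},
    {"t": 1, "tool": "write_file", "path": "./reports/summary.md"},
    {"t": 2, "tool": "upload", "bytes": 4096},
    {"t": 3, "tool": "shell", "cmd": "rm -rf / --no-preserve-root"},  # hijacked command
    {"t": 4, "tool": "write_file", "path": "./reports/x.md"},          # arrives after the halt
]

if __name__ == "__main__":
    for act, decision in zip(SAMPLE_ACTIONS, replay(SAMPLE_ACTIONS)):
        print(decision, act)
```

The gate deliberately halts rather than merely denying once a prohibited action or threshold breach is seen: a single hijacked command is evidence that the run's instructions are no longer trustworthy, so every later action is refused until a person reviews the alert and resets the gate.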

(c) Cloud Deployment Scenario Security Tips

Applicable when deploying OpenClaw on public, private, or hybrid cloud platforms using cloud servers, containers, or serverless services. Core control measures include:

  • Strictly control public network access. Do not assign public IPs or open all ports. Use security groups to restrict access to whitelisted internal IPs or VPNs, with all external access encrypted and authenticated. Review default network configurations of cloud images or templates before deployment.

  • Tighten cloud platform permissions. Follow the principle of least privilege in IAM. Avoid using root or admin accounts; assign specific roles with limited cloud resource permissions. Prevent cross-tenant or cross-service access to avoid asset loss.

  • Strengthen cloud-native security. Scan container images for malicious code and vulnerabilities before deployment. Enable container escape prevention, process whitelisting, and restrict system calls. Do not run containers in privileged mode.

  • Manage sensitive data securely. Encrypt API keys, cloud credentials, and model access tokens using cloud KMS. Avoid hardcoding secrets in code or configs. Regularly rotate credentials.

  • Improve cloud security monitoring. Integrate with intrusion detection, traffic auditing, and log analysis services. Monitor abnormal access, lateral movement, and data exfiltration in real time. Enable snapshot backups and regular data backups.

  • Prevent cross-tenant and supply chain risks. Avoid deploying in shared environments; prefer dedicated hosts or private clouds. Conduct security checks on open-source components and third-party libraries for known vulnerabilities and tampering.

  • Ensure full lifecycle data security. Encrypt all data generated, processed, or stored in the cloud. Regularly clear temporary caches and encrypt/destroy transient data. Prohibit storing temporary data in plaintext on cloud servers, containers, or object storage. Prevent data synchronization to overseas or unauthorized third-party cloud nodes.
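The cloud-native bullets above (no privileged mode, restricted system calls, no public exposure, no hardcoded secrets) and the local-deployment hardening bullets can be checked mechanically against a container's effective runtime settings rather than against what the deployment template was meant to say. The following is an added example, not OpenClaw's own tooling. It reads the JSON shape produced by `docker inspect <container>` (only the fields it checks), and the weak and hardened configurations are constructed for the demonstration; the environment-variable name and the workspace path are assumptions.

```python
"""Audit a container's runtime configuration against the hardening points above.

Added example, not OpenClaw's own tooling. Input is the JSON produced by
`docker inspect <container>`; the two sample configurations are constructed.
"""
import json
import re
import sys
from typing import Dict, List

# Environment variable names that usually carry credentials (heuristic).
SECRET_ENV = re.compile(r"(KEY|TOKEN|SECRET|PASSWORD|PASSWD)=", re.IGNORECASE)
# Capabilities that effectively hand over the host when added to a container.
DANGEROUS_CAPS = {"SYS_ADMIN", "SYS_PTRACE", "SYS_MODULE", "NET_ADMIN", "DAC_READ_SEARCH", "ALL"}
# Host paths whose bind-mount amounts to a container escape.
ESCAPE_MOUNTS = {"/", "/var/run/docker.sock", "/run/docker.sock"}

def _cap(name: str) -> str:
    name = name.upper()
    return name[4:] if name.startswith("CAP_") else name

def audit_container(inspect: Dict) -> List[str]:
    """Return a list of findings; an empty list means no check fired."""
    host = inspect.get("HostConfig", {})
    cfg = inspect.get("Config", {})
    findings: List[str] = []

    if host.get("Privileged"):
        findings.append("privileged mode enabled (full host device and capability access)")

    added = {_cap(c) for c in host.get("CapAdd") or []}
    if added & DANGEROUS_CAPS:
        findings.append(f"dangerous capabilities added: {sorted(added & DANGEROUS_CAPS)}")
    if "ALL" not in {_cap(c) for c in host.get("CapDrop") or []}:
        findings.append("capabilities not dropped (expected CapDrop [ALL] plus explicit adds)")

    secopt = host.get("SecurityOpt") or []
    if any(o.startswith("seccomp=unconfined") for o in secopt):
        findings.append("seccomp disabled (system calls unrestricted)")
    if not any(o.startswith("no-new-privileges") for o in secopt):
        findings.append("no-new-privileges not set (setuid binaries can escalate)")

    if not host.get("ReadonlyRootfs"):
        findings.append("root filesystem writable")

    user = (cfg.get("User") or "").strip()
    if user in ("", "0", "root") or user.startswith(("0:", "root:")):
        findings.append("container process runs as root")

    for bind in host.get("Binds") or []:
        src = bind.split(":")[0]
        if src in ESCAPE_MOUNTS:
            findings.append(f"host path {src!r} bind-mounted (container escape / host takeover)")

    for port, bindings in (host.get("PortBindings") or {}).items():
        for b in bindings or []:
            if b.get("HostIp") in ("", "0.0.0.0", "::"):
                findings.append(f"port {port} published on all interfaces; bind to 127.0.0.1 or keep behind VPN/security group")

    for env in cfg.get("Env") or []:
        if SECRET_ENV.search(env):
            findings.append(f"secret {env.split('=', 1)[0]} passed as plaintext environment variable; use a KMS/secret store")

    return findings

# Constructed weak configuration: the defaults-plus-convenience deployment.
WEAK = {
    "Config": {"User": "", "Env": ["MODEL_API_KEY=constructed-example-value", "PATH=/usr/bin"]},
    "HostConfig": {
        "Privileged": True,
        "CapAdd": ["SYS_ADMIN"], "CapDrop": [],
        "SecurityOpt": ["seccomp=unconfined"],
        "ReadonlyRootfs": False,
        "Binds": ["/var/run/docker.sock:/var/run/docker.sock"],
        "PortBindings": {"8080/tcp": [{"HostIp": "0.0.0.0", "HostPort": "8080"}]},
    },
}

# Constructed hardened configuration: the secret is referenced by file path, not value.
HARDENED = {
    "Config": {"User": "10001:10001", "Env": ["PATH=/usr/bin", "MODEL_API_KEY_FILE=/run/secrets/model_api_key"]},
    "HostConfig": {
        "Privileged": False,
        "CapAdd": [], "CapDrop": ["ALL"],
        "SecurityOpt": ["no-new-privileges:true", "seccomp=/etc/docker/seccomp-agent.json"],
        "ReadonlyRootfs": True,
        "Binds": ["/srv/agent/workspace:/workspace:rw"],
        "PortBindings": {"8080/tcp": [{"HostIp": "127.0.0.1", "HostPort": "8080"}]},
    },
}

if __name__ == "__main__":
    # Usage: docker inspect <container> | python3 audit.py
    for c in json.load(sys.stdin):
        print(c.get("Name"), json.dumps(audit_container(c), indent=2))
```

Running the audit against the live `docker inspect` output, rather than against a compose file or template, matters because cloud images and orchestrator defaults can add privileges and port publications that never appear in the file an operator reviewed.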

(d) Third-Party Vendor Encapsulation Service Security Tips

Applicable when using third-party SaaS, finished tools, or integrated platforms based on OpenClaw, without deploying underlying code oneself. Core control points include:

  • Verify vendor compliance. Choose vendors with clear security credentials, such as cybersecurity level protection and data security certifications. Avoid unlicensed, anonymous, or unverified small-scale tools.

  • Clarify responsibilities and legal agreements. Sign formal service and confidentiality agreements, specifying data ownership, storage scope and location, data usage, confidentiality, security obligations, breach liability, and emergency response.

  • Control data upload and usage boundaries. Do not upload core business secrets, sensitive information, or critical data unless necessary. Avoid exposing internal systems or access rights to third-party services to prevent internal network infiltration.

  • Evaluate functional risks carefully. Test command execution logic, prompt injection defenses, high-risk operations, and permission boundaries before use. Avoid enabling high-risk functions like file deletion or data exfiltration unless under strict manual review.

  • Conduct ongoing compliance and security monitoring. Regularly review the security status of service providers, track security incidents or penalties, and record all data flows and command executions. Immediately cease use if anomalies are detected and retain evidence.

  • Prepare emergency response plans. Ensure vendors have clear procedures and response times for data breaches or service interruptions. Regularly back up data locally to prevent loss if services are terminated or systems fail.

  • Establish full data traceability and ownership. Require vendors to assign unique identifiers to all uploaded data and derived data, enabling full traceability from upload to deletion. Clarify data ownership rights in agreements, ensuring users retain control over their data and derivatives. Provide one-click deletion options for all user data and derivatives, which must be irreversible.

3. Next Steps for the Alliance

The alliance will continue to support members by:

  • Monitoring the security risks of OpenClaw and similar AI agents, and timely sharing risk alerts and industry best practices when possible.

  • Organizing specialized technical exchanges and training sessions on AI security, inviting industry experts to share protection strategies for various scenarios.

  • Developing enterprise-level deployment risk management guidelines for OpenClaw, including self-assessment checklists to help improve compliance governance.

  • Assisting members in risk investigation and hidden danger mitigation by coordinating high-quality industry security resources and providing professional guidance and technical support.

Artificial intelligence security is the core foundation for high-quality industry development. The alliance encourages members to actively explore innovative applications of AI intelligent agents and related frontier technologies, but also emphasizes the importance of paying close attention to associated risks, conducting comprehensive risk assessments based on actual scenarios, implementing targeted security controls, and working together to maintain a safe, orderly, and healthy AI industry environment in China.

(Source: The Paper News)
