China’s CERT warns OpenClaw can inflict nasty wounds
Summary
China’s National Computer Network Emergency Response Technical Team (CERT) has warned that the agentic AI tool OpenClaw has extremely weak default security and multiple attack vectors. The advisory highlights risks including malicious instructions embedded in web pages, poisoned plugins, vulnerabilities that can lead to credential theft, and the possibility of users accidentally deleting important data. CERT recommends isolating OpenClaw in containers, keeping its management port off the public internet, enforcing strict authentication and access control, disabling automatic updates and restricting plugin access. The warning arrives amid rapid uptake in China and reports that some government agencies and state banks have moved to ban its use.
Key Points
- OpenClaw’s default configuration is described as extremely weak and easily abused.
- Attackers can embed malicious instructions in web pages to manipulate the agentic tool.
- Poisoned plugins for OpenClaw pose a direct risk to users and systems.
- Several severe vulnerabilities have already been disclosed that can enable credential theft and follow-on attacks.
- User error with OpenClaw can result in deletion of important data.
- CERT’s mitigations: isolate OpenClaw in containers, keep its management port off the public internet, enforce strict authentication and access control, disable auto-updates and limit plugin access.
- Analyst firm Gartner previously called OpenClaw an “unacceptable cybersecurity risk” for business users, advising isolated non-production VMs and throwaway credentials.
- One-click deployments from major cloud providers (for example Tencent’s Work Buddy) have driven a surge in downloads and exposure.
- Local reports indicate some government agencies and state-run banks have banned OpenClaw.
Context and relevance
This is important for anyone running or evaluating agentic AI tools. OpenClaw’s growing popularity — combined with weak defaults and easy cloud deployment — raises the chance of widespread compromise. The story reflects broader trends: increased CERT and regulator scrutiny of agentic AIs, the need for stronger sandboxing and operational controls, and the risk that convenience can outpace security.
Author style
Punchy: this isn’t idle clickbait. The CERT advisory and reports of bans make this a genuine operational risk for security teams and IT decision-makers — worth reading in full if you manage AI deployments.
Why should I read this
Look, short and blunt: if you’re using or thinking about OpenClaw (or similar agentic tools), you need to know the checklist. Defaults are rubbish, plugins can be poisoned, and simple mistakes can leak keys or delete data. The CERT advice gives practical steps you should consider immediately.
