China’s government agencies and state-owned enterprises are being told to uninstall OpenClaw from their office computers. Notices issued in recent days — reported by Bloomberg — instruct banks, SOEs, and government bodies to check for existing installations, report them for security review, and remove the software from corporate devices. Some directives extend to personal phones connected to corporate networks.
The restrictions come at the peak of what Chinese media has called “OpenClaw mania” — a wave of adoption so intense it’s been compared to the iPhone’s arrival.
The Paradox: Ban It and Build on It
Here’s what makes this story unusual. China isn’t rejecting OpenClaw — it’s trying to contain it.
On one side, regulators are locking down state sector devices. On the other, Beijing’s “AI Plus” plan is actively subsidizing OpenClaw-compatible development. Local governments are offering incentives. Tencent, Alibaba, Baidu, JD.com, MiniMax, and Zhipu have all released tools that integrate with or build on OpenClaw’s architecture.
Tencent had its best single-day stock gain in a year on the back of its OpenClaw-compatible tooling announcement. MiniMax and Zhipu saw their stocks drop 6%+ when the restriction notices leaked.
The message from Beijing is nuanced: build with it, but don’t let it near state secrets.
Why the Security Concerns Are Real
OpenClaw’s design is exactly what makes it powerful — and exactly what makes security teams nervous:
- Broad data access — an OpenClaw agent can read files, access calendars, manage emails, and interact with messaging platforms. In a government setting, that’s a direct pipeline to sensitive information.
- External communication — agents can make API calls, send messages, and interact with external services. For a state enterprise handling trade secrets or policy drafts, every outbound connection is a potential leak.
- Prompt injection — adversarial inputs embedded in documents, emails, or web pages can hijack agent behavior. China’s CERT has flagged this repeatedly.
- Supply chain risk — the ClawHub skill registry has already seen malicious packages (the ClawHavoc campaign found 800+ compromised skills). Installing a skill from an untrusted source is functionally equivalent to running arbitrary code on your machine.
- Open-source transparency cuts both ways — anyone can audit the code, but anyone can also study it for attack surfaces.
These aren’t hypothetical. Microsoft published enterprise security guidance for OpenClaw deployments in February. The 30,000+ internet-exposed instances found without authentication demonstrate that many deployments aren’t locked down.
The Self-Hosted Irony
The irony is that OpenClaw’s architecture actually addresses the core concern better than most alternatives.
Cloud-based AI assistants send your data to someone else’s servers. OpenClaw runs locally. A properly configured OpenClaw deployment — with auth enabled, skills audited, and network access restricted — keeps data on-premises by design. It’s the one AI assistant where the government could maintain full data sovereignty.
But “properly configured” is doing a lot of work in that sentence. The gap between OpenClaw’s security potential and its security reality — especially in rapid, unmanaged rollouts — is exactly what Chinese regulators are responding to.
What This Means for Enterprise Adoption
China’s restrictions are a leading indicator, not an outlier. Every enterprise security team evaluating AI agents faces the same questions:
- What data can the agent access? OpenClaw’s permission model is broad by default. Enterprises need to scope it down.
- What can the agent communicate externally? Network-level controls matter as much as application-level ones.
- Who audited the skills? The skill supply chain is the largest attack surface.
- Is there human-in-the-loop oversight? ClawBands and similar guardrail tools exist for a reason.
The U.S. government hasn’t issued similar restrictions — yet. But the Pentagon’s recent designation of Anthropic as a supply chain risk and Microsoft’s Red Report 2026 flagging AI agent exploitation suggest the conversation is heading in the same direction.
The Bottom Line
China restricting OpenClaw in government settings doesn’t mean the technology is dangerous. It means the technology is powerful enough to require governance.
The same week these restrictions went out, Chinese companies collectively invested hundreds of millions in OpenClaw-compatible infrastructure. The technology isn’t going away. The question — in China and everywhere else — is whether organizations can secure it as fast as they deploy it.
For self-hosters: this is a reminder to run the security hardening checklist. Auth enabled, skills audited, network scoped, updates applied. The basics matter more than ever.