On March 10, 2026, China's National Computer Network Emergency Response Technical Team (CNCERT) issued a formal security advisory about OpenClaw. The timing was pointed: OpenClaw's "raise a lobster" craze had driven adoption to over 200,000 active installations across China, with state-run enterprises, local governments, and millions of consumers deploying the agent on personal and corporate systems. CNCERT identified four categories of vulnerability. State-run enterprises were subsequently barred from using the software.
The advisory matters beyond the immediate China context because the vulnerabilities it identifies are not bugs in OpenClaw specifically — they are structural risks inherent to the local-first AI agent architecture that OpenClaw, PicoClaw, ZeroClaw, and similar frameworks all share.
The Four Vulnerability Categories
1. Prompt Injection via Messaging Interfaces
OpenClaw's architecture routes user messages from chat platforms through the gateway daemon to the agent runtime. The agent runtime constructs a prompt that includes the user's message, available tools, and conversation history, then sends it to the LLM. The LLM's response may include tool calls that execute on the user's machine.
The attack surface is the gap between "text that the user intended as a message" and "text that the LLM interprets as instructions." If an attacker can inject content into the agent's context — through a shared group chat, a forwarded message, or content that the agent retrieves from the web — that content can potentially override the agent's system prompt and trigger tool calls the user did not intend.
This is not a novel vulnerability. Prompt injection has been a known risk since the first LLM-powered applications. What makes it more consequential in OpenClaw's architecture is the scope of what a successful injection can trigger: the agent has access to the local file system, shell execution, email, calendar, and every MCP skill the user has configured.
2. Data Exfiltration via Link Previews
CNCERT and subsequent security research from The Hacker News identified a specific exfiltration vector: when the agent generates a response containing a URL, messaging platforms like Telegram automatically generate a link preview by fetching the URL. An attacker who can control the URL the agent produces (via prompt injection or a compromised MCP server) can encode sensitive data from the agent's context into URL parameters that are then sent to an attacker-controlled server when the messaging platform fetches the preview.
This is a cross-system vulnerability: the agent, the messaging platform, and the external server interact in a way that none of them individually considers problematic. The agent is generating text. The messaging platform is rendering a preview. The server is receiving a GET request. The exfiltration happens in the interaction between these behaviors.
Attacker injects prompt → Agent generates URL with encoded data
↓
Telegram fetches URL for link preview
↓
Attacker's server receives data in URL params
3. Malicious ClawHub Skills
ClawHub, the community-maintained registry of MCP servers for OpenClaw, has over 3,200 entries. The security review process for these entries is — as of the CNCERT advisory — minimal. An attacker can publish an MCP server that appears to provide a legitimate service but includes tool implementations that exfiltrate data, modify files, or establish persistence on the user's system.
This is analogous to supply chain attacks on package managers like npm or PyPI, but with an additional dimension: MCP servers are invoked by the LLM based on the tool descriptions in their manifests. A malicious server can describe its tools in ways that make the LLM more likely to call them, effectively social-engineering the model into executing the attacker's code.
4. Accidental Data Deletion and System Modification
OpenClaw's agent has access to local file operations and shell execution by default. When the agent makes an error — misunderstanding a user's intent, hallucinating a file path, or incorrectly interpreting an ambiguous instruction — the consequences are applied to real files on the real system. CNCERT documented cases of users who lost data because the agent deleted files based on misunderstood instructions.
This category is less about malicious attacks and more about the inherent risk of giving an AI agent write access to a real system without adequate guardrails. The default OpenClaw configuration does not enforce workspace isolation or require user confirmation for destructive operations.
Vulnerability Severity Assessment
| Vulnerability | Attack Vector | Impact | Mitigation Difficulty |
|---|---|---|---|
| Prompt injection | Shared chats, web content, forwarded messages | Full agent capability hijack | High — fundamental LLM limitation |
| Link preview exfiltration | Injected URLs in agent responses | Silent data theft | Medium — disable previews, URL filtering |
| Malicious MCP skills | Supply chain via ClawHub | Arbitrary code execution | Medium — review process, sandboxing |
| Accidental data operations | Agent misinterpretation | Data loss, system modification | Low — confirmation prompts, workspace scoping |
What This Means for the Local-First Agent Model
The CNCERT advisory is significant not because OpenClaw is uniquely vulnerable, but because it forces a conversation about the security properties of local-first AI agents in general. The same architectural pattern — LLM reasoning connected to local system access via tool calls — appears in PicoClaw, ZeroClaw, and every custom agent built on similar principles.
The privilege problem. Local-first agents run with the user's permissions. Any tool call the agent makes has the same system access as the user. This is the source of their power (they can do anything the user can do) and their risk (they can do anything the user can do, even if the user did not intend it). Cloud-hosted agents like Manus run in sandboxed environments where the blast radius of an error or attack is contained. Local-first agents do not have this containment by default.
The trust boundary problem. In a local-first agent, the trust boundary between "data the agent should act on" and "data the agent should treat as untrusted input" is undefined. When the agent reads an email, browses a web page, or processes a message from a group chat, the content enters the agent's context alongside the user's instructions. The LLM does not have a reliable mechanism for distinguishing between them.
The ecosystem trust problem. MCP's power as an extensibility mechanism — any developer can publish a server that any agent can use — is also a security liability when the ecosystem lacks robust review processes. The npm ecosystem took years to develop effective malware detection for package registries. The MCP skill ecosystem is younger and less mature.
How the Ecosystem Is Responding
The response to the CNCERT advisory has been substantive on several fronts:
OpenClaw's maintainers are working on a permissions model that requires explicit user confirmation for destructive operations and supports workspace-scoped file access rather than full system access.
ZeroClaw launched with these security properties as first-class design goals: deny-by-default allowlists, filesystem scoping, encrypted secrets, and sandbox controls. The project explicitly positions itself as the security-conscious alternative.
ClawHub is implementing a review process for skill submissions, though the scale of the registry (3,200+ entries) makes comprehensive review challenging.
Anthropic's MCP specification work through the Agentic AI Foundation is beginning to address server authentication and capability attestation, though these features are not yet in the stable specification.
Practical Guidance for Local-First Agent Users
The risks identified by CNCERT are real, but they are manageable with appropriate caution:
- Scope file access. Configure workspace isolation so the agent can only access designated directories, not your entire home directory.
- Review MCP skills. Before installing a ClawHub skill, inspect its source code and verify the publisher. Prefer skills with substantial community adoption and review.
- Disable link previews in your messaging client when using OpenClaw, or configure the agent to avoid generating clickable URLs.
- Avoid group chats. Do not add your OpenClaw agent to group chats where other participants could inject adversarial content into the agent's context.
- Back up critical data. Until agent confirmation prompts are implemented, ensure that files the agent has access to are backed up.
The local-first agent model is powerful precisely because it operates on real systems with real access. That power requires proportional caution. The CNCERT advisory is a useful forcing function for the ecosystem to mature its security posture, not a reason to abandon the model.
References
- CNCERT OpenClaw security advisory (March 10, 2026)
- China Daily, "CNCERT issues OpenClaw security warning" (March 13, 2026)
- The Hacker News, "OpenClaw AI Agent Flaws Could Enable Data Exfiltration" (March 14, 2026)
- Giskard, "OpenClaw Security Vulnerabilities Include Data Leakage and Prompt Injection Risks"
- Tom's Hardware, "OpenClaw AI agent craze sweeps China as authorities seek to clamp down" (March 2026)
- CloudBees, "OpenClaw Is a Preview of Why Governance Matters More Than Ever"