National Industrial Information Security Development Research Center Releases Risk Warning Notice on OpenClaw Applications in Industrial Sector


On March 12, the National Industrial Information Security Development Research Center issued a risk warning bulletin regarding the application of OpenClaw in the industrial sector.

1. Basic Information

Recently, the open-source AI agent OpenClaw (commonly known as “Lobster”) has attracted widespread attention in the tech community and among the public due to its disruptive “human-computer interaction” mode. OpenClaw (formerly known as Clawdbot, Moltbot) is an open-source AI agent capable of directly controlling computers to perform customized operations based on natural language commands. It features persistent memory, proactive execution, and other technical capabilities. Its deployment in industrial design, manufacturing, and operations management is currently accelerating. However, because OpenClaw is characterized by blurred trust boundaries, multi-channel unified access, flexible large model invocation, and dual-mode persistent memory, a deployment that lacks effective permission control strategies or security audit mechanisms could be maliciously hijacked through command induction, supply chain poisoning, and other methods. This could lead to loss of control in industrial control systems, leakage of sensitive information, and other security risks, seriously endangering normal industrial production and operations.

2. Risk Analysis

The industrial sector is characterized by high data sensitivity, strong system integration, complex industrial scenarios, and strict production processes. Enterprises that apply OpenClaw to enhance productivity and optimize process management face potential risks arising from its high-privilege design, its autonomous decision-making features, and its mismatch with industrial scenarios. These risks include system overreach, sensitive information leakage, and an increased attack surface.

  1. Risk of industrial host overreach and production loss. When deploying OpenClaw on operator stations or engineer stations, high system permissions must be granted to assist in industrial control. However, OpenClaw has inherent flaws in permission management, making it prone to overreach, ignoring legitimate operator commands, and issuing erroneous or abnormal instructions. This can directly interfere with production processes, disrupt device operation logic, cause parameter chaos, production line shutdowns, equipment damage, and even safety accidents.

  2. Risk of leakage of industrial sensitive information. Multiple plugins compatible with OpenClaw have been identified as malicious or potentially risky. If industrial enterprises use OpenClaw with infected malicious plugins and lack security protections, attackers could exploit these plugins to steal core secrets such as industrial drawings and API keys. Additionally, because its understanding of commands is unstable, OpenClaw may misinterpret instructions and intentions, leading to incorrect data exports or content publishing. It may then use its system permissions to publish critical process parameters and production data, which are normally kept isolated, directly online.

  3. Expansion of attack surface and amplification of attack effects. If enterprises do not modify default network listening configurations during deployment and lack effective boundary protections, OpenClaw management interfaces could be exposed directly to the internet. Attackers can quickly discover these interfaces through network reconnaissance and, by exploiting over 80 known vulnerabilities, conduct targeted, low-cost attacks to gain control. Since OpenClaw can execute scripts, invoke tools, and access networks, once compromised it could serve as an automated attack assistant for internal network asset discovery, vulnerability exploitation, lateral movement, and persistent control, thereby amplifying attack impact.

3. Recommendations

Industrial enterprises are advised to follow relevant requirements such as the “Industrial Control System Network Security Protection Guidelines” and the “Industrial Internet Security Classification and Grading Management Measures,” and refer to the “Six Do’s and Six Don’ts” published by the Ministry of Industry and Information Technology’s cybersecurity threat and vulnerability information sharing platform (NVDB). Security measures should be strengthened during deployment and application of OpenClaw.

  1. Strengthen access control management. Granting system-level permissions to OpenClaw is generally prohibited, so that it has no direct access to operating system management rights, command execution capabilities, or critical system resources. If such permissions are necessary, they should be granted only after thorough security assessment and approval, with strict scope limitations. Continuous security monitoring and auditing of the agent’s operation should be implemented to prevent abnormal control over files, system commands, and network resources.

  2. Reinforce network boundary isolation. OpenClaw should be deployed in an isolated environment, strictly separated from industrial control networks. Default management ports (such as Web UI, API interfaces) should not be exposed directly to the internet. Remote access should be managed via enterprise VPNs, Zero Trust Network Access (ZTNA), or jump servers.

  3. Ensure timely patching and updates. Use official channels to download and deploy the latest stable versions, enable automatic update notifications, and promptly install security patches. Before upgrading, back up data; after upgrading, restart services and verify patch effectiveness. Plugin sources should be strictly controlled, installing only signed and trusted extensions from verified sources.

(Source: Jiemian News)
