China’s Ministry of Industry and Information Technology (MIIT)-run National Vulnerability Database (NVDB) published formal safety guidelines for OpenClaw on March 11, 2026 — the first official government framework for safe AI agent deployment.
The Six Dos
- Use the official latest version of OpenClaw from the verified GitHub repository
- Minimize internet exposure — avoid exposing agent instances to the public internet
- Grant minimum permissions — only enable the access the agent actually needs
- Exercise caution with third-party skills — the skill marketplace contains unvetted offerings
- Guard against browser hijacking — the “ClawJacked” vulnerability demonstrated real risks
- Regularly check for patches — OpenClaw releases security fixes frequently
The Six Don’ts
- Don’t use outdated or mirror versions — unofficial builds may contain malware
- Don’t expose instances to the internet — over 40,000 exposed instances were found in February
- Don’t enable administrator accounts during deployment
- Don’t install skill packs requiring password entry
- Don’t browse unverified websites while the agent is active
- Don’t disable detailed log auditing
Industry Collaboration
The advisory was developed collaboratively with AI agent providers, vulnerability platform operators, and cybersecurity firms. It addresses risks across typical OpenClaw use cases and reflects lessons learned from the wave of security incidents in February 2026.
Services like OpenClaw Launch implement many of these recommendations by default — instances run in isolated containers with restricted permissions and are never directly exposed to the public internet.