
China's MIIT Publishes Official Safety Guidelines for OpenClaw: Six Dos and Six Don'ts

Source: South China Morning Post

What Happened

China's Ministry of Industry and Information Technology (MIIT), through its National Vulnerability Database (NVDB), published the first official government safety guidelines for OpenClaw deployments. Developed in collaboration with AI providers, vulnerability platform operators, and cybersecurity firms, the guidelines outline six recommended practices and six explicit prohibitions. The recommended practices are using only the latest official version, minimizing internet exposure, granting minimum necessary permissions, exercising caution with third-party skills, guarding against browser hijacking, and regularly checking for patches. The prohibitions cover using outdated or third-party mirror versions, exposing instances to the internet, enabling administrator accounts during deployment, installing skills that require passwords, browsing unverified websites, and disabling log auditing.

Why It Matters

This is the first time a national government has issued formal, specific operational guidelines for an open-source AI agent framework. The MIIT's approach is notably pragmatic — rather than banning OpenClaw outright (as some enterprises and the military have done), it's attempting to create a safe-use framework that acknowledges the tool's momentum while mitigating its well-documented security risks. The guidelines effectively codify security best practices that the community has been advocating but that most users have ignored, as evidenced by the 135,000+ publicly exposed instances SecurityScorecard identified.

What's Next

These guidelines are likely a precursor to binding regulation. The MIIT had already issued warnings in February, and the progression from advisory to formal guidelines suggests enforceable rules may follow, particularly for government agencies and regulated industries. Other nations will be watching China's approach as a template — or cautionary tale — for their own AI agent governance frameworks. The key question is whether voluntary guidelines change behavior, or whether the exposed-instance count continues climbing regardless.
