OpenClaw Banned: Which Governments and Companies Have Restricted It, and Why

The bans are real

The headlines started in early 2026, and they have not slowed down. Multiple governments and large organizations have moved to restrict or outright ban OpenClaw on work devices. Here is a timeline of the major actions so far.

China’s National Internet Finance Association (NIFA) published a formal alert urging financial institutions to prohibit OpenClaw installations on any device connected to corporate networks. The concern centers on data leakage through unvetted third-party skills that could exfiltrate sensitive financial records to external servers.

CNCERT (China’s National Computer Network Emergency Response Technical Team) followed up with a broader security warning directed at government agencies and critical infrastructure operators. Their advisory specifically flagged OpenClaw’s default configuration as dangerously permissive, noting that agents running with unrestricted tool access could read, modify, or transmit files without adequate user oversight.

Bloomberg reported that several major banks and government agencies in the US and Europe have issued internal policies prohibiting employees from installing OpenClaw on company-managed hardware. These organizations cited shadow IT concerns and the inability to audit what skills employees were running or what data those skills could access.

Microsoft’s security team published an advisory documenting attack vectors in OpenClaw deployments, including skill-based prompt injection and credential harvesting through malicious ClawHub packages. Cisco Talos released a companion report confirming active exploitation in the wild.

To top it off, security researchers identified over 42,000 OpenClaw instances exposed directly to the public internet with no authentication layer. Many of these were running on corporate networks.

Why organizations are banning it

The bans are not arbitrary. They stem from four specific risks that are difficult to mitigate in a corporate environment.

1. Data leakage through skills

OpenClaw skills can read local files, access clipboard contents, and interact with APIs. A skill that appears to summarize documents could also quietly send those documents to a remote endpoint. In a corporate setting, this means proprietary code, financial data, client records, or internal communications could leave the network without anyone noticing.

Unlike traditional software that goes through procurement and security review, OpenClaw skills are installed by individual users with a single command. IT teams have no visibility into what skills are active or what data they touch.

2. Unvetted and malicious skills

The ClawHavoc campaign proved that malicious skills can slip onto ClawHub and persist for weeks before detection. Over 340 poisoned skills were identified, some designed to harvest API keys and credentials from the host machine.

Corporate security teams cannot reasonably audit every skill an employee might install. The ClawHub ecosystem currently lacks the kind of code signing, review process, or trust chain that enterprise software requires.

3. API key and credential exposure

OpenClaw stores API keys in plaintext configuration files by default. On a shared workstation or a device managed by MDM software, these credentials are accessible to anyone with file system access. Worse, a compromised skill can read those keys and forward them silently.

In environments where employees connect to production databases, cloud infrastructure, or financial systems, an exposed API key is not a theoretical risk. It is a direct path to a breach.

4. Shadow IT and compliance gaps

From a compliance perspective, OpenClaw is a nightmare for regulated industries. When employees install it without IT approval, the organization has no audit trail for what the agent did, what data it accessed, or what external services it contacted. For companies subject to SOC 2, HIPAA, GDPR, or financial regulations, this is a non-starter.

IT departments cannot enforce policies on software they do not know exists. OpenClaw’s lightweight installation process means an employee can have it running in minutes without triggering any endpoint detection.

An honest risk assessment

Not every OpenClaw deployment is a disaster waiting to happen. The risk profile depends heavily on how it is configured and what it has access to.

High risk: Running OpenClaw on a work device connected to corporate networks, with access to production credentials, using unvetted skills from ClawHub. This is the scenario that prompted the bans, and the risk is real.

Moderate risk: Running OpenClaw on a personal device for personal tasks, with skills limited to those you have reviewed yourself. The main concern here is a supply-chain attack through a compromised skill update.

Lower risk: Running OpenClaw on an isolated machine with no access to sensitive data, using only locally developed skills, behind a properly configured gateway. This is achievable, but it requires deliberate setup.

The core issue is not that OpenClaw is inherently dangerous. It is that the default configuration assumes a level of trust that does not exist in enterprise environments. Most users never change the defaults.

If you use OpenClaw at work: how to do it safely

If your organization has not banned OpenClaw and you have approval to use it, these steps will significantly reduce your risk.

Run it on an isolated network segment

OpenClaw should never run on the same network as production systems or sensitive data stores. Set up a dedicated VLAN or use a separate physical network. If your agent cannot reach your production database, a compromised skill cannot exfiltrate data from it.

Use a dedicated device

Do not install OpenClaw on your primary work machine. Use a dedicated laptop, a virtual machine, or a containerized environment. This limits the blast radius if something goes wrong. A compromised skill on an isolated VM cannot access your email, your SSH keys, or your browser sessions.

Approve skills through a formal review process

Maintain an internal allowlist of approved skills. Every skill should be reviewed by someone with security expertise before it touches a work environment. Do not pull skills directly from ClawHub without inspection. Clone the skill repository, audit the code, and host it internally.

Enable audit logging

Turn on full audit logging and ship those logs to your SIEM. Every skill execution, every file access, every network request should be recorded. If you cannot answer the question “what did the agent do at 2:14 PM on Tuesday,” your logging is insufficient.

For a complete hardening walkthrough, follow the OpenClaw Security Checklist.

Rotate credentials frequently

Any API key used by OpenClaw should be scoped to the minimum permissions necessary and rotated on a short schedule. Use short-lived tokens where possible. Never store production credentials in OpenClaw configuration files.

Enterprise alternatives worth considering

If the safety requirements above sound like too much overhead, purpose-built enterprise options exist.

NemoClaw is NVIDIA’s enterprise wrapper around OpenClaw, announced at GTC 2026. It adds built-in sandboxing, role-based access control, declarative policy enforcement, and a full audit trail. The tradeoff is vendor lock-in to NVIDIA’s Nemotron models and Linux-only support. For a detailed comparison, read NemoClaw vs OpenClaw.

OpenClaw Cloud (Managed) is the hosted version with enterprise controls baked in. It handles authentication, skill vetting, and network isolation at the platform level. You lose the self-hosted flexibility, but you gain compliance-ready infrastructure without building it yourself.

Both options cost more than running vanilla OpenClaw. Whether that cost is justified depends on what data your agents will touch and what regulations you operate under.

The bottom line

The government and corporate bans on OpenClaw are not overreactions. The combination of 42,000+ exposed instances, active malware campaigns targeting skills, a critical RCE vulnerability, and zero built-in access controls creates genuine risk for any organization handling sensitive data.

That said, OpenClaw itself is not the problem. The problem is running powerful autonomous agents without guardrails. If you configure it properly, isolate it from sensitive systems, vet every skill, and maintain audit logs, OpenClaw can be used safely in a professional setting.

The organizations issuing bans are making a rational choice: it is easier to prohibit the tool entirely than to trust every employee to configure it correctly. If you want to be the exception, the burden of proof is on you.

Start with the security checklist, understand the malicious skills landscape, and evaluate whether a managed enterprise option makes more sense for your team.

For questions about securing OpenClaw in your organization, reach out to us at info@openclawdc.com.