On March 11, 2026, the Network Security Threat and Vulnerability Information Sharing Platform (NVDB), which operates under the Ministry of Industry and Information Technology (MIIT), published a set of ‘Six Dos and Six Don’ts’ guidelines for mitigating security risks associated with the OpenClaw (‘Longxia’) open-source agent. The guidelines address security threats that are prevalent in common application scenarios, such as intelligent office automation, development and operations (DevOps), personal assistant services, and financial transactions. These threats include supply chain attacks, sensitive data breaches, personal information theft, and erroneous transaction processing. The NVDB worked with agent providers, vulnerability management platform operators, and cybersecurity firms to draft the following recommendations:

- Do: Utilize the latest official version of the agent, enable automatic update notifications, and refrain from using third-party images or outdated versions.
- Don’t: Neglect software updates or rely on unverified sources for agent deployment.
- Do: Exercise stringent control over internet exposure, conduct regular self-assessments and remediation efforts, and avoid exposing agent instances directly to the internet. When external access is necessary, employ encrypted communication channels with restricted access controls.
- Don’t: Leave agent instances vulnerable to unauthorized access or exposure to potentially malicious networks.
- Do: Adhere to the principle of least privilege, granting permissions strictly based on business requirements. Implement secondary confirmation or manual approval processes for critical operations, and avoid deploying agents with administrator-level privileges.
- Don’t: Over-provision permissions or use privileged accounts for routine agent operations.
- Do: Exercise caution when utilizing the skill marketplace. Thoroughly review and vet code for ‘skill packages’ before downloading, and avoid those that necessitate script execution, password input, or additional downloads.
- Don’t: Blindly trust or install unverified skill packages from unknown sources.
- Do: Guard against social engineering attacks and browser hijacking attempts. Employ browser sandboxes and other security extensions to block suspicious scripts, enable comprehensive log auditing functions, and avoid visiting unfamiliar websites, clicking on unknown links, or opening untrusted documents.
- Don’t: Fall prey to phishing attempts, malicious links, or unsolicited document downloads.
- Do: Establish robust, long-term protection mechanisms. Regularly inspect and patch vulnerabilities, monitor official security bulletins and risk alerts, and combine cybersecurity tools with antivirus software for real-time threat detection and prevention. Ensure detailed log auditing functions remain enabled for forensic analysis.
- Don’t: Disable critical security features or neglect ongoing vulnerability management and monitoring efforts.