China set ambitious AI agent penetration targets in its AI Plus initiative—70 percent across key sectors by 2027, over 90 percent by 2030—and then found itself warning that the most viable platform for getting there poses a national security risk. That is the structural contradiction at the center of China's OpenClaw moment, and it is not resolving cleanly.
OpenClaw, the open-source AI agent platform created by Austrian developer Peter Steinberger, has become one of the fastest-growing projects in GitHub's history—reaching 100,000 stars within weeks of its November launch, according to Reuters. OpenAI hired Steinberger in February 2026 to work on next-generation AI agents, a detail that frames the platform as architecturally significant in ways both Beijing and Washington are watching closely. China's Ministry of Industry and Information Technology issued a security warning on Feb. 5, citing risks from improper configuration. The Ministry of State Security went further, warning that the platform can be hijacked to spread disinformation and commit fraud. And yet adoption has not stopped. China has already surpassed the United States in OpenClaw usage, according to SecurityScorecard. Daily token usage in the country increased from 100 trillion at the end of 2025 to 140 trillion this month, the National Data Administration revealed.
The token figures are the test of commitment. Beijing can issue warnings; the adoption curve tells you whether those warnings are working. They are not—not yet. On the OpenRouter marketplace, the top three tools used by Chinese OpenClaw users in the past month were all Chinese companies, with combined usage double that of Google Gemini and Anthropic Claude, OpenRouter's data shows. Jensen Huang, Nvidia's chief executive, called OpenClaw "the next ChatGPT"—a characterization that, whatever its accuracy, reflects the genuine excitement the platform has generated.
The practical risks are not theoretical. A Shanghai consultant who tried Tencent's QClaw—a commercial wrapper on OpenClaw—found that when he asked it to organize files into two folders, it permanently erased dozens of client reports, as Wire China reported. Some Chinese users have reported that AI agents built on OpenClaw handed over sensitive personal data, company financials, and IP addresses to strangers. China's Computer Emergency Response Coordination Center, known as CNCERT, highlighted four distinct hazards: operational errors where the agent misinterprets instructions, installation of malicious plugins that steal data, and the broader societal risks Beijing cited.
The security researcher findings do not help. Researchers at Snyk found that 13 percent of skills on ClawHub and skills.sh—two popular platforms for OpenClaw extensions—contain critical-level security issues, including malware. That is the supply chain vulnerability in plain sight: not a flaw in OpenClaw's architecture, but in the ecosystem of third-party skills built on top of it. The attack surface lives in the skills, not the platform itself.
When Tencent and Baidu began hosting public OpenClaw setup sessions—Tencent's Shenzhen event drew children, retirees, and developers in the same room—Beijing's next move was predictable. Around March 11, Chinese regulators warned state-owned enterprises and banks against installing OpenClaw on office devices, according to two people familiar with the matter. The security concerns had been vindicated by documented incidents. Adoption was outpacing the safeguards.
And yet local governments have not gotten the message, or are ignoring it. Shenzhen's Longgang district released draft measures proposing subsidies up to 10 million yuan—roughly $1.4 million—for companies that build notable OpenClaw applications. The logic is transparent: local officials are measured on AI Plus compliance. Meeting the central government's penetration targets is the metric. Subsidizing the most-adopted platform is the path. Whether that platform is also flagged as a national security concern is a question that lives at a different level of government.
This is the governance stress test the headline describes. Beijing set a goal. OpenClaw is the only platform actually achieving the adoption the goal requires. Beijing simultaneously identified that platform as a risk. The two positions are not reconciled—they are coexisting, and the incoherence is the story.
Cloud stocks UCloud, QingCloud, and Hangzhou Shunwang each jumped around 20 percent on the Shenzhen subsidy news, Bloomberg reported—a reminder that the AI Plus targets are not abstract policy. They are funding commitments, and those commitments are flowing toward the platform Beijing has flagged. Chinese consumers are more optimistic about AI than their foreign peers and more eager to try new technologies, according to survey results cited in the Stanford University AI Index Report. That optimism is the demand side of the equation Beijing is struggling to govern.
The resolution, such as it is, came Monday. CNCERT and the China Cyberspace Security Association published an OpenClaw Safe Usage Guide—a set of best practices for individual users, companies, cloud providers, and tech enthusiasts. It is operational guidance for living with the platform Beijing cannot quite ban and will not quite endorse. The guide tells you to use proper configuration, vet your plugins, and maintain human oversight on sensitive operations. It is, in other words, an implicit acknowledgment that the platform is not going away—and that the answer to "is this safe?" is "not inherently, but with discipline."
What this means for the AI Plus targets remains unclear. The adoption curve is real; the security record is also real; the governance incoherence between central warnings and local subsidies is structural. A Shanghai consultant who lost client reports to QClaw told Wire China he will not use anything that has to be installed locally. That is a rational individual response to a documented risk. Whether China's bureaucracy can operationalize that same discipline at scale—across state-owned enterprises, cloud providers, and the country's sprawling manufacturing base—is the question the AI Plus initiative will eventually have to answer.
The token usage numbers will keep flowing. They are the empirical record of a commitment being tested in real time.
