MIIT NVDB: "Six Do's and Six Don'ts" Recommendations for Preventing Security Risks of OpenClaw ("Lobster") Open-Source Intelligent Agents

On March 11, the Ministry of Industry and Information Technology’s Cybersecurity Threats and Vulnerabilities Information Sharing Platform (NVDB) organized intelligent agent providers, vulnerability collection platform operators, cybersecurity companies, and others to research and propose the “Six Musts and Six Don’ts” recommendations regarding security risks in typical “Lobster” application scenarios.

1. Security Risks in Typical Application Scenarios

(1) Main Risks in Intelligent Office Scenarios: Supply chain attacks and internal network infiltration

1. Scenario Description: Deploying “Lobster” within enterprises to connect with existing management systems, enabling intelligent data analysis, document processing, administrative management, financial assistance, and knowledge management.

2. Security Risks: Introducing malicious plugins or “skill packs” can trigger supply chain attacks; lateral network spread can lead to sensitive information leaks or loss in connected systems, databases, etc.; lack of auditing and traceability mechanisms increases compliance risks.

3. Countermeasures: Deploy on isolated network segments, separate from critical production environments; prohibit use of unapproved “Lobster” agents within internal networks; conduct thorough security testing before deployment; grant minimal permissions during deployment; prevent cross-segment, cross-device, or cross-system access unless necessary; retain complete operation and runtime logs to meet audit and compliance requirements.

(2) Main Risks in Development and Operations Scenarios: Sensitive information leakage and hijacking of system devices

1. Scenario Description: Deploying “Lobster” by enterprises or individuals to convert natural language into executable commands, assisting with coding, code execution, device inspection, configuration backups, system monitoring, and management processes.

2. Security Risks: Unauthorized execution of system commands; device hijacking via network attacks; exposure of system account and port information leading to external attacks or password brute-force; leakage of network topology, account credentials, API interfaces, and other sensitive data.

3. Countermeasures: Avoid deploying directly in production environments; prefer running in virtual machines or sandboxes; conduct security testing prior to deployment; grant only necessary minimal permissions; establish blacklists for high-risk commands; implement manual approval for critical operations.

(3) Main Risks in Personal Assistant Scenarios: Personal information theft and sensitive data leakage

1. Scenario Description: Accessing locally deployed “Lobster” via personal instant messaging apps for personal information management, daily affairs, digital asset organization, and serving as a knowledge, entertainment, and lifestyle assistant.

2. Security Risks: Excessive permissions allowing malicious reading, writing, or deleting of files; network attacks when connected to the internet; prompt injection leading to execution of dangerous commands or takeover of the agent; plaintext storage of keys and sensitive data risking leaks or theft.

3. Countermeasures: Strengthen permission management; restrict access to necessary directories; prohibit access to sensitive directories; prefer encrypted channels for access; block unnecessary internet access; disable high-risk commands or require secondary confirmation; store API keys, configuration files, and personal data encrypted.

(4) Financial Trading Scenarios: Risks of erroneous transactions or account hijacking

1. Scenario Description: Deploying “Lobster” in enterprises or individually to call financial application interfaces, enabling automated trading, risk control, improving quantitative trading, intelligent research, and asset management; functions include market data collection, strategy analysis, and trade execution.

2. Security Risks: Memory poisoning causing incorrect trades; identity bypass leading to unauthorized account control; malicious plugins stealing trading credentials; lack of circuit breakers or emergency mechanisms causing agent to malfunction and place frequent orders.

3. Countermeasures: Implement network isolation and least privilege; close unnecessary internet ports; establish manual review and circuit breaker mechanisms; add secondary confirmation for critical operations; strengthen supply chain review, use official components, and regularly patch vulnerabilities; enforce full-chain audit and security monitoring to detect and respond to risks promptly.

4. Recommendations for Secure Usage

(1) Use the latest official version. Download from official channels, enable automatic update notifications; back up data before upgrading; restart services after updates and verify patches are effective. Do not use third-party or outdated versions.

(2) Strictly control internet exposure. Regularly check for internet-facing instances; take immediate offline and rectify if found. Do not expose “Lobster” agents directly to the internet; if necessary, use SSH or other encrypted channels, restrict source IPs, and use strong passwords, certificates, or hardware keys for authentication.

(3) Follow the principle of least privilege. Grant only necessary permissions for tasks; implement secondary confirmation or manual approval for critical actions like file deletion, data transmission, or system configuration changes. Prefer running in containers or VMs to isolate permissions; avoid deploying with administrator accounts.

(4) Use skill marketplaces cautiously. Review “skill pack” code before installation; avoid packages requiring “download ZIP,” “execute shell scripts,” or “input passwords.”

(5) Prevent social engineering and browser hijacking. Use browser sandboxes, web filters, and extensions to block suspicious scripts; enable logging and audit; disconnect and reset passwords immediately if suspicious activity is detected; avoid visiting unknown sites or clicking on unfamiliar links or documents.

(6) Establish long-term security mechanisms. Regularly patch vulnerabilities; stay updated with official security alerts and risk warnings from platforms like the Cybersecurity Threats and Vulnerabilities Information Sharing Platform; combine with cybersecurity tools and mainstream antivirus software for real-time protection; do not disable detailed logging and auditing.

Appendix: Security Baselines and Configuration References

1. Agent Deployment

Create a dedicated OpenClaw user, avoid using sudo group:

sudo adduser --shell /bin/rbash --disabled-password clawuser

Log in with this dedicated user.

Create restricted command directories, disable commands like rm, mv, dd, format, powershell:

sudo mkdir -p /home/clawuser/bin

sudo ln -s /bin/ls /home/clawuser/bin/ls

sudo ln -s /bin/echo /home/clawuser/bin/echo

Set PATH to only include /home/clawuser/bin and make it read-only, e.g., in /etc/profile.d/restricted_clawuser.sh:

echo ‘if [ “$USER” = “clawuser” ]; then export PATH=/home/clawuser/bin; readonly PATH; fi’ | sudo tee /etc/profile.d/restricted_clawuser.sh

sudo chmod 644 /etc/profile.d/restricted_clawuser.sh

Disable root login:

sudo sed -i ‘s/^#\PermitRootLogin.*/PermitRootLogin no/’ /etc/ssh/sshd_config

sudo systemctl restart sshd

2. Restrict Internet Access

(1) Linux Server Configuration

Create custom chain:

sudo iptables -N ALLOWED_IPS

Add allowed IPs (replace with actual IPs):

sudo iptables -A ALLOWED_IPS -s 192.168.1.100 -j ACCEPT

sudo iptables -A ALLOWED_IPS -s 10.0.0.5 -j ACCEPT

sudo iptables -A ALLOWED_IPS -s 172.24.57.160 -j ACCEPT

sudo iptables -A ALLOWED_IPS -j RETURN

Apply to SSH and other ports:

sudo iptables -A INPUT -p tcp --dport 22 -j ALLOWED_IPS

sudo iptables -A INPUT -p tcp --dport 17477 -j ALLOWED_IPS

Additionally, block or whitelist other ports such as Telnet (23), Windows file sharing (135, 137-139, 445), RDP (3389), remote desktop (5900-5910), database ports (3306, 5432, 6379, 27017).

(2) VPN Access Configuration

Bind OpenClaw Gateway to 127.0.0.1, do not bind directly to 0.0.0.0.

Close port 18789:

sudo ufw deny 18789

Require VPN connection and Gateway authentication (set in openclaw.json with gateway.auth.mode: “token” and strong tokens).

3. Enable Detailed Logging

Start with debug level:

openclaw gateway --log-level debug >> /var/log/openclaw.log 2>&1

4. Filesystem Access Control

In Docker deployment, mount critical directories as read-only using volumes, only allow /workspace to be writable.

On host system, set permissions:

sudo chmod 700 /path/to/your/workspace

5. Third-party Skill Review

Before installing, run:

openclaw skills info

Review ~/.openclaw/skills//SKILL.md for malicious commands (e.g., curl, bash).

Prefer built-in 55 skills or community lists (e.g., awesome-openclaw-skills).

6. Security Self-Check

Regularly run:

openclaw security audit

Address any vulnerabilities such as gateway authentication exposure or browser control issues according to the security baseline, official documentation, and alerts.

7. Version Updates

Update with:

openclaw update

8. Uninstallation

In terminal, run:

openclaw uninstall

Use mouse to select options, confirm with Enter, choose “yes” to delete OpenClaw directories.

Uninstall npm package:

npm rm -g openclaw

or

pnpm remove -g openclaw

or

bun remove -g openclaw

Source: CCTV.com

Risk Warning and Disclaimer

Market risks exist; investments should be cautious. This article does not constitute personal investment advice and does not consider individual user’s specific investment goals, financial situation, or needs. Users should evaluate whether the opinions, views, or conclusions herein are suitable for their circumstances. Investment is at your own risk.