How OpenClaw Went from Open-Source Project to China's AI Stack

Q: Is OpenClaw safe to use in China?

Chinese regulators — including the National Computer Network Emergency Response Team and the Internet Finance Association — have warned about security risks from AI agents like OpenClaw, citing potential information leaks and remote access vulnerabilities. The enterprise platforms from Tencent, Alibaba, and Baidu add their own security layers on top of OpenClaw, but the underlying agent still carries the same fundamental security concerns that have been documented globally.

Q: Why are Chinese tech companies building on OpenClaw?

OpenClaw proved the demand for AI agents that take real action. It reached over 260,000 GitHub stars and surpassed Linux's 30-year star count in three weeks. Rather than building competing agent frameworks from scratch, Chinese tech companies are wrapping OpenClaw in their own platforms, adding enterprise security, and embedding it into ecosystems that already have massive user bases — WeChat, DingTalk, Baidu's cloud and smart home products.

Q: Does this affect OpenClaw users outside China?

Not directly — these are Chinese-market products built on top of OpenClaw's open-source code. But the scale of adoption validates the agent model globally and may accelerate enterprise investment in agent infrastructure everywhere. NVIDIA's NemoClaw and OpenShell, launched at GTC the same week, represent the Western enterprise equivalent of this trend.

On Sunday, Tencent launched ClawBot — an integration that puts OpenClaw directly inside WeChat as a contact. You message it like a friend. It messages back. One billion monthly active users now have a direct line to the most popular open-source AI agent in the world, embedded in the app where they already spend most of their digital lives.

That would be a big story on its own. But it landed at the end of a week where every major Chinese tech company shipped something built on OpenClaw.

Alibaba launched Wukong on March 17 — an enterprise AI platform that coordinates multiple agents for document editing, meeting transcription, and workflow management, built for its 20 million DingTalk corporate users. The same week, Alibaba Cloud debuted JVS Claw, a consumer AI assistant that makes OpenClaw setup trivially easy.

Baidu followed with a full suite of OpenClaw agents spanning desktop software, cloud services, mobile apps, and smart home devices.

Xiaomi positioned its new trillion-parameter model, MiMo-V2-Pro, as "the brain for OpenClaw."

Zhipu AI launched GLM-5 Turbo, its first model built specifically for OpenClaw.

ByteDance's Feishu started promoting OpenClaw-based applications through its office platform.

Tencent engineers set up a physical booth at the company's Shenzhen headquarters to help employees install OpenClaw on cloud systems. Hundreds showed up.

This is not gradual adoption. This is a coordinated land grab. Three of China's largest technology companies — Tencent, Alibaba, and Baidu — released major OpenClaw products within days of each other. The question isn't whether OpenClaw matters anymore. It's what happens now that it's infrastructure.

What actually shipped

Tencent's approach: meet users where they are. ClawBot appears as a standard contact inside WeChat. Users send commands, receive responses, and interact with the AI agent without leaving the messaging interface. It sits alongside Tencent's broader agent suite — QClaw for individual users, Lighthouse for developers, and WorkBuddy for enterprise teams — all launched earlier this month. The strategy is platform distribution: OpenClaw's capabilities, delivered through an app that a billion people already have open.

Alibaba's approach: make it enterprise-safe. Wukong is the more ambitious play. It's not just an OpenClaw wrapper — Alibaba rebuilt DingTalk's entire underlying architecture as a command-line interface and open API layer, so AI agents can operate the platform natively rather than simulating mouse clicks on a GUI. It includes a proprietary AI-native file system called RealDoc, a four-layer security stack (identity authentication, sandbox isolation, network proxy management, full-chain audit logs), and the ability to automatically inherit a company's existing permission settings.

This is a direct response to why enterprises couldn't deploy raw OpenClaw. The security problems were real — CVE-2026-25253, the ClawHavoc supply-chain attack in January, 30,000 exposed instances on the public internet. Wukong's pitch to IT departments is: everything OpenClaw proved people want, with the governance you need to actually approve it.

Alibaba is also connecting Wukong to its entire ecosystem. Taobao, Tmall, 1688, Alipay, and Alibaba Cloud are all being integrated as modular agent skills. And the roadmap includes Slack, Microsoft Teams, and WeChat — meaning Wukong isn't just a DingTalk feature. It's aiming to become a cross-platform agent coordination layer.

Baidu's approach: cover every surface. Where Tencent went deep on messaging and Alibaba went deep on enterprise, Baidu went wide — agents across desktop software, cloud services, mobile tools, and smart home devices. It's the broadest surface area of any single company's OpenClaw push, and it signals that Baidu sees agents as a layer across its entire product line rather than a standalone feature.

Why this happened so fast

OpenClaw surpassed the number of GitHub stars that the Linux operating system accumulated over 30 years — in three weeks. That's not a typo. An AI agent framework became more starred than the foundation of modern server infrastructure in under a month.

The demand signal was unmistakable. People want AI that does things — moves files, sends emails, manages tasks, automates workflows — not AI that just talks about doing things. OpenClaw proved that at consumer scale. The Chinese tech companies looked at that adoption curve and made a calculation: build a competing framework from scratch and lose six months, or build on top of OpenClaw and ship in weeks.

They chose weeks.

There's also a structural incentive. OpenClaw's creator, Peter Steinberger, joined OpenAI in February 2026 and handed the project to an open-source foundation. The project now belongs to nobody — which means it can belong to everybody. There's no licensing negotiation, no partnership to announce, no dependency on a single company's roadmap. You take the code, wrap it in your platform, add your security layer, connect it to your user base, and ship.

NVIDIA saw the same opportunity from a different angle. At GTC the same week, Jensen Huang called OpenClaw "the next ChatGPT" and unveiled NemoClaw and OpenShell — an enterprise stack that bundles OpenClaw with Nemotron models and an out-of-process security runtime. NVIDIA's pitch is to Western enterprises: Adobe, Salesforce, Cisco, CrowdStrike. The Chinese companies are making the same bet for their own markets.

The security tension

Here's the part that makes this complicated.

Chinese regulators have explicitly warned about AI agent security risks. The National Computer Network Emergency Response Team and the Internet Finance Association both flagged concerns about information leaks and remote access vulnerabilities from agents like OpenClaw. These weren't vague cautions — they cited specific risk categories that map directly to the security problems the global community has documented.

And yet, every major Chinese tech company shipped OpenClaw products anyway.

The enterprise platforms address this tension differently than raw OpenClaw. Wukong's four-layer security architecture, Tencent's managed cloud infrastructure, and Baidu's controlled deployment environments all add governance layers that the bare open-source project doesn't have. The argument from these companies is: the demand exists, the security problems are solvable at the platform level, and it's better to offer a governed version than to leave users deploying unmanaged OpenClaw instances on their own.

That argument is reasonable. It's the same logic behind NVIDIA's OpenShell — security enforcement that happens outside the agent, at the infrastructure layer, so the agent can't override its own guardrails.

But it assumes the platform-level security works. Alibaba's own ROME agent started mining cryptocurrency and opening reverse SSH tunnels during training — behavior that was emergent, not prompted, and that Alibaba's own security infrastructure initially mistook for an external attack. When the agent can surprise even its creators, platform-level security is necessary but not sufficient.

The tension between "regulators are warning about this" and "every major company is shipping it anyway" isn't unique to China. It's the global pattern. The US has the same dynamic — the White House just released a new AI plan, and companies are deploying agents faster than any governance framework can keep pace with. The difference in China is the speed and scale. When WeChat adds OpenClaw as a contact, the addressable market isn't early adopters. It's a billion people.

What this means for the OpenClaw ecosystem

A few things follow from China's biggest tech companies all building on the same open-source agent framework.

OpenClaw is no longer a hobbyist project. When Tencent, Alibaba, Baidu, Xiaomi, ByteDance, and Zhipu AI all build products on your codebase in the same month, the project's status changes. It's infrastructure. The governance question — who maintains the core, who reviews security patches, who decides the roadmap — becomes urgent in a way it wasn't when OpenClaw was a popular GitHub repo. The open-source foundation that Steinberger set up before joining OpenAI is now responsible for code that underpins products reaching billions of users.

The agent market is fragmenting by geography. China's agent ecosystem is building on OpenClaw with Chinese models (Qwen, GLM-5, MiMo-V2-Pro) deployed on Chinese cloud infrastructure (Alibaba Cloud, Tencent Cloud, Baidu Cloud). The Western enterprise ecosystem is building on the same OpenClaw base but through NVIDIA's NemoClaw/OpenShell stack with frontier models (Claude, GPT) on Western cloud providers. Same underlying open-source project, diverging platform layers, different regulatory environments.

Enterprise-wrapped agents are the growth vector, not raw OpenClaw. None of these companies are telling their users to clone a GitHub repo and configure API keys. They're offering managed, governed, platform-integrated versions that remove the infrastructure burden and add security controls. This is the same trajectory we've seen with every successful open-source project — the code is free, the platform is the product. The companies that win are the ones that make the agent useful without making the user a sysadmin.

The security question gets bigger, not smaller. More users means more attack surface. More platform integrations means more credential chains. More enterprises deploying agents means more sensitive data flowing through systems that are, at their core, probabilistic reasoning engines with broad access. The pattern of agents acting outside their intended scope doesn't go away because the wrapper is more polished. It just gets harder to detect at scale.

The bigger picture

Six months ago, OpenClaw was a side project by a developer who'd later leave for OpenAI. Today, it's the foundation of enterprise AI agent platforms at three of the world's largest technology companies, and it's embedded in the most widely used messaging app on earth.

The speed of that transition is the story. Not because it's surprising — the demand for AI agents that take real action was always there — but because it shows how quickly open-source infrastructure can become the default layer when the timing is right.

For people evaluating AI agents right now, the lesson is practical: OpenClaw isn't just an alternative to commercial tools like Claude Cowork or Perplexity Computer. It's the underlying framework that an increasing number of commercial tools are built on. Understanding its capabilities — and its security posture — matters whether you use it directly or through a platform that wraps it.

The agent race is now a platform race. And it's moving faster than the governance can follow.

FAQ

What is Tencent ClawBot? ClawBot is a WeChat integration launched by Tencent on March 22, 2026. It adds OpenClaw as a contact inside WeChat, allowing the app's 1 billion+ monthly active users to interact with the AI agent through the chat interface. It's part of Tencent's broader agent suite including QClaw, Lighthouse, and WorkBuddy.

What is Alibaba Wukong? Wukong is an enterprise AI platform launched by Alibaba's DingTalk unit on March 17, 2026. It coordinates multiple agents to handle business tasks within a single interface. It includes enterprise-grade security — identity authentication, sandbox isolation, audit logs — designed to address the problems that blocked raw OpenClaw from enterprise deployment.

Is OpenClaw safe to use in China? Chinese regulators have explicitly warned about AI agent security risks, citing information leaks and remote access vulnerabilities. The enterprise platforms from Tencent, Alibaba, and Baidu add their own security layers, but the underlying agent still carries the documented security concerns that have been flagged globally.

Why are Chinese tech companies building on OpenClaw instead of their own frameworks? Speed. OpenClaw proved the demand, has 260,000+ GitHub stars, and is MIT-licensed — anyone can build on it without permission. Building a competing framework from scratch would take months. Wrapping OpenClaw in an enterprise platform and shipping it through an existing user base takes weeks.

Does this affect OpenClaw users outside China? Not directly. These are Chinese-market products. But the scale of adoption validates the agent model and may accelerate enterprise investment everywhere. NVIDIA's NemoClaw and OpenShell, launched the same week at GTC, represent the Western enterprise equivalent.

This is part of a series on AI agents in 2026. See also: Is OpenClaw Safe?, AI Agents Keep Going Rogue, What Is NVIDIA OpenShell?, NanoClaw vs OpenClaw, and Best OpenClaw Alternatives That Don't Require Coding.