Shenzhen, March 2026. Nearly a thousand people waiting.
It is a Friday morning. Outside the headquarters of Chinese tech giant Tencent in Shenzhen, a queue has formed — nearly a thousand people, reports the South China Morning Post. Not a queue for an iPhone. Not a queue for concert tickets. A queue for software.
Who is standing there: pensioners with laptops. Housewives. Students. Office workers on their lunch break. Some carry MacBooks under their arms, others a mini PC in a shopping bag. Some are even holding NAS drives.
What they want: Tencent engineers are to install an AI agent called OpenClaw on their devices, free of charge. The Chinese internet knows OpenClaw only by its nickname: "the lobster" — after its red lobster logo.
The engineer takes roughly three minutes per person. He installs OpenClaw on the laptop, connects it to WeChat on the phone, configures the AI model — and calls the next person forward. What happens in those three minutes, and what comes after: that is the real story.
Similar scenes were playing out simultaneously outside Baidu's headquarters in Beijing. And in 17 other Chinese cities where Tencent had opened installation centres. Those without time to queue ordered a technician to come to their home — for 500 yuan, roughly €65. And those who had second thoughts after installation? Paid again for the uninstall.
Not a chatbot. An agent.
We have already explained OpenClaw in detail in our OpenClaw fundamentals article. Here is the short version relevant to this article:
ChatGPT replies. OpenClaw acts. Whilst a chatbot responds to questions and then waits, OpenClaw receives a task — and completes it independently, step by step, without asking at every stage. It reads emails, sends emails, moves files, books appointments, executes shell commands. Around the clock. Even whilst you sleep.
OpenClaw runs locally on the user's own computer — it does not need a cloud service. That is the advantage Tencent and Baidu promote: the data stays on your own device. What receives less emphasis: the agent requires deep system privileges for this. Full access to files. Email accounts. Calendars. Contacts. And — particularly relevant in the Chinese context — WeChat Pay.
Not an app. An infrastructure.
Those unfamiliar with WeChat might think of WhatsApp. That comparison falls short. WeChat is the digital operating system of everyday Chinese life — and that is no exaggeration.
Tencent officially reported 1.385 billion combined monthly active users for WeChat and Weixin (the Chinese domestic version) at the end of 2024. That is the only reliable figure confirmed by Tencent itself — more recent official numbers for 2026 are not yet available.
What this billion people do via WeChat goes far beyond messaging:
Sources: Tencent Investor Relations · 99firms WeChat Statistics 2026
Not having WeChat in many Chinese cities means: no taxi, no doctor's appointments, no payments at the supermarket. Cash has become effectively redundant across large parts of the country — WeChat Pay has replaced it. Even street vendors accept only QR code payments.
That is the context into which OpenClaw has now arrived.
ClawBot: the lobster moves into WeChat.
On 22 March 2026, Tencent officially launched ClawBot — a direct integration of OpenClaw into WeChat. ClawBot appears as a normal contact in WeChat, just like a friend or colleague. Users can send commands to their agent via text message — or voice message.
The setup: update WeChat, activate the plugin in settings, scan a QR code. Done. According to Tencent, this takes roughly three minutes.
In everyday terms, this sounds convenient: send a voice message from the commuter train — "Summarise the meeting recording on my desktop and send it to me." Minutes later the file arrives in WeChat. No detour, no separate app.
What receives less attention: WeChat is not just any channel. WeChat is the app through which 935 million people pay, communicate and work every day. The laptop — with OpenClaw on it — is from this point remotely controllable via this app. Not only by Grandma Li.
How many WeChat users have actually activated ClawBot is unknown. Tencent has published no figures on this. The rollout is proceeding in stages. We therefore cite no combined figure — it would be speculation.
What we know — in chronological order.
OpenClaw has existed since November 2025. In the five months since, the project has experienced a security crisis that is characteristic of a new category of software: powerful, popular, and structurally difficult to secure.
ClawHavoc campaign: Coordinated attack on the official skill marketplace ClawHub. 341 malicious skills from 7 attackers, disguised as legitimate plugins. Distribution of keyloggers and the AMOS infostealer. The only barrier to upload: a GitHub account at least one week old.
CVE-2026-25253: One-click remote code execution. A user visits a malicious website — within milliseconds an attacker takes over the entire OpenClaw instance. Also exploitable against locally bound instances because the attack runs through the browser. Patched in version 2026.1.29.
135,000 unprotected instances worldwide, identified by SecurityScorecard. 63% with no authentication whatsoever. Compromised instances leaked API keys, OAuth tokens and credentials in plain text.
Moltbook data leak: Cybersecurity firm Wiz discovered an open Supabase database — 1.5 million API tokens and 35,000 email addresses of all registered OpenClaw agents on the platform were freely accessible — before Wiz informed the team and the database was secured.
824 malicious skills out of 10,700 listed — roughly 8% of the entire marketplace. Skills with professional documentation and innocuous names smuggling in malware. Cisco researchers tested a popular skill live: nine security issues, two of them critical. The skill was silently forwarding user data to external servers.
CVE-2026-32922: Complete privilege escalation via token scope abuse. CVSS 9.9 — the highest possible criticality level. Affected: all versions before 2026.3.11. Anyone who had not updated was fully compromisable.
More than 60 CVEs and 60 GHSAs documented in total. 63,070 live-reachable instances as of end of March 2026 — fewer than the peak in February, but: the architecture that makes the attacks possible is unchanged.
The honest answer: nobody, really.
China's authorities responded — quickly, even, compared with other countries. On 22 March 2026, CNCERT and the China Cybersecurity Association jointly published a security guide. The Chinese Ministry of Industry and Information Technology (MIIT) followed with its own guidelines.
What they recommend: run OpenClaw only on dedicated devices or in virtual machines. Not with administrator privileges. Do not store sensitive data in the OpenClaw environment. Use the skill marketplace with caution. Update regularly.
These are sensible recommendations. For someone with a technical background. But not for the person who just had the lobster installed in three minutes by a Tencent engineer.
The protective measures were developed for technical users — and are being handed out to people who stood in a queue so that someone else could install the tool for them. This gap is not a minor issue. It is the core of the problem.
Tencent has made clear in the ClawBot terms of service: the company only provides the message transmission channel. It does not store conversation contents. And it accepts no responsibility for AI-generated results or their consequences.
OpenClaw itself is open source — no company bears responsibility. And CNCERT has explicitly warned: state-owned enterprises and government agencies must not run OpenClaw on official computers — while at the same time local governments are subsidising installation events and setting up funding programmes for OpenClaw start-ups.
The analyst firm Gartner gave an unambiguous assessment in February 2026: OpenClaw represents an "unacceptable cybersecurity risk" for business users — and should be run exclusively in isolated non-production environments with disposable credentials.
Who is really playing here.
OpenClaw is not merely a viral tool. It is the focal point of a competition for the next infrastructure of the internet — and almost all the major players are already involved.
OpenAI hired OpenClaw's creator Peter Steinberger in February 2026. Meta acquired Moltbook in March 2026 — the social network built exclusively for OpenClaw agents. The founders and COO moved directly to Meta's Superintelligence Labs. Tencent, Alibaba, Baidu and ByteDance all launched their own OpenClaw-based products within a matter of weeks. NVIDIA announced an enterprise security layer for OpenClaw at GTC 2026.
What they all have in common: they want to control the infrastructure through which autonomous agents communicate with the world — and with each other. Whoever owns this infrastructure owns a key component of the next phase of the internet.
The figures we know with certainty: 346,000 GitHub stars, 47,700 forks. China has already overtaken the United States in OpenClaw usage according to SecurityScorecard — with almost double the volume. How many people have specifically activated ClawBot on WeChat: unknown, as Tencent has published no figures.
What is really happening here.
What is happening in China right now has no precedent. A AI agentAI AgentSoftware that independently executes tasks — without waiting for human input at every step. with system access is being distributed to millions of non-technical users via state-coordinated installation events. The access point: the app that for these users is phone, wallet, workplace and social network all in one.
The security situation is documented and serious: more than 60 vulnerabilities in five months, an official marketplace with malware, and an architecture that is systemically difficult to secure. The protective measures exist — but for a different target audience.
This is not a Chinese problem. Prompt injectionPrompt InjectionAn attack in which malicious instructions are hidden within content that the AI agent reads — which it then executes as commands., compromised skills, and poorly secured instances affect OpenClaw worldwide. And OpenClaw continues to grow — in Europe too, just without state installation helpers.
The question that remains at the end is not a technical one: if a system you do not understand gains access to your entire digital life — because everyone else has it too — who bears the consequences?
Not Tencent. That is in the terms and conditions. Not OpenClaw — that is open source. And the Tencent engineer who spent three minutes: he has long since moved on to the next person in the queue.
OpenClaw itself is not a threat. It is a powerful, legitimate tool — one that can be used sensibly under the right conditions. The problem is the combination: a structurally insecure system, a rushed mass rollout, and a target audience that lacks the knowledge required for safe operation. China has just conducted the largest-scale test in history of what happens when you bring these three things together. We do not yet know the full result of that experiment. What we do know: the architecture generating the risks is unchanged — and OpenClaw is coming to the rest of the world too. Just without the queue outside Tencent's headquarters.
investor.tencent.com
scmp.com
cnbc.com
technologyreview.com
technode.com
conscia.com
thehackernews.com
armosec.io
govt.chinadaily.com.cn
theregister.com
techcrunch.com
thewirechina.com
asiatimes.com
nbcnews.com
en.wikipedia.org/wiki/OpenClaw