China has curbed the use of OpenClaw and the ‘lethal trifecta’ of AI agents explains why


OpenClaw is an open-source agent framework designed to connect language models to real tools so the system can act with limited human supervision.(Bloomberg)

Summary

China didn’t clamp down on OpenClaw agents for no reason. It’s clear that Agentic AI let loose on computer systems can wreak havoc. Businesses need architectural safeguards in place before they put such agents to work.

China’s move against OpenClaw came before the rest of the world had even settled on a vocabulary for what worried it. This early restriction matters because it frames the issue correctly.

OpenClaw is not merely another chatbot. It is an open-source agent framework designed to connect language models to real tools such as messaging apps, email, calendars, browsers and local files, so that the system can act with limited human supervision.

Chinese authorities did not impose a blanket prohibition on all use, but reports indicate that state-linked institutions have been told not to install it on work devices and, in some cases, personal devices because of security concerns. This is less a theatrical ban than a sober warning that agentic software changes the security model of ordinary computing.

The most useful term in this debate is the ‘lethal trifecta,’ popularized by Simon Willison. The three parts are precise. First, the agent has access to private or sensitive data. Second, it is exposed to untrusted content such as text, images or other material that an attacker can influence, whether through a webpage, email, document or bug report. Third, it can communicate externally; for example, by sending a message, calling an API or writing outside its trust boundary.

The phrase ‘lethal trifecta’ doesn’t mean the software is evil, but that the architecture is dangerous. Private data supplies the prize, untrusted content supplies the attack path and external communication the escape route. If these features co-exist in one agent, prompt injection can turn a helpful assistant into an unwitting exfiltration channel.

This matters enormously when people use AI to build software, because modern development workflows almost beg developers to assemble the trifecta. A coding agent may need access to source code, internal documentation, test results and customer data. It may also need to read issue trackers, support tickets, websites and uploaded files, which may contain attacker-controlled text. Finally, it may be granted permission to open pull requests, send emails, post messages on a team platform, update a database or query outside services.

Each step seems reasonable in isolation, but together they create a system that may be manipulated through language rather than a traditional software exploit. The core weakness is that large language models do not reliably separate instruction from data. A malicious sentence hidden in an innocuous document can be interpreted not as content to analyse but as a command to obey. That is a new problem because the attack surface now includes meaning, not just code.

OpenClaw became the emblem of these risks because real-world incidents made the abstraction vivid. After software engineer Chris Boyd gave the system access to iMessage, it reportedly sent more than 500 unsolicited messages, including to random contacts.

In a separate case, an OpenClaw agent handling email reportedly deleted or archived messages after losing track of an instruction to wait for approval. These episodes do not prove that the software became sentient or rebellious. They show something more ordinary and more important. Once an agent is connected to live systems, small failures in memory, context management or tool use can produce outsized consequences.

The danger is not complete autonomy. It is brittle autonomy. An agent that misreads a prompt, compresses context badly or follows injected text can create spam, lose data or make unauthorized disclosures at digital speed, which is why security teams worry when experimental tools are wired into systems.

Peter Steinberger, OpenClaw’s creator, has not answered the criticism by claiming the risks are imaginary, though he has said that the security story is still a work-in-progress and has framed OpenClaw as an exploratory system that lets people discover what agents can and cannot do.

This defence is reasonable.

Experimental software is often messy and open-source projects do improve through public testing. But the creator’s justification also reveals the central tension of the moment. Builders want to discover agent behaviour by giving models richer access to the digital world. Security engineers want to limit that access until key threats are understood. Both instincts are rational, but the market rewards capability before control, while the lethal trifecta punishes exactly that sequence.

The debate over OpenClaw is, therefore, not about one tool, one founder or one country. It is about a transition from assistants that wait to agents that act. An assistant can produce a bad answer and embarrass a company. An agent can read private material, ingest hostile text and transmit the result outward before anyone notices.

That is why the Chinese restriction has stirred a worthy debate. It recognizes that Agentic AI is not simply better automation. It is software endowed with permissions, memory and initiative, meaning ordinary design choices may have geopolitical, corporate and personal consequences.

We need architectural discipline. Keep sensitive data away from agents that read untrusted content. Require explicit approval for outward communication. Split workflows so no single model holds all the keys. Success with AI is not about using the most impressive agents, but about understanding that capability without containment is not innovation. It is deferred incident response. And deferred incidents in technology are usually the most expensive.
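The three-part trifecta described earlier and the three safeguards above can be turned into a small policy layer: a static check that flags an agent whose tool set holds all three capabilities at once, and a runtime gate that blocks outward communication for explicit approval once the session has ingested untrusted content. This is an added illustration, not code from the article or from OpenClaw; the `Cap`, `Tool` and `Session` types and the tool names are constructed for the example.

```python
"""Constructed example: detect the 'lethal trifecta' in an agent's tool set
and gate outbound tool calls behind human approval once untrusted content
has been read in the session. Not OpenClaw's code; all names are illustrative."""
from dataclasses import dataclass, field
from enum import Flag, auto


class Cap(Flag):
    PRIVATE_DATA = auto()      # reads sensitive data (mail, files, customer records)
    UNTRUSTED_INPUT = auto()   # reads attacker-influenceable text (web, tickets, docs)
    EXTERNAL_COMMS = auto()    # writes outside the trust boundary (send, post, API)


@dataclass(frozen=True)
class Tool:
    name: str
    caps: Cap


TRIFECTA = Cap.PRIVATE_DATA | Cap.UNTRUSTED_INPUT | Cap.EXTERNAL_COMMS


def has_lethal_trifecta(tools) -> bool:
    """Static check: True when one agent holds all three capabilities.
    Use it to split a workflow so no single model gets all the keys."""
    combined = Cap(0)
    for tool in tools:
        combined |= tool.caps
    return (combined & TRIFECTA) == TRIFECTA


@dataclass
class Session:
    """What one agent run has touched so far (its taint state)."""
    tainted: bool = False            # has read untrusted content
    saw_private: bool = False        # has read private data
    log: list = field(default_factory=list)


def call_tool(session: Session, tool: Tool, approved: bool = False) -> str:
    """Runtime gate: once the session has read untrusted content, any tool
    that communicates externally is blocked until a human approves it, so an
    injected instruction cannot exfiltrate on its own. Other calls proceed
    and update the session's taint state."""
    if Cap.EXTERNAL_COMMS in tool.caps and session.tainted and not approved:
        session.log.append(f"BLOCKED {tool.name}: outward call needs approval")
        return "blocked"
    session.tainted |= Cap.UNTRUSTED_INPUT in tool.caps
    session.saw_private |= Cap.PRIVATE_DATA in tool.caps
    session.log.append(f"ran {tool.name}")
    return "ok"
```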

The author is co-founder of Siana Capital, a venture fund manager.
