OpenClaw Is More Popular Than Linux on GitHub — And China Just Banned It From Government Offices

In three months, OpenClaw surpassed React and Linux in GitHub stars — two of the most beloved open source projects in software history. In China, people are lining up in Shenzhen to have it installed in person. Token consumption from OpenClaw users alone is reshaping the revenue projections of entire AI companies.

And then the Chinese government banned it from every government office, state-owned enterprise, and national bank in the country.

The OpenClaw China ban is not just a tech policy story. It reveals something important about what agentic AI actually does — and why the same capability that makes it extraordinary also makes it genuinely dangerous.

Not familiar with OpenClaw yet? Read our full breakdown of what OpenClaw is and how to deploy it first.

How OpenClaw Became More Popular Than Linux

GitHub stars are the closest thing open source software has to a popularity metric. They do not measure downloads or active users directly, but they reflect the attention and enthusiasm of the developer community — and they are notoriously hard to accumulate for established projects because the competition includes decades of accumulated goodwill.

OpenClaw passed both React (Meta’s frontend framework, used by millions of developers worldwide) and Linux (the operating system that runs most of the internet) in GitHub stars within three months of going viral. That is not a normal trajectory.

| Project | Years to Reach Peak Stars | Status vs OpenClaw |
|---|---|---|
| Linux | 30+ years | Surpassed by OpenClaw ↓ |
| React | 10+ years | Surpassed by OpenClaw ↓ |
| OpenClaw | 3 months | Current leader ↑ |

The growth has been called a “second DeepSeek moment” — a reference to the Chinese AI model that shocked the Western tech world earlier in 2025 by matching frontier performance at a fraction of the expected cost. OpenClaw is generating a similar level of disruption, but in a different direction: not at the model level, but at the interface level. It changes what AI can do with existing software, not just how well it reasons.

Why China Adopted It Faster Than Anyone Else

OpenClaw’s explosive adoption in China is not accidental. It solves a problem that is uniquely severe in the Chinese enterprise software market.

The average Chinese company runs approximately 150 independent IT systems. Around 60% of those systems have no APIs and no documentation — meaning there is no standard way for software to connect to them or build on top of them. For years, integrating AI into Chinese business operations meant either rebuilding systems from scratch or accepting that AI would only work with a fraction of the existing infrastructure.

OpenClaw sidesteps this problem entirely. Instead of requiring APIs or integrations, it operates the way a human operator would: it sees the screen, reads the interface, clicks buttons, fills in text fields, and navigates applications as if it were a person sitting at the keyboard. No API required. No documentation needed. If a human can use the software, OpenClaw can use the software.

For a country whose companies run an average of 150 legacy systems each, that is not a minor convenience. It is a fundamental unlock.

The Token Consumption Nobody Saw Coming

Conventional AI tools like ChatGPT are token-efficient by design. A user asks a question, the model generates a response, the interaction ends. Token consumption is bounded by the conversation.

OpenClaw does not work that way. It operates continuously and autonomously — monitoring, executing, responding, and executing again. A single advanced user can consume 50 million tokens per day running OpenClaw agents across their workflows.

At scale across millions of Chinese users, the impact has been measurable and dramatic:

  • By late February, Chinese AI models — primarily Kimi 2.5 and DeepSeek — were consuming 61% of all global tokens processed through OpenRouter, a platform that aggregates access to dozens of AI model APIs
  • Kimi, developed by Moonshot AI, generated more revenue in 20 days of OpenClaw-driven usage than its creators had projected for the entire year of 2025

The financial implications for AI infrastructure companies are significant. Every OpenClaw session running 24/7 on a user’s server is a continuous, recurring revenue stream for whoever is providing the underlying model API. This is why Chinese tech companies moved so quickly to offer one-click OpenClaw deployments — they were racing to capture that token consumption on their own platforms.

The Three Security Risks That Triggered the Ban

The same capability that makes OpenClaw powerful — its ability to see and control anything on a screen — is also what makes it a serious security concern. Researchers and security firms identified three distinct risk categories almost immediately after it went viral.

| Risk | What It Means in Practice |
|---|---|
| Private data access | An agent with screen access sees everything — passwords, confidential documents, internal communications, financial data. Any breach of the agent means a breach of everything it can see. |
| External communication | OpenClaw agents can send messages, make requests, and interact with external services autonomously. A compromised agent can exfiltrate data without the user realizing it. |
| Prompt injection attacks | A malicious actor can embed instructions in content the agent reads — a webpage, a document, an email — that hijack the agent’s behavior without the user’s knowledge. |

These risks were not theoretical. An initial security audit of skills available on ClawdHub — OpenClaw’s extension marketplace — identified hundreds of malicious packages. The project subsequently formed a security partnership with VirusTotal, the malware scanning service owned by Google, to address the problem systematically.

The security risks are manageable on a properly configured, privately hosted server with careful access controls. They are much harder to manage when millions of non-technical users are deploying agents through one-click mobile apps with default settings.
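
As an added illustration of the "careful access controls" mentioned above (this is not OpenClaw code, and it does not use any OpenClaw API), the sketch below tracks the three risks from the table per agent session and gates outbound requests on them. The class name, method names, and the allowlisted host are hypothetical.

```python
from dataclasses import dataclass, field
from urllib.parse import urlparse

# Hypothetical policy value for this sketch; not an OpenClaw setting.
ALLOWED_HOSTS = {"api.internal.example"}

@dataclass
class AgentSession:
    saw_private_data: bool = False   # risk 1: private data access
    read_untrusted: bool = False     # risk 3: possible prompt injection
    audit: list = field(default_factory=list)

    def observe(self, source, trusted, sensitive):
        """Record what the agent just read (screen, document, web page, email)."""
        self.saw_private_data |= sensitive
        self.read_untrusted |= not trusted
        self.audit.append(("observe", source, trusted, sensitive))

    def may_send(self, url):
        """Decide whether an outbound request (risk 2) is allowed."""
        host = (urlparse(url).hostname or "").lower()
        if host not in ALLOWED_HOSTS:
            # Deny by default: unknown destinations are never reachable.
            verdict = (False, f"host {host!r} not on egress allowlist")
        elif self.saw_private_data and self.read_untrusted:
            # All three risks present at once: stop and escalate to a human.
            verdict = (False, "private data plus untrusted content: needs human approval")
        else:
            verdict = (True, "ok")
        self.audit.append(("send", url) + verdict)
        return verdict

def demo():
    """Constructed sample session: clean send, then a tainted one, then an unknown host."""
    s = AgentSession()
    first = s.may_send("https://api.internal.example/report")
    s.observe("payroll.xlsx", trusted=True, sensitive=True)
    s.observe("https://blog.example/post", trusted=False, sensitive=False)
    second = s.may_send("https://api.internal.example/report")
    third = s.may_send("https://paste.example/upload")
    return first, second, third, s.audit

if __name__ == "__main__":
    for result in demo()[:3]:
        print(result)
```

The audit list gives a reviewer the order in which sensitive and untrusted inputs entered the session before any blocked send.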

What the Government Actually Banned — and What It Did Not

Beijing’s response was fast and targeted. Government agencies, state-owned enterprises, and major national banks received urgent notices prohibiting the installation of OpenClaw on office computers and on personal mobile devices used in those contexts.

What the government did not do — and almost certainly cannot do — is ban OpenClaw for private individuals and independent businesses. The project is open source. The code is publicly available. Anyone can download, modify, and deploy it without going through any channel the government controls.

At the same time, several Chinese cities — including Shenzhen — have announced financial subsidies worth millions of yuan for OpenClaw development and deployment. The result is a government simultaneously subsidizing the technology and restricting it, depending on who is using it and in what context.

It is an unusual policy position, but not an irrational one. The productivity case for OpenClaw in private enterprise is real. The security case for keeping it away from sensitive government systems is also real. The Chinese government appears to have decided it can pursue both positions at once.

How Tech Companies Got Caught in the Middle

For large Chinese tech companies, the government’s restrictions created an immediate problem. They had moved quickly to offer OpenClaw hosting services to capture the token consumption wave — and then watched the government restrict the institutional market they were counting on.

AI startups Zhipu (Knowledge Atlas Technology JSC Ltd.) and MiniMax Group both saw sharp stock declines following the announcement of the government restrictions. The one-click deployment offerings from Alibaba and Baidu remain available for consumer and business users, but the enterprise and government segment — potentially the most valuable and stable part of the market — is now off-limits.

The Deeper Issue: Political Control

There is a dimension to Beijing’s response that goes beyond cybersecurity policy.

China has spent years building sophisticated mechanisms for controlling information flows and monitoring digital activity — most visibly through the Great Firewall, but also through regulatory pressure on domestic tech companies. The government’s confrontation with Alibaba, which resulted in Jack Ma’s effective disappearance from public life, was a demonstration of how seriously Beijing takes challenges to that control framework.

An autonomous AI agent that operates independently, sees everything on a screen, communicates with external services, and runs on infrastructure that the government does not control represents a structural challenge to those mechanisms. It is not just a security risk in the conventional sense — it is a sovereignty question.

The speed of the government’s response suggests this framing was part of the calculus from the beginning.

What Happens Next

OpenClaw’s future in China is genuinely uncertain — which is itself remarkable for a technology that was being celebrated as a national AI breakthrough just weeks ago.

The open source nature of the project makes it nearly impossible to stop at the user level. Enthusiasts and developers will continue deploying it regardless of government guidance. The question is whether the institutional market — the enterprises, banks, and government-adjacent organizations that would drive the largest-scale deployments — remains accessible.

For the rest of the world, the China story is a preview. Every government will eventually have to decide how to handle autonomous AI agents that can see and control any software on a device. The cybersecurity risks are real. The productivity benefits are also real. China is simply further along in having to make those tradeoffs in public, at scale, under political pressure.

The resolution, whatever it is, will probably influence how other governments approach the same question.


If you want to run OpenClaw on your own infrastructure — with your data on your own server, not passing through any third-party cloud — a one-click VPS deployment is the fastest way to get started. Deploy OpenClaw here — private, always-on, ready in minutes.
