Local Policies Experiment With “Lobster” AI Agents Accelerate Into The Agent Era But Security Risks Remain

On March 9, reports highlighted the rapid rise of the open‑source AI agent project OpenClaw, whose “lobster” motif has captured national attention and been swiftly incorporated into local development plans. Shenzhen’s Longgang District has taken the lead with a set of measures—dubbed the “Ten Lobster Measures”—to promote deployment and commercialization of related projects.

On March 8, the Longgang District Artificial Intelligence (Robotics) Bureau published a consultation draft titled “Several Measures To Support The Development Of OpenClaw & OPC In Longgang District.” The proposal encourages market‑oriented, professional platforms to establish “Lobster Service Zones” that provide free OpenClaw deployment services and offer subsidies to qualifying projects. It also proposes support for development and promotion of OpenClaw‑style agent tools, and sets out financial incentives of up to RMB 2 million for contributions of key code to international communities, for publishing industry‑relevant skill packages on skill‑trading platforms, and for projects that integrate agents with embodied devices. The draft further proposes an annual selection of high‑impact OpenClaw application projects in areas such as smart manufacturing, e‑government, smart parks and smart healthcare, awarding demonstration status and one‑time grants of up to RMB 1 million based on actual investment.

OpenClaw originated in November 2025 as a weekend project by Austrian retired programmer Peter Steinberger. The framework grants large language models local operating‑system permissions, enabling them to execute shell commands and manipulate file systems—functionality described as “local agent sovereignty.” The project’s red lobster logo became widely recognized within the tech community well before broader public attention. On February 15, Steinberger joined OpenAI to lead development of next‑generation personal agents, and Jensen Huang publicly praised OpenClaw as a landmark software release. Within four months of its launch, OpenClaw amassed more than 248,000 GitHub stars, surpassing Linux to become one of the most starred open‑source projects on the platform.

In recent weeks, installation guides and paid setup services for OpenClaw have proliferated across social platforms, and queues for installation have been reported outside major corporate offices in Shenzhen. This pattern indicates a shift from curiosity to operational adoption: OpenClaw is moving from demonstration to active deployment, and AI is increasingly being used as a practical productivity tool. Unlike conversational systems that remain confined to dialogue, OpenClaw functions as an executable digital worker. Its architecture comprises channel adapters for integration with workplace tools such as Feishu and DingTalk, a decision core that can switch among models, a skill plugin system that enables concrete actions—browser control, email handling, code execution—and a dual‑mode memory that stores data locally for ongoing learning. By converting intelligence into action, OpenClaw supplies the execution layer that complements model capabilities and lowers the barrier for individuals and small teams to automate complex tasks.

Market research and brokerage reports suggest that the combination of models and agent frameworks will define the next phase of AI application. Guojin Securities notes that as the industry enters an Agent era, attention is shifting from isolated model performance to the system capabilities of “model plus agent.” The OpenClaw–GPT‑5.4 pairing is widely cited by developers and media as a promising technical path that could transition agents from experimental tools into production‑grade systems, accelerating adoption in office automation, software development and complex knowledge work. Usage metrics from OpenRouter show OpenClaw ranked first globally over the past 30 days, consuming 8.69T tokens across 344 models. Among the top five models by call volume, three are domestic models—Kimi K2.5, Step3.5Flash and MiniMaxM2.5—with DeepSeekV3.2 also appearing in the top ten.

Jensen Huang has observed that agents can perform tasks that previously required substantial time and expertise using only prompt sequences, a shift that has driven token consumption roughly 1,000‑fold and created a pronounced demand for compute resources. CMB Securities and other firms characterize this development as the onset of a compute‑intensive era for AI applications, with cloud compute services emerging as the most certain growth area. Huaxi Securities anticipates that OpenClaw’s popularity will boost demand for domestic large models and accelerate their international expansion.

Despite the momentum, OpenClaw’s rapid proliferation raises material security concerns. The framework’s capacity for autonomous operation, system access and external resource invocation blurs traditional trust boundaries. In the absence of robust permission controls, audit mechanisms and security hardening, misconfigurations, prompt‑based manipulation or malicious takeover could enable unauthorized actions, data exfiltration or system compromise. China’s Ministry of Industry and Information Technology cybersecurity platform has detected high‑risk configurations in some OpenClaw instances that could facilitate network attacks and information leakage. The ministry recommends that deployers verify public exposure, review permission settings and credential management, disable unnecessary public access, and implement strong identity authentication, access control, data encryption and security auditing while monitoring official security advisories.

Industry analysts note that OpenClaw remains immature and identify practical pain points such as complex installation procedures, potential file loss and privacy risks. Network‑attached storage (NAS) devices are proposed as a mitigation measure: by leveraging snapshot functionality, NAS can enable rapid recovery from accidental deletions; by isolating agent deployments on dedicated hardware, NAS can limit attacker lateral movement and protect core devices and sensitive data. With centralized storage, low‑power continuous operation and scalable compute, NAS may become a preferred hardware platform for agent deployment, helping to address data integrity and privacy concerns as agent adoption expands.