ByteDance releases OpenClaw security guidelines internally, simultaneously launching enterprise tool ByteClaw.
The ByteDance security team has internally released the "OpenClaw Security Guidelines and Usage Guide" and simultaneously launched the enterprise-level tool ByteClaw to standardize the use of related technologies among employees.
According to media reports, the ByteDance security team has internally released the "OpenClaw Security Specification and Usage Guide" and simultaneously introduced the enterprise tool ByteClaw to employees to standardize the use of relevant technologies. The tool is built on the Volcano Engine ArkClaw Enterprise Edition and provides unified identity authentication, access control, and permission management within the company's account system, enabling employees to securely access internal resources and effectively avoid security risks.
The internal specification points out that OpenClaw has five common risks: improper access control settings, prompt injection, sensitive message theft, supply chain vulnerabilities, and malicious plug-in poisoning. It provides security requirements and configuration guidelines targeting these risks. The ByteDance security team recommends that employees prioritize using compliant tools such as ByteClaw, which have completed the security baseline configuration and can be centrally managed on a cloud platform to continuously guard against various security risks.
The internal specification also sets strict red lines for usage: employees are strictly prohibited from installing and using OpenClaw-like tools in core production environments such as business servers, to avoid occupying business resources or causing security incidents. Installing such tools locally on office computers is not recommended. If there is a work requirement, employees must strictly follow the security configuration guidelines and complete the compliance settings before using the tools.
ByteDance released the internal specification against the backdrop of consecutive risk warnings from national departments. The National Cyber Security Information Notification Center has specifically pointed out that OpenClaw has significant security risks in its architecture design, default configurations, and other aspects, such as binding to public network addresses by default, which leads to an exposure rate of up to 85%, and a history of 258 vulnerabilities. The Ministry of Industry and Information Technology and experts from the China Institute of Information and Communications emphasize the risks that intelligent agents have "fuzzy trust boundaries" and are vulnerable to exploitation by malicious instructions.


