Kimi Claw: Risks from Chinese-Hosted ‘Always On’ AI Agents
On February 15, 2026, Moonshot - a Beijing-based, Alibaba-backed AI company - announced Kimi Claw, a new feature in its consumer platform kimi.com. Kimi Claw offers ‘always-on’ AI agents that operate from a browser tab and can undertake a number of tasks commonly done via a computer or mobile device. These Chinese-hosted AI agents have the ability to observe, collect, shape, and act upon nearly everything a user does digitally. The combination of Moonshot being subject to China’s legal framework with cybersecurity vulnerabilities identified in the OpenClaw ecosystem creates the potential to cause severe and widespread harm to American and allied citizens.
If Chinese-hosted agentic AI services like Kimi Claw were to be taken up at scale, the associated national security risks could exceed those of the TikTok case. Where TikTok collects browsing behavior and content preferences from a single app, an ‘always-on’ agent with access across the spectrum of users’ digital lives represents a qualitatively deeper level of data exposure. Moreover, akin to the TikTok case, as more users adopt these services and the services become progressively more integrated into users’ daily activities, the likelihood of backlash to future government efforts to manage these risks may increase.
Given that ‘always-on’ agents constitute compute and memory-intensive workloads, Moonshot moving to offer Kimi Claw widely also suggests a level of comfort with its compute capacity to meet customer demand. This, combined with Moonshot’s competitive models, aggressive pricing, opaque corporate structure, and viral adoption of OpenClaw, warrants proactive policy action before AI agent adoption moves beyond its early stages.
This memo outlines four low-burden and low-cost recommendations the federal government can adopt now to respond: a joint security assessment of Kimi Claw's data flows; a public advisory on the risks of ‘always-on’ agents hosted by companies subject to Chinese law; support for cost-competitive US-hosted alternatives; and consideration of a ban on OpenClaw and Chinese AI agent services on federal devices.
Background
As of writing, Artificial Analysis - an independent AI benchmarking platform that ranks LLM capabilities - places Kimi K2.5 among the most capable open-source models currently available, lagging behind the best American ‘closed-source’ models by a relatively small margin. Moonshot - a Beijing-based, Alibaba-backed AI company - develops the Kimi model family.
OpenClaw is an open-source software project - originating from an Austrian developer - that turns an AI model into an ‘always-on’ AI agent. OpenClaw achieved viral adoption in early 2026 and its developers claim it is the fastest-growing GitHub project ever. OpenClaw's modular architecture allows extensibility through a community-driven marketplace called ClawHub, containing ‘skills’ for integration with Google Docs, Stripe and even home speakers.
Kimi Claw is the result of Moonshot embedding OpenClaw directly into its consumer platform kimi.com - the equivalent of ChatGPT.com or Claude.ai - offering users a persistent AI agent powered by Moonshot's models and hosted on their infrastructure. Moonshot’s ‘Bring Your Own Claw’ feature, included in Kimi Claw, allows users who have set up their own OpenClaw agent on a personal computer - which may have broad access to their files, apps, and wider system - to connect it to Moonshot's infrastructure. This allows users to easily interface with their AI agent and power it with Moonshot's AI models while maintaining the personalization factor of having an agent on their local device. This ecosystem creates several privacy and national security risks which are discussed below.
Corporate Structure and Privacy Risks Under Chinese Law
Moonshot's corporate structure and privacy policies create pathways for user data to be transferred to the Chinese authorities. The privacy policy for kimi.com - through which users deploy and configure Kimi Claw - identifies the service provider as ‘MOONSHOT AI PTE. LTD.’ This is a Singapore-incorporated entity registered in July 2023, just four months after the company was founded in Beijing. The policy never mentions China, Beijing, or Singapore, creating a misleading impression of the company’s jurisdictional footprint. Content in the footer of the Chinese version of Moonshot’s website also suggests a Chinese-registered affiliate.
Regardless of the Singapore incorporation of ‘MOONSHOT AI PTE. LTD.’, China’s legal framework - particularly China’s National Intelligence Law (Article 7) - gives authorities broad powers to compel data access from Chinese companies and their subsidiaries. Moonshot’s privacy policy compounds these risks. The company collects user content, including prompts, files, and generated outputs. An affiliate-sharing clause allows transferring user information to corporate affiliates for undefined “internal administration”. A data retention clause allows the company to store personal information “for as long as necessary” to, among other things, “comply with legal and regulatory obligations”. Moonshot could well be required to provide user data, including from Americans, to the Chinese authorities to meet such requirements.
Cybersecurity Vulnerabilities in the OpenClaw Ecosystem
The integration of OpenClaw into Kimi Claw imports a well-documented set of cybersecurity risks that have been extensively cataloged by security researchers, including in a recent MITRE ATLAS investigation. This investigation covered risks including:
Supply-Chain Attacks: Hundreds of outright malicious ‘skills’ were uploaded to ClawHub within weeks of launch. These could, for example, enable every keyboard input a user makes to be captured and exfiltrated, facilitate the theft of bank card details saved on-device, and establish persistent access to the victim’s device.
Data Exfiltration & Prompt Injection: Malicious instructions can be hidden inside ordinary-looking messages sent to an AI agent. When the agent processes these messages, it can be tricked into handing over stored passwords and access credentials.
Remote Code Execution Vulnerability: Attackers could hijack local OpenClaw instances via a single malicious link, which would then allow execution of arbitrary commands on the user’s local machine.
Kimi Claw’s frictionless onboarding - one-click deployment requiring no server setup or command-line knowledge - could accelerate exposure to these vulnerabilities among non-technical users. Such users may be less likely to assess the cybersecurity implications of granting a persistent AI agent broad access to their digital lives, just as consumers routinely accept terms of service without reading them.
National Security Implications of Kimi Claw
Surveillance and espionage: Through the Chinese legal framework highlighted above, data from Moonshot’s ‘always-on’ Kimi Claw agents can be transferred to China. This can include information from across the spectrum of users’ digital lives which can enable targeted influence operations and public opinion shaping in America. The risk of data exfiltration also extends to American enterprise environments and can support industrial espionage: deployments of OpenClaw-based agents like Kimi Claw could enable shell access, data movement, and network connectivity, sidestepping security controls via elevated privileges. Enterprise data exposed could include sensitive commercial information, Personally Identifiable Information (PII), and legal documents. Reflecting this, WIRED recently reported that Meta and some other large technology companies are already restricting OpenClaw use on corporate devices.
Strategic dependency: Kimi K2.5 is priced at roughly one-eighth of the cost of leading US models¹ and agent hosting is offered free to paid-tier members ($31/month as of writing). If Kimi Claw achieves significant adoption, a combination of low pricing and systemic dependency through skills and integrations could be difficult to reverse, akin to concerns in the telecoms sector. This may increase the likelihood of public backlash to government action to address related national security risks in the future, narrowing the policy window for intervention.
Policy Recommendations
The CAISI-led AI Agent Standards Initiative, announced in February 2026, will support interoperable and secure AI agents and is a welcome step. Alongside this, the following low-burden and low-cost recommendations can be adopted now by the federal government to respond to the specific concerns raised by Kimi Claw, ahead of a more in-depth assessment of the appropriate policy response once further analysis has been conducted:
Joint security assessment: CAISI and the Department of Commerce, in collaboration with the IC, should conduct an urgent joint assessment of the data flows, infrastructure dependencies, and security architecture of Kimi Claw, with particular weight placed on the ‘Bring Your Own Claw’ feature.
Public advisory: Relevant federal agencies should issue a public advisory detailing the risks of granting ‘always-on’ AI agents access to personal and enterprise digital infrastructure and data, with specific reference to services hosted by companies subject to Chinese laws.
US alternatives: The federal government should support the development and adoption of US-hosted AI agent platforms, with strong privacy guarantees and cybersecurity, to drive cost-competitive alternatives to the Chinese ecosystem.
Federal device ban: The federal government should consider issuing a rule prohibiting the use of any OpenClaw deployments and AI services provided by Moonshot or any other constituents of the Chinese AI ecosystem on federal government devices and those operated by contractors being used for federal government work. Some steps have already been taken here in relation to DeepSeek.
End Notes
¹ As of writing, based on a comparison with Anthropic’s Claude Opus 4.6. Kimi K2.5 costs $0.60/$3.00 per 1M input/output tokens compared with $5.00/$25.00 respectively for Claude Opus 4.6.