Skip to Content
- Home
- About
- Services
-
Top Asked
- Change OnePass Password
- Forgot Password
- Enrol in Duo 2FA for new users
- Transfer Duo 2FA to my new phone
- Collect New Staff Account
- Collect New Student Account
- Microsoft Copilot for the Web
- Define Email Address (via Campus Network or CUHK VPN)
- Manage Project / Other Account(s) (via Campus Network or CUHK VPN)
-
News
- Phishing Alert: Professor [Name][Title], [Department]
- Firewall System Upgrade (Sun, 12 Apr 2026, 8:00 a.m. – 12:00 p.m.)
- System Maintenance of CUPIS (Sat, 18 Apr 2026, 8:00 a.m. – 1:00 p.m.)
- Phishing Alert: 強制性公積金( MPF )1 » News » 關於開展強制性公積金( MPF )相關資料完善及核實工作嘅通知函 [Updated]
- Central Firewall Maintenance (Wed, 1 Apr 2026, 6:30 p.m. – 10:30 p.m.)
-
Contact
ITSC Tech Buddy
Knowledge Base
Online Service Desk (Staff / Student / Guest)
Service Desk on Campus
(+852) 39438845
User Trainings
Beware of Agentic AI Security Risks
The launch of “OpenClaw“, an open-source artificial intelligence (AI) agent, has attracted significant attention since it supports a board range of AI functions and can operate independently. However, unlike conversational AIs such as ChatGPT, OpenClaw functions as a proactive assistant – once permissions are granted, it controls applications, organizes files, processes emails, sorts data and executes coding workflows. This poses heightened security risks that users should treat with serious caution.
The Office of the Privacy Commissioner for Personal Data (PCPD) has recently published a statement about the potential cybersecurity and personal data privacy risks related to OpenClaw and other agentic AI tools, as these AI applications may request extensive system permissions and operate autonomously.
Potential Risks include:
- Unauthorized data access due to high levels of access granted,
- Data leakage and accidental deletion of files,
- System intrusion due to higher likelihood of vulnerabilities being discovered from these open-source tools and exploited by threat actors.
Recommended Good Practices on using Agentic AI tools:
DOs:
- Use the official and the latest version.
- Enforce isolation for the runtime environment.
- Strengthen network control to minimize Internet exposure.
- Grant only the minimum permission necessary.
- Install and use plugins or skills with caution.
- Guard against browser hijacking.
- Regularly check and update the official security patches.
- Enable detailed log auditing functions.
DON’Ts:
- Don’t use outdated or third-party mirror versions of AI tools.
- Don’t expose AI agent instances to the Internet.
- Don’t enable administrator accounts during deployment.
- Don’t install skill packs that require entering passwords.
- Don’t browse unverified websites.
- Don’t store keys in plaintext in environment valuables.
Users are reminded NOT to install OpenClaw nor its variants on machines connected to the campus network. Besides, they should refrain from granting excessive permissions to any agentic AI tools and must NOT use these applications to process any personal data. The University will continue to monitor the situation and provide further guidance as necessary.
Reference:
- PCPD: Privacy Risks of OpenClaw and Agentic AI and Use AI Safely
- MSN: Hong Kong government workers warned not to install OpenClaw due to security risks
- SCMP: China issues new safety rules for OpenClaw. Here are the dos and don’ts
- SCMP: China’s top court says it treats AI cases with care without stifling growth or innovation
- Digital Policy Office warns of OpenClaw security risks as mainland moves to restrict use
- HKCERT: OpenClaw’s Rapid Adoption Exposes Skills Supply Chain and Fake Installer Risks in a High-Privilege AI Agent Platform
- RTHK: IT chief urges caution over OpenClaw security risks
- NIST: OpenClaw Vulnerabilities: CVE-2026-25253, CVE-2026-24763, CVE-2026-26322, CVE-2026-26329, CVE-2026-30741
- ITSC: Security Tips when using Artificial Intelligence (AI) Tools
Published on: 27 Mar 2026
© 2026 All Rights Reserved. The Chinese University of Hong Kong.