
The Whole Web is "Raising Shrimp", but Hospitals Have Issued a Ban

Mar 13, 2026 07:59 CST Updated 07:59

In March 2026, a "shrimp farming" craze swept through the Chinese internet. Regardless of age or gender, everyone was eagerly asking each other, "Are you farming shrimp?" "How do you farm shrimp?" Of course, the "shrimp" here is not the delicious crayfish, but OpenClaw, an open-source AI agent.


Compared with previous AI agents that could only chat and generate content, the operating mode of OpenClaw has brought about a revolution. It can directly take over the computer, autonomously execute corresponding tasks according to instructions, operate the mouse and keyboard like a real person, and help you send emails, organize files, and even write code. Although most people have only a limited understanding of this, obviously no one is willing to miss out on this trend.


Naturally, this "lobster-farming" trend has quickly swept into the medical circle. However, although this "lobster" also brings efficiency improvements, just one mishap will lead to catastrophic consequences.


When AI "Lobster" Takes Over Healthcare Professionals' Computers


The most notable incident caused by OpenClaw undoubtedly comes from Meta. Summer Yue, the Director of AI Alignment and Safety at its Super Intelligence Lab, as usual, attempted to use OpenClaw to organize her chaotic inbox. To be cautious, she specifically set a safety instruction: "You must confirm with me before taking any action."


However, OpenClaw erroneously ignored this command, not only failing to request confirmation but also beginning to frantically delete emails.


The expert came to her senses and immediately input the stop command, but in her panic, she failed to enter the correct one. "I had to rush to my Mac mini at full speed to physically cut the power, like defusing a bomb," her tweet described with a tone full of despair.


When an AI safety expert can encounter such problems, the significant risks associated with OpenClaw are evident. If applied in a medical context, situations like the following might occur.


For instance, Doctor B from the IT department initially had enough security awareness to "raise shrimp" only on a backup computer that was physically isolated from the network. As his reliance on OpenClaw increased, Doctor B, who considered himself a professional "shrimp raiser," believed he had ensured proper security isolation and started "raising shrimp" on his work computer.


What he did not expect was that hackers had been patiently waiting for precisely this moment. They exploited a vulnerability to breach the system, gaining full access to the keys of various information systems. This ultimately led to a serious security incident involving the leakage of hospital patients' private data.


Or, in another scenario, an OpenClaw system used by a hospital, while handling cross-system tasks, brought down the tangled legacy code (the "code mess") of the existing HIS system, leading to a complete paralysis of the HIS system. It took several days to repair the system.


The good news is that the safety management agencies have successively issued risk announcements.



Security Risk Alert for OpenClaw Published by the Ministry of Industry and Information Technology's Cybersecurity Threat and Vulnerability Information Sharing Platform


As early as February 5, the Cybersecurity Threat and Vulnerability Information Sharing Platform of the Ministry of Industry and Information Technology issued a security risk alert for OpenClaw. However, at that time, "shrimp farming" had not yet become a hot topic, and the alert did not attract much attention. After the "shrimp farming" trend gradually picked up, on March 10, the National Internet Emergency Center issued a risk warning regarding the security application of OpenClaw.


According to the statistics from the China National Vulnerability Database (CNNVD), from January 2026 to March 9, 2026, a total of 82 OpenClaw vulnerabilities were collected, including 12 critical vulnerabilities, 21 high-risk vulnerabilities, 47 medium-risk vulnerabilities, and 2 low-risk vulnerabilities. These vulnerabilities encompass multiple types such as access control errors, code issues, and path traversal.


According to VCBeat, well-known tertiary hospitals have issued notices strictly prohibiting the connection of OpenClaw to the hospital intranet, dedicated business networks, and various medical information systems. Even research teams that require OpenClaw for study and testing must comply with security regulations and implement proper safety measures.



A well-known tertiary hospital in China has issued a risk notice regarding OpenClaw.

 

The rapid response of the regulatory authorities undoubtedly provided the public with a sense of reassurance. However, this cannot completely eliminate the security issues caused by OpenClaw. After all, most of the time, the main cause of security problems is not the system, but people.


Take the bastion host, a must-have security mechanism in China's hospital information systems, as an example. Normally, third-party operation and maintenance personnel must obtain an account assigned by the bastion host before they can log into the hospital’s server resources, so that access is secure and controllable. However, in some hospitals, the bastion host is rarely used except during classified protection testing and inspections. This is because hospital information systems are numerous, with dozens of business systems possibly involving different enterprises. Operation and maintenance personnel may feel that the account allocation and permission management of the bastion host add a lot of workload, and setting it up does require certain professional knowledge. Therefore, some hospitals seldom activate the bastion host.


Even if safety rules are extremely strict and systems are highly sophisticated, the slightest lapse in people's safety awareness could still lead to accidents like the ones described above, caused by OpenClaw "in another timeline", and in the real world these cannot be completely prevented.


Hitting the Safety Red Line, Why is the Medical Environment a "Lobster" No-Go Zone?


The reason why OpenClaw has gained popularity lies fundamentally in its ability to intelligently handle various tasks, which gives it the characteristics of high authority, high automation, and high connectivity. However, these features that grant OpenClaw its advantages are precisely what contradict security principles.


Take the most critical permissions as an example. Traditional network security follows the principle of least privilege, granting only the minimum permissions necessary to complete a task. However, in order to carry out complex automated tasks, OpenClaw typically needs to be granted higher system privileges, such as reading files, executing commands, and accessing the network. If it is maliciously exploited or if there is an AI misjudgment, core data could be directly deleted or system configurations tampered with, causing far greater damage than ordinary programs.


Moreover, in sensitive fields such as finance and healthcare, critical operations like deleting data or modifying permissions typically require secondary confirmation or manual approval. OpenClaw, on the other hand, can automatically plan and execute a series of operations based on natural language instructions without human intervention, featuring a high level of automation. However, if the instructions are maliciously induced, it may carry out dangerous operations without being noticed, and it would be difficult to trace responsibility afterward.


An AI security expert at Anheng Information believes that, currently, OpenClaw’s application in medical environments poses four core risks.


The first is the risk of data privacy breaches. OpenClaw needs to call large models or search for information online, which poses a risk of data leakage.


The second risk is the generation of AI hallucinations. "Previous lessons have proven that OpenClaw may experience hallucinations or misjudgments of operational commands, leading to incorrect actions; in scenarios involving ambiguous instructions or incomplete information, it also tends to fabricate missing details and execute directly, resulting in extremely high operational risks. Moreover, if erroneous advice is given during diagnosis and treatment due to hallucinations, life-threatening situations could occur, which is even more serious," he stated.


The third is the risk of system overreach. Experts believe that OpenClaw, which is high-risk, could become a springboard for attackers once it connects to the hospital's core systems, making it difficult to prevent.


Finally, experts believe that the security risks of the model should not be underestimated: "OpenClaw is essentially still built on a large model and may be vulnerable to risks such as prompt injection and data poisoning. Once problems occur, they are difficult to trace, so it needs to be treated with caution."


Besides, the cost risks of OpenClaw are well-known. Since OpenClaw relies on large models for reasoning, every step of task execution requires calling the model interface. If run in the cloud and improperly configured, both computational power and invocation costs can quickly escalate.


Of course, through various security configurations and restrictions, the security risks of OpenClaw can be significantly reduced. However, at that point, its functionality no longer compares with its original state. A senior coder told VCBeat that if strict security configurations are applied to OpenClaw, such as full localization, strict permissions, and read-only analysis, then compared with existing solutions like custom automation scripts, it may not have absolute advantages in terms of security, cost, and maintainability.


AI security experts stated that, at this stage, safety and intelligence are indeed contradictory to each other, but OpenClaw still has its merits: "If you want it to be more intelligent, permission control needs to be more open, and security will decrease; if you want it to be more secure, there need to be more restrictions, and the level of intelligence will drop. If some reinforcement and customized development are applied to OpenClaw, even if the intelligence level decreases somewhat, it could still potentially be used in a medical environment. At the very least, it’s still based on a large model, allowing users to interact through natural language, which would lower the usage cost of some professional software and assist with tasks like document editing and statistical analysis. I believe it can actually solve many problems."


Where Will AI-Era Security Solutions Go in the Post-OpenClaw Era?


For the current stage of using OpenClaw in a medical environment, AI security experts from DBAPP Security have provided several specific security recommendations.


The first is deployment isolation: OpenClaw should be deployed through virtualization or containerization. In particular, it must be physically isolated from the hospital's HIS system.


The second point is to strictly control permissions. He mentioned in the exchange: "Some dangerous commands must be absolutely prohibited from execution, and access to sensitive file systems needs to be restricted. Additionally, for the 'input' medical data, desensitization is required, and the memory persistence function of OpenClaw should be turned off. After all, if you accidentally provide sensitive data, its memory could still persist long-term."


The third point is the need to be clear about the functional boundaries, for instance by prohibiting the invocation of medical system interfaces, or by opening only low-risk capabilities such as document querying or administrative assistance.


The fourth aspect is security reinforcement. "We need to deploy security software to prevent security risks, such as prompt injection risks; we also need to establish full-process log auditing; and even achieve one-click shutdown to promptly block any risks that arise," he added.


Finally, there is security and compliance governance. "We must first conduct this security assessment, and if necessary, carry out this medical staff training, then regularly have the administrator perform vulnerability scans and patch updates."
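The second to fourth recommendations above (prohibited commands, restricted file access, desensitized input, functional boundaries, full-process audit logging and one-click shutdown) can be pictured as a single gate that every agent action must pass. The sketch below is an added example, not OpenClaw's or any vendor's code; the tool names, the `/srv/agent/docs` root and the sample values are hypothetical.

```python
import hashlib, json, posixpath, re

# Hypothetical policy values, constructed for this example (not OpenClaw settings).
ALLOWED_TOOLS = {"read_file", "run_command"}   # anything else, e.g. a HIS interface, is refused
ALLOWED_ROOT = "/srv/agent/docs"               # the only tree the agent may touch
SAFE_COMMANDS = {"ls", "cat", "wc"}            # default-deny: unlisted commands never run
SHELL_META = re.compile(r"""[;&|`$<>\\"'\n]""")
PII = [(re.compile(r"\b\d{17}[\dXx]\b"), "[ID]"),       # 18-character ID number
       (re.compile(r"\b1[3-9]\d{9}\b"), "[PHONE]")]     # 11-digit mobile number

def desensitize(text):
    """Mask identifiers before text reaches the model, its memory or the log."""
    for pattern, mask in PII:
        text = pattern.sub(mask, text)
    return text

def inside_root(path):  # lexical check only: ../ is collapsed, symlinks are not resolved
    return posixpath.normpath(path).startswith(ALLOWED_ROOT + "/")

class Gate:
    def __init__(self):
        self.stopped = False
        self.audit = []                                 # hash-chained decision log

    def stop(self):  # one-click shutdown: every later request is refused
        self.stopped = True

    def _check(self, tool, arg):
        if self.stopped:
            return "deny: stopped"
        if tool not in ALLOWED_TOOLS:
            return "deny: tool outside functional boundary"
        if tool == "read_file":
            return "allow" if inside_root(arg) else "deny: path outside allowed root"
        if SHELL_META.search(arg):
            return "deny: shell metacharacter"
        words = arg.split()
        if not words or words[0] not in SAFE_COMMANDS:
            return "deny: command not on allowlist"
        # No options accepted: every argument must be a path inside the root.
        return "allow" if all(map(inside_root, words[1:])) else "deny: path outside allowed root"

    def decide(self, tool, arg):
        verdict = self._check(tool, arg)
        prev = self.audit[-1]["hash"] if self.audit else "0" * 64
        entry = {"tool": tool, "arg": desensitize(arg), "verdict": verdict, "prev": prev}
        entry["hash"] = hashlib.sha256(json.dumps(entry, sort_keys=True).encode()).hexdigest()
        self.audit.append(entry)
        return verdict
```

Because each log entry carries the hash of the previous one, an auditor can recompute the chain to detect a deleted or altered record.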


Many security vendors have also started to take action. For example, DBAPPSecurity urgently released the OpenClaw security protection tool — ClawdSecbot, which can scan for OpenClaw vulnerabilities and provide one-click protection. Administrators can formulate security policies to block potential risks associated with OpenClaw.


Experts believe that the growing popularity of AI agents is presenting new demands for the medical safety market: "Currently, traditional EDR software identifies risks based on process behavior. While it can prevent AI from executing certain sensitive commands or prohibit access to specific directories, its ability to identify risks based on intent is becoming increasingly limited. For instance, whether the behavior of a process is triggered by a user, a prompt, or external content such as malicious code, existing security software cannot make that determination."


"The popularity of AI agents, especially edge-side agents like OpenClaw, will be a watershed moment for security. Traditional security solutions are essentially static rules or perimeter defenses, which are becoming less effective in an AI-driven environment. In the future, we may need to enhance behavioral analysis by performing contextual analysis of system instructions, which means analyzing behavioral intent. This will be the direction for the development of security solutions in the AI era," he added.


Experts say that such security solutions capable of meeting the demands of the AI era still pose certain challenges: "We need to consider all risk scenarios and handle massive amounts of data, while also addressing performance issues without excessive system overhead. Additionally, we must ensure the security of the security products themselves. Currently, we are conducting some preliminary work on AI protection with the aim of launching mature AI security solutions as soon as possible."


In conclusion


The explosive popularity of OpenClaw is perhaps worth pondering. It is unexpected that such a high-risk and immature application could spread across the internet as rapidly as a pyramid scheme, and even be openly discussed for introduction into the medical environment, where safety is paramount. While its efficiency improvement is indeed tempting, the widespread disregard for risks seems to be a footnote to the current data security issues in the healthcare sector.


In the foreseeable future, AI agents will continue to gain popularity. This also poses a huge challenge to the security industry, and the medical field, as well as the entire society, will urgently need security solutions that are more in line with the AI era. Of course, no matter how technology changes, what is probably more important is the medical community's reverence for safety. After all, any good security configuration and rules will pale in comparison to human nature.