Today, while working on an assessment, I was comparing the training and data retention policies of several popular model providers. MiniMax came up in the list. I’d used it a few times through OpenRouter simply to compare it with other models, but I’d never had reason to look at the policy side until now.

Then I read the terms of service. There’s a clause in there most users probably skip past: “use or disclosure of Confidential Information for the purpose of improving algorithms or enhancing services does not constitute a breach of confidentiality obligations.” That’s a training data carve-out written to look like a standard confidentiality provision.

From there, I kept digging. The pricing gap is part of why MiniMax gets picked up: their Coding Plan costs US$0.30 per million input tokens, against US$5.00 for Anthropic’s Claude Opus 4.6. For a developer running autonomous agents that churn through tokens all day, that 17x difference could equate to thousands of dollars a month. It’s not a trivial number, and it’s not hard to see how someone optimises for it without looking too closely at the rest.

OpenClaw is an open-source AI agent framework that allows models to execute tools, run workflows, and interact with external systems. It has become one of the most widely adopted self-hosted agent platforms available, and MiniMax is its most prominently featured provider. That combination is what this post is about.

Who/What is MiniMax?

MiniMax was founded around late 2021 by former SenseTime executive Yan Junjie and other alumni of the company. Before founding MiniMax, Yan served as vice president and CTO of SenseTime’s smart city business unit, a division that sold facial recognition technology to public security bureaus across China. US Treasury sanctions documentation confirms SenseTime “developed facial recognition programs that can determine a target’s ethnicity, with a particular focus on identifying ethnic Uyghurs.”

SenseTime has been sanctioned three separate times by the United States government: the Commerce Entity List in October 2019, the Treasury NS-CMIC List in December 2021, and the DoD Chinese Military Company List in January 2025.

MiniMax was founded in the same period as the December 2021 Treasury sanctions on SenseTime. Yan Junjie and MiniMax co-founder Song Yachen both came from SenseTime, and Yan’s division there sold directly to Chinese government and public security clients.

The Singapore subsidiary (Nanonoble Pte. Ltd.) is named as the operating entity in MiniMax’s API privacy policy. That does not create jurisdictional distance. Article 36 of China’s Data Security Law bars domestic organisations from handing data stored in China to foreign judicial or law enforcement bodies without PRC government approval, and the intelligence obligations that bind the Shanghai parent extend through the corporate structure. A Singapore incorporation does not, by itself, remove PRC legal exposure while the parent company and core operations remain in Shanghai.

What the terms of service actually say

MiniMax’s Terms of Service contain this clause: “Our use or disclosure of Confidential Information for the purpose of improving algorithms or enhancing services does not constitute a breach of confidentiality obligations.”

It means that MiniMax can use data sent through the API for training and model improvement regardless of what other confidentiality provisions the ToS might contain. The privacy policy adds further latitude, permitting MiniMax to “mine, analyze and utilize the database commercially” after de-identification, without defining what constitutes adequate de-identification. The European Data Protection Board noted in Opinion 28/2024 that AI models “rarely achieve true anonymisation.”

Comparing this with Western providers:

| Provider | Training opt-out | Retention controls | SOC 2 audit | Public DPA |
|---|---|---|---|---|
| OpenAI | Yes (business API data not used for training by default) | 30-day default; ZDR available for qualifying orgs | Type II | Yes |
| Anthropic | Yes | Available | Type II | Yes |
| MiniMax | Algorithm improvement carve-out permits use | No equivalent found publicly | No public SOC 2 found during review | No public DPA found during review |

There is no enterprise tier with enhanced privacy protections, no published subprocessor list, no Standard Contractual Clauses. And MiniMax’s privacy policy contains no reference to PRC law despite the company being headquartered in Shanghai.

The lobster paradox

In March 2026, Chinese government agencies and state-owned entities warned staff against using OpenClaw on work and some personal devices, citing security concerns. Bloomberg reported that state-affiliated restrictions extended to state-run banks and government agencies.

CNCERT/CC, China’s national computer emergency response team, published a separate risk warning identifying four specific threat categories: prompt injection, misoperation risk, malicious plugins, and known vulnerabilities.

At the same time, local governments in Shenzhen and Wuxi are offering millions in subsidies to AI startups building on these same agentic frameworks, and MiniMax’s Hong Kong listing was oversubscribed 1,837 times. Yan Junjie attended a symposium chaired by Premier Li Qiang to advise on China’s 15th Five-Year Plan, becoming the second AI founder invited to do so after DeepSeek’s Liang Wenfeng.

The Chinese government has assessed these tools as risky enough to ban from government systems, while actively subsidising the companies that sell them internationally. Whether this is coordinated strategy or the result of different government agencies with genuinely incompatible mandates (cybersecurity vs. economic development), the practical outcome for foreign users is the same.

The supply chain problem

The data privacy question is separate from, but compounds, the agent security problem.

OpenClaw’s Gateway is commonly exposed on port 18789 in unsafe deployments. Current OpenClaw documentation points local users to 127.0.0.1:18789 / localhost:18789 and recommends keeping the Gateway on loopback, but configurations using gateway.bind: "lan" bind the service to the host’s LAN IP rather than loopback, making it reachable by other devices on the same network. Security researchers have described many of these exposures as configuration failures rather than core product bugs, but the result is the same: Bitsight found 30,000+ internet-exposed instances in February 2026, with subsequent scans putting the number at 135,000+ and 220,000+. Authentication credentials are stored in plaintext at ~/.openclaw/openclaw.json, and the Oasis Security ClawJacked research demonstrated that authentication could be brute-forced at hundreds of guesses per second against the WebSocket interface.

The supply chain picture for ClawHub, OpenClaw’s community plugin marketplace, is worse, and the risk splits into two distinct categories.

Active malware. Koi Security found 341 outright malicious skills in a sample of 2,857 (11.9%). Snyk’s ToxicSkills research put the direct malware/backdoor rate at 13.4% of its 3,984-skill sample. A single threat actor had published 314 of the 341, distributing macOS and Windows malware, with prompt injection payloads embedded in 91% of them so the agent would execute the code without user intervention.

Architectural fragility. The more insidious number from Snyk is 36.8%. That figure includes skills with context-leakage flaws and structural prompt injection vulnerabilities: not actively malicious by design, but written in a way that lets an attacker turn a “Weather Skill” into a file exfiltration tool with a crafted prompt. In an agentic workflow, the model is the user. If the skill is flawed, the model’s permissions are inherited by the attacker.

There is also CVE-2026-25253 (CVSS 8.8): a one-click remote code execution vulnerability that works by exfiltrating an authentication token via a malicious link, giving an attacker full control of the agent.

What you’re actually handing over

The supply chain and exposure problems would be less severe if OpenClaw agents were only connected to low-value data. The integrations people are actually deploying tell a different story.

Users routinely connect OpenClaw to full email accounts with read and write access via OAuth. The agent can read everything in the inbox: password reset links, contracts, API keys sent by other services. Summer Yue, director of alignment at Meta Superintelligence Labs, found this out in February 2026 when an agent she had connected to her real Gmail inbox started deleting every message older than a week, ignored repeated stop commands sent from her phone, and had deleted over 200 emails by the time she ran to her computer to terminate it manually.

A community-maintained Home Assistant integration available through HACS lets users provide a Long-Lived Access Token, after which the agent controls lights, thermostats, and door locks and receives real-time occupancy and sensor data. One documented setup routes all of this through WhatsApp, via the unofficial Baileys library, which gives the agent full conversation history and contact list access and violates WhatsApp’s Terms of Service. Databases (PostgreSQL, MySQL, SQLite) connect via MCP servers and are queried in plain language. Developer tool integrations cover GitHub repositories with personal access tokens, Stripe payment and customer data, and Notion workspaces.

Browser-use MCP servers are a different category of exposure entirely. When an agent controls a Chromium instance, it inherits the user’s live authenticated sessions with no separate OAuth grant required. Banking portals, payroll systems, and healthcare records become reachable because the user is already logged in. The distinction from OAuth-based integrations matters: the agent does not just read, it acts. It can initiate transfers, submit forms, and post content. Any web page the agent visits is also potential attack surface, since malicious page content can inject instructions the agent cannot reliably distinguish from its own instructions.

| Category | What the agent can access |
|---|---|
| Email | Full inbox read/write (Gmail, Fastmail), including password resets and credentials sent by other services |
| Calendar | Read/write scheduling data |
| Smart home | Device control, real-time sensor data, door locks, occupancy (via Home Assistant) |
| Messaging | Full conversation history and contact list (WhatsApp via Baileys; Telegram, Slack, Discord) |
| File system | Arbitrary local files, SSH keys, .env files, browser cookies |
| Databases | PostgreSQL, MySQL, SQLite via natural language queries |
| Developer tools | GitHub repositories, Stripe customer and payment data, Notion workspaces |
| Browser sessions | Any authenticated web session (banking, payroll, healthcare); the agent can act, not just read |

The agent runs with the file system permissions of the host user, so ~/.ssh/, .env files, and browser credential stores are all in scope unless you explicitly restrict access.

What happens when things go wrong is already documented. A TechLetters analysis documented an incident where an OpenClaw agent published internal cybersecurity threat intelligence from a vendor platform to ClawdINT.com a week after the site launched. The agent treated internal-only content the same as public information, and the organisation whose data was exposed did not find out until someone else noticed.

Separately, a stealer identified as likely a Vidar variant is targeting OpenClaw configuration files: openclaw.json (gateway tokens and workspace paths for remote instance access), device.json (cryptographic pairing keys), and soul.md (the agent’s behavioural guidelines and ethical boundaries). Stealing those files gives an attacker silent, persistent access to the agent and everything it is connected to. This connects directly to the exposed instance and plaintext credential problems described above: the credentials being stored in plaintext are exactly what Vidar is after.

If you use OpenClaw

Route through ZDR endpoints via OpenRouter. For most users this is the practical first step. OpenRouter’s Zero Data Retention (ZDR) feature routes requests only to providers that do not store your data at all (not for abuse detection, not for training, not temporarily). OpenClaw has first-class OpenRouter support and is the highest-volume app on the platform. You can enforce ZDR globally in your OpenRouter account settings, or per-model in openclaw.json5 by adding "params": { "provider": { "zdr": true, "data_collection": "deny", "allow_fallbacks": false } } to the relevant model entry. The allow_fallbacks: false setting matters: without it, OpenRouter may silently route to a non-ZDR provider if your preferred one is unavailable. OpenRouter itself does not retain prompts unless you explicitly opt into logging. Combined with Western providers (Anthropic, OpenAI) that have SOC 2 Type II certifications and published DPAs, this eliminates the data persistence problem without requiring any local infrastructure. The tradeoff versus a local model is that data still crosses a network; ZDR means that it is not stored at the other end, but it is still transmitted. For most agentic workloads this is a better starting point than local inference, unless you have a GPU with enough VRAM to run a capable model at a useful speed (a constraint that matters more than it sounds once agents start chaining tool calls).

Run local models. OpenClaw supports Ollama, vLLM, LM Studio, and llama.cpp as local backends. Running locally eliminates the data transmission problem entirely. Chinese open-weight models like Qwen (Apache 2.0 licence) and DeepSeek (MIT licence) can be safely self-hosted. Once the weights are on your hardware, the National Intelligence Law concerns disappear because no data leaves your infrastructure. The API connection is where the risk sits; the weights are just maths.

Harden your OpenClaw setup whichever model backend you use:

  • Ensure the Gateway is only reachable through intended access paths; loopback (127.0.0.1) is preferred unless remote access is deliberately required and secured (e.g. via Tailscale)
  • Use a cryptographically random authentication token rather than accepting the default
  • Audit every ClawHub skill before installing, and avoid unverified publishers
  • Restrict the agent’s file system access to only what it genuinely needs
  • Log and review outbound connections from the process

Be deliberate about what you connect. The supply chain and exposure risks described above are compounded significantly by what the agent can reach. Do not connect OpenClaw to accounts or systems you cannot afford to have exfiltrated, misused, or acted upon without your explicit confirmation. That means avoiding OAuth grants to primary email accounts, production databases, payment systems, or any service with write access to something consequential. Browser sessions are the highest-risk integration: if the agent controls a browser where you are already logged into your bank, payroll system, or healthcare provider, those sessions are reachable without any separate authorisation step. Keep a dedicated browser profile for agent use, logged into nothing sensitive, and treat any deviation from that as a deliberate risk decision.

The failure modes here are already documented. Software engineer Chris Boyd connected OpenClaw to iMessage so it could send him a daily news digest; when his wife replied in an unexpected format, the agent entered a confirmation loop with no exit condition and sent over 500 messages to his contacts before he could stop it. Alex Finn gave his Moltbot (an earlier name for the same tool) access to his Twilio account and woke up to find his agent had purchased a phone number and called him after independently deciding it needed a voice channel. Developer William Peltomäki demonstrated that a single crafted email was enough to cause a ClawdBot-connected inbox to exfiltrate its contents to a third party, because the agent could not distinguish between its own instructions and text it was reading in an email body.

Most developers reach for whatever is cheapest and works with the tool they are already using. That is fine, but it carries privacy implications worth evaluating deliberately. Both OpenAI and Anthropic offer SOC 2 Type II certified platforms with explicit data handling commitments and published DPAs if you need a cloud-hosted model with documented obligations.

Local deployment removes the data transmission risk and leaves everything else exactly as it was. An OpenClaw instance running locally still has shell access, file system access, and web browsing capabilities. The ClawHub supply chain risks and the gateway exposure and vulnerability problems described above apply regardless of which model backend you use.

If you manage an environment

OpenClaw has a distinctive enough footprint that you can find it before an incident does it for you.

Network detection. Traffic to *.openclaw.ai indicates installation or active use. OpenClaw’s Gateway defaults to port 18789 (Shodan fingerprint: port:18789 clawdbot). Outbound connections to api.minimax.io or api.minimaxi.com from managed endpoints confirm a MiniMax-connected agent running somewhere on your network. Add those MiniMax endpoints to your DNS blocklist or proxy deny list. A sweep for environment variables including MINIMAX_API_KEY, DEEPSEEK_API_KEY, and OPENCLAW_CONTROL_UI_BASE_PATH across development infrastructure will surface existing exposure faster than waiting for network alerts.

Endpoint detection. Process names to watch for: openclaw, openclaw.exe, and clawdbot. The presence of ~/.openclaw/openclaw.json, ~/.openclaw/device.json, or ~/.openclaw/soul.md on a managed endpoint confirms an installation. These are also the exact files the stealer described above (likely a Vidar variant) targets, so finding them on an unmanaged endpoint represents two separate risks: data flowing to MiniMax’s infrastructure if that is the configured provider, and a separate threat actor making off with the credentials.

Configuration auditing. If you find an installation, check its configuration for these flags: auth_mode=none (a legacy flag present in older or misconfigured installs; current versions enforce token authentication by default), dangerouslyDisableDeviceAuth, allowInsecureAuth, and gateway.bind=lan. Any of these indicates that the gateway is unauthenticated or network-accessible, and some combinations mean both. Since the credentials in openclaw.json are stored in plaintext, a misconfigured instance can be taken over with minimal effort.
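One way to run that audit, as an added example rather than OpenClaw’s own tooling: the script below flattens a parsed config into dotted paths and flags the settings named in this section, plus the OpenRouter ZDR parameters from the earlier section (a provider block without zdr: true or with allow_fallbacks left unset is reported). Where those keys sit in the file, the token key names and the hardened bind value are assumptions, and both sample configs are constructed for the example.

```python
"""Audit a parsed OpenClaw config for the risky settings listed above.

Added example, not OpenClaw's own tooling. The flag names (auth_mode,
dangerouslyDisableDeviceAuth, allowInsecureAuth, gateway.bind) and the
OpenRouter params (params.provider.zdr / allow_fallbacks) are the ones the
text names; where they sit in the file is assumed, so the audit flattens the
whole document to dotted paths and matches on the trailing key rather than a
fixed location. Both sample configs are constructed for this example; feed the
real file through json.load (or a JSON5 parser for openclaw.json5).
"""
import secrets
from typing import Any, Callable, Dict, List

# Trailing key -> predicate that makes its value a finding.
RISKY: Dict[str, Callable[[Any], bool]] = {
    "auth_mode": lambda v: v == "none",
    "dangerouslyDisableDeviceAuth": lambda v: v is True,
    "allowInsecureAuth": lambda v: v is True,
    "gateway.bind": lambda v: v == "lan",
}
TOKEN_KEYS = {"token", "auth_token", "authToken"}  # assumed names for the gateway token
ZDR_MARK = "params.provider."


def flatten(node: Any, prefix: str = "") -> Dict[str, Any]:
    """Turn nested dicts/lists into {"models.0.params.provider.zdr": leaf}."""
    if isinstance(node, dict):
        items = [(k, v) for k, v in node.items()]
    elif isinstance(node, list):
        items = [(str(i), v) for i, v in enumerate(node)]
    else:
        return {prefix.rstrip("."): node}
    out: Dict[str, Any] = {}
    for k, v in items:
        out.update(flatten(v, f"{prefix}{k}."))
    return out


def weak_token(value: Any) -> bool:
    """Short or low-variety strings fail; a random 32-byte hex token passes."""
    return not isinstance(value, str) or len(value) < 32 or len(set(value)) < 8


def audit(config: Dict[str, Any]) -> List[str]:
    """Return sorted findings; an empty list means none of the checks fired."""
    flat = flatten(config)
    findings = []
    for path, value in flat.items():
        for suffix, is_bad in RISKY.items():
            if (path == suffix or path.endswith("." + suffix)) and is_bad(value):
                findings.append(f"{path}={value!r}: gateway unauthenticated or network-exposed")
        if path.split(".")[-1] in TOKEN_KEYS and weak_token(value):
            findings.append(f"{path}: weak or placeholder token")
    # Every OpenRouter provider block must pin ZDR and refuse silent fallback.
    blocks = {p[: p.index(ZDR_MARK) + len(ZDR_MARK)] for p in flat if ZDR_MARK in p}
    for b in sorted(blocks):
        if flat.get(b + "zdr") is not True:
            findings.append(f"{b}zdr: not true, requests may reach a retaining provider")
        if flat.get(b + "allow_fallbacks") is not False:
            findings.append(f"{b}allow_fallbacks: not false, may fall back to a non-ZDR provider")
    return sorted(findings)


# Constructed: the kind of config the text warns about, and its hardened twin.
WEAK_CONFIG = {
    "gateway": {"bind": "lan", "port": 18789, "auth_mode": "none", "token": "changeme"},
    "dangerouslyDisableDeviceAuth": True,
    "models": [{"id": "openrouter/example-model",  # hypothetical model id
                "params": {"provider": {"zdr": True}}}],
}
HARDENED_CONFIG = {
    "gateway": {"bind": "loopback",  # assumed value; the text names only "lan" as risky
                "port": 18789, "auth_mode": "token", "token": secrets.token_hex(32)},
    "dangerouslyDisableDeviceAuth": False,
    "allowInsecureAuth": False,
    "models": [{"id": "openrouter/example-model",
                "params": {"provider": {"zdr": True, "data_collection": "deny",
                                        "allow_fallbacks": False}}}],
}
```

Running audit(WEAK_CONFIG) reports five findings (the LAN bind, auth_mode none, the disabled device auth, the placeholder token, and the missing allow_fallbacks: false); audit(HARDENED_CONFIG) returns an empty list. Matching on the trailing key rather than a fixed path means a flag that has been moved or nested differently between versions is still caught.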

Software inventory. OpenClaw is distributed as an npm package named openclaw. If your CASB or endpoint tooling monitors npm installs on managed devices, adding this to your watchlist costs nothing and catches shadow deployments before they generate alerts elsewhere.

Regulatory exposure. If you operate in the EU and an employee has sent data through a MiniMax API endpoint, you may have a reportable data transfer issue under GDPR. The Irish Data Protection Commission’s EUR 530M fine against TikTok in May 2025 for misrepresenting how EU data was handled in China is the clearest signal of where enforcement is heading. noyb has filed six GDPR complaints across five EU countries against Chinese technology companies over data transfers to China.

Policy recommendation. Given the architecture (unauthenticated in older or misconfigured installs, executes arbitrary code, accesses live browser sessions, supports third-party plugins with a 12-13% confirmed malware rate), OpenClaw sits in block-or-escalate territory rather than monitor. The 220,000-plus publicly exposed instances suggest most deployments arrive without IT involvement. Detection first, then a policy conversation with affected teams about approved alternatives.

The broader “Claw” family. OpenClaw’s visibility has spawned a set of alternatives worth adding to the same watchlist:

  • NanoClaw (npm: nanoclaw, config at ~/.config/nanoclaw/) runs each agent in an isolated Docker container and connects via messaging platform webhooks rather than a persistent local port, making it harder to catch with port scanning alone.
  • IronClaw is a Rust binary (process: ironclaw, config at ~/.ironclaw/) that defaults to TCP 8080 and requires a PostgreSQL database; unexpected outbound port 5432 connections from developer workstations are a secondary signal.
  • ZeroClaw is a static single binary (process: zeroclaw, port 42617) with no package manager footprint, commonly deployed alongside cloudflared to tunnel it through Cloudflare without opening a firewall port.
  • AnythingLLM (Docker image: mintplexlabs/anythingllm, port 3001) predates OpenClaw but has a similar plugin surface and frequently runs without authentication when AUTH_TOKEN is not set.
  • On the cloud side, Kimi Claw (Moonshot AI, Beijing) embeds an OpenClaw agent into kimi.com for $40/month, meaning employees can sign up individually; egress to *.moonshot.cn and api.moonshot.cn is the detection signal.

All of these frameworks share the same core risks: community plugin marketplaces with minimal vetting, broad file system and browser access, and default configurations that prioritise ease of setup over security.
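The indicators from the network detection, endpoint detection and Claw-family sections above, pulled into one script as an added example (not from this post or any vendor): it suffix-matches DNS queries against the listed domains, parses ss -ltnp style socket lines for the listed ports and process names and notes whether the bind is off-loopback, and groups file paths by the framework whose config they belong to. The DNS log line format and every sample line are constructed for the example; adapt the two parsers to what your resolver and EDR actually emit.

```python
"""Surface Claw-family agents from DNS logs, listening sockets and endpoint files.

Added example for the detection sections above, not from the post or any vendor.
The domains, ports, process names and config paths are the ones the text lists;
the DNS line format "<timestamp> <client-ip> <qtype> <qname>" and the ss -ltnp
style socket lines are constructed for this example, so adapt the parsers to
what your resolver and EDR actually emit.
"""
import re
from collections import defaultdict
from typing import Dict, List, Optional

DOMAIN_INDICATORS = {  # suffix-matched, so any *.openclaw.ai name hits
    "openclaw.ai": "openclaw",
    "api.minimax.io": "minimax-api",
    "api.minimaxi.com": "minimax-api",
    "moonshot.cn": "kimi-claw",
}
PORT_INDICATORS = {18789: "openclaw", 42617: "zeroclaw", 3001: "anythingllm"}
PROCESS_INDICATORS = {"openclaw", "openclaw.exe", "clawdbot", "ironclaw", "zeroclaw"}
PATH_INDICATORS = [
    (re.compile(r"/\.openclaw/(openclaw\.json|device\.json|soul\.md)$"), "openclaw"),
    (re.compile(r"/\.config/nanoclaw/"), "nanoclaw"),
    (re.compile(r"/\.ironclaw/"), "ironclaw"),
]
LOOPBACK = {"127.0.0.1", "[::1]", "::1", "localhost"}
# One `ss -ltnp` row: state, queues, local addr:port, peer, owning process.
LISTEN_RE = re.compile(
    r'LISTEN\s+\d+\s+\d+\s+(?P<addr>\S+):(?P<port>\d+)\s+\S+\s+users:\(\("(?P<proc>[^"]+)"'
)


def match_domain(qname: str) -> Optional[str]:
    """Indicator label for a queried name, or None if it is not on the list."""
    q = qname.lower().rstrip(".")
    for suffix, label in DOMAIN_INDICATORS.items():
        if q == suffix or q.endswith("." + suffix):
            return label
    return None


def scan_dns(lines: List[str]) -> Dict[str, List[str]]:
    """Map each client IP to the sorted labels of indicator domains it resolved."""
    hits = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue  # truncated line: skip rather than guess at fields
        client, qname = parts[1], parts[3]
        label = match_domain(qname)
        if label:
            hits[client].add(label)
    return {client: sorted(labels) for client, labels in hits.items()}


def scan_listeners(lines: List[str]) -> List[dict]:
    """Flag sockets by known port or process name, noting off-loopback binds."""
    findings = []
    for line in lines:
        m = LISTEN_RE.search(line)
        if not m:
            continue
        addr, port, proc = m["addr"], int(m["port"]), m["proc"]
        label = PORT_INDICATORS.get(port)
        if label is None and proc in PROCESS_INDICATORS:
            label = proc  # e.g. ironclaw on the generic port 8080
        if label is not None:
            findings.append({"label": label, "proc": proc, "port": port,
                             "addr": addr, "exposed": addr not in LOOPBACK})
    return findings


def scan_paths(paths: List[str]) -> Dict[str, List[str]]:
    """Group file paths by the framework whose config or state they belong to."""
    found = defaultdict(list)
    for p in paths:
        for pattern, label in PATH_INDICATORS:
            if pattern.search(p):
                found[label].append(p)
    return dict(found)


# Constructed sample telemetry for the example.
SAMPLE_DNS = [
    "2026-03-02T10:14:05Z 10.0.4.12 A www.openclaw.ai",
    "2026-03-02T10:14:09Z 10.0.4.12 A api.minimax.io",
    "2026-03-02T10:15:33Z 10.0.4.77 A api.moonshot.cn",
    "2026-03-02T10:15:40Z 10.0.4.77 A api.openai.com",
    "2026-03-02T10:16:01Z 10.0.4.12 AAAA api.minimaxi.com",
]
SAMPLE_SOCKETS = [
    'LISTEN 0 511 0.0.0.0:18789 0.0.0.0:* users:(("node",pid=4242,fd=21))',
    'LISTEN 0 128 127.0.0.1:42617 0.0.0.0:* users:(("zeroclaw",pid=5150,fd=7))',
    'LISTEN 0 4096 *:8080 *:* users:(("ironclaw",pid=6001,fd=9))',
    'LISTEN 0 128 127.0.0.1:5432 0.0.0.0:* users:(("postgres",pid=900,fd=5))',
]
SAMPLE_PATHS = ["/home/dev/.openclaw/openclaw.json", "/home/dev/.openclaw/soul.md",
                "/home/dev/.config/nanoclaw/config.json", "/home/dev/.ssh/id_ed25519"]
```

On the sample data, scan_dns attributes an OpenClaw install plus MiniMax API traffic to 10.0.4.12 and Kimi Claw egress to 10.0.4.77; scan_listeners flags the gateway on 18789 bound to all interfaces (labelled by port even though the process is plain node), a loopback-only ZeroClaw, and IronClaw on 8080 (labelled by process name, since 8080 alone is too generic to alert on); the PostgreSQL listener is left for correlation with the IronClaw hit rather than flagged on its own.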