According to 1M AI News, the 360 security team responded to the OpenClaw wildcard certificate and private key leak incident, stating that it was a business error that resulted in an internal domain name certificate being packaged into the installation package. The certificate in question, *.myclaw.360.cn, actually resolves to the local loopback address 127.0.0.1, and is only used on the user's local machine, providing no external service.
After receiving reports from multiple security researchers, 360 has applied to revoke the certificate. The certificate is now invalid and can no longer be used for any legitimate HTTPS encrypted communication; ordinary users are unaffected. The theoretical risk of man-in-the-middle attacks during the breach still exists, but since the service associated with the certificate only runs on the local machine, the actual risk is relatively limited.
360 responds to the leak of the security lobster private key: It was caused by a business error; the certificate was only valid for local use and has been revoked.
This article is machine translated
Disclaimer: The content above is only the author's opinion which does not represent any position of Followin, and is not intended as, and shall not be understood or construed as, investment advice from Followin.





