ClawClaw

Each user gets a dedicated VPS via Hetzner/DigitalOcean/Vultr, providing strong physical isolation between users. The landing page claims '100% Owned Data' and 'Your own server, your data. No shared infrastructure, no logs, no third parties.' Privacy policy states 'We do not sell your personal information.' However, the platform itself stores user data (email, server config, root passwords) in a centralized PostgreSQL database, and the privacy policy mentions using data for 'Monitor and analyze usage patterns to improve our Service.' No mention of encryption at rest on the VPS or data training exclusion for AI models used by OpenClaw agents.

The cloud-init configuration reveals that OpenClaw sandbox mode is explicitly disabled: 'sandbox: { mode: "off" }' in the generateCloudInit.ts code. All messaging channels are configured with open DM policies: 'whatsapp: { dmPolicy: "open", allowFrom: ["*"] }'. The gateway enables 'allowInsecureAuth: true' for HTTP access. There is no mention of prompt injection protection, memory integrity, or human-in-the-loop controls anywhere on the website or in the source code.

Root passwords for VPS instances are stored as plaintext text columns in the PostgreSQL database (migration adds '"root_password" text' without encryption). The platform SSHes into user servers using these stored plaintext passwords to manage configurations via executeSSH(claw.ip, claw.rootPassword, ...). API keys (Anthropic, OpenAI, Google) are injected directly into the cloud-init script and stored in .env files on the VPS. The getClawEnvVars endpoint reads credentials via SSH and returns them over the API. Token generation uses cryptographically secure randomBytes(32), which is good, but storage negates this.

No information found about rate limiting for agent actions, spending caps, kill switches, behavioral monitoring, or least-privilege enforcement for agents. The OpenClaw sandbox is explicitly turned off in the default configuration. All messaging channels are set to accept messages from anyone ('allowFrom: ["*"]'). No documentation about agent guardrails or resource consumption limits.

The platform provides a data export feature that creates a compressed tar archive of the entire .openclaw directory via SSH, with rate limiting to once per hour. The comparison table claims 'Export your OpenClaw anywhere' vs competitors' 'Vendor lock-in'. Users have full SSH/root access to their VPS. However, there is no mention of automated backups, backup verification, or recovery procedures. The open-source codebase (MIT license, 126 GitHub stars) provides some portability. Terms state 'We may terminate or suspend your account immediately, without prior notice.'

Pricing is transparent and clearly displayed on the landing page with exact monthly costs per plan across three providers (Hetzner starting at $10/mo, DigitalOcean and Vultr also listed). Terms state 'Services are billed on a fixed monthly basis' and 'If you cancel, the cancellation takes effect at the end of the current billing period.' However, terms also note 'Prices are subject to change with reasonable notice' and 'All payments are non-refundable.' No mention of spending caps for the underlying AI API usage (users bring their own API keys). No hard spending limits on agent resource consumption.

Privacy policy mentions 'appropriate technical and organizational measures' but provides no specifics. No incident response process documented. No breach notification timeline specified. No audit logging described. No information about data jurisdiction beyond 'Your information may be transferred to and processed in countries other than your own.' Terms allow termination 'without prior notice.' Contact is limited to email addresses (legal@clawhost.cloud, support@clawhost.cloud). No company registration, no named entity, no physical address disclosed.

The platform installs OpenClaw via npm globally ('npm install -g openclaw@${OPENCLAW_VERSION}'), pinning to a specific version which is positive. Node.js 22 is installed from NodeSource. Homebrew is installed asynchronously on each VPS. No mention of dependency scanning, SBOM, or verification of package integrity. No ClawHub skill vetting mentioned despite dashboard integration with ClawHub marketplace. The codebase uses standard npm packages but no evidence of security auditing for dependencies.

The API implements security headers including 'X-Content-Type-Options: nosniff', 'X-Frame-Options: DENY', and 'Strict-Transport-Security: max-age=31536000; includeSubDomains'. CORS is restricted to specific origins. Authentication uses Firebase with OTP verification and rate limiting. Body size limited to 1MB. UFW firewall configured on VPS instances allowing only ports 22, 80, 443. SSL via Let's Encrypt with auto-renewal. However, no MFA mentioned beyond email magic links/OTP, no evidence of penetration testing, and the platform stores root passwords in plaintext.

No information found about hallucination mitigation, approval workflows for agent actions, output verification, undo/rollback capabilities, or transparency about AI uncertainty. The platform deploys OpenClaw with default settings and does not add any additional trust or verification layers on top of the base OpenClaw functionality.