#32

Cognio Labs

Live
White Glove Setup

White-glove $499 one-time setup service for security-hardened OpenClaw deployments

From: $499 (One-time setup fee; optional $99/mo maintenance plan covering updates, monitoring, support)
Security: Basic 7.8/100
Price Range: $499 - $499
Free Tier: No
Integrations: 9 platforms

Security Score: 7.8/100 — Basic

Cognio Labs is a setup-as-a-service provider (not ongoing hosting) — they deploy OpenClaw on the user's own VPS for a one-time $499 fee. This model has the inherent advantage that user data stays on user-controlled infrastructure. However, the security claims are entirely marketing language without any published technical documentation, security whitepapers, or verifiable evidence. The Privacy Policy contains placeholder text and template instructions left visible, suggesting the legal documents were not carefully reviewed. The company is a small bootstrapped Indian AI agency (Cognio AI Tech Pvt Ltd) founded by Ashutosh Upadhyay, primarily offering MVP development and AI consulting. The OpenClaw setup service appears to be a side product. No GitHub repos, security audits, compliance certifications, or technical documentation were found. The strongest aspect is pricing transparency; the weakest is the complete absence of accountability infrastructure and rogue agent controls.

10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.

Can anyone else see my data? 3/10, evidence: C (Claimed)

Cognio Labs deploys on the user's own VPS, which inherently limits provider-side data access. The FAQ states 'The VPS is provisioned under YOUR account with your chosen provider... Your data never touches our servers.' However, the provider must have temporary access during setup, and there is no documentation about data handling during the setup process, log sanitization, or whether conversation data is ever transmitted to Cognio's systems. The claim of Docker isolation is mentioned but not technically documented.

Can someone take over my agent? 2/10, evidence: C (Claimed)

The page claims 'Docker isolation, hardened configs' and mentions 'allowlist policies' and 'gateway authentication' in the setup checklist, but provides zero technical detail about how prompt injection is prevented, how code execution is sandboxed within the Docker container, or how memory integrity is protected. The claim that '26% of skills have vulnerabilities' and that they 'vet and configure only secure, tested skills' is marketing language without a published methodology for skill vetting.

Are my keys and passwords safe? 3/10, evidence: C (Claimed)

The setup checklist includes 'Credential encryption' and the page claims 'Proper secrets management and access controls' and 'encrypted credentials.' However, there is no documentation of what encryption method is used, how credentials are stored, whether they use a secrets manager (e.g., HashiCorp Vault), or how credentials are prevented from leaking into logs. The claim is specific enough to be 'Claimed' but lacks technical depth.

Can my agent do things I didn't authorize? 1/10, evidence: U (Unknown)

No information found about rate limiting, spending caps, behavioral monitoring, kill switches, or approval workflows for high-risk agent actions. The page describes agents that 'send emails,' 'schedule meetings,' and 'run scripts' but does not address guardrails against unauthorized actions. The agent swarm description emphasizes capability rather than control.

Can I lose my data or get locked out? 3/10, evidence: C (Claimed)

The user-owned VPS model means the user has full control of their data and is not locked into Cognio's infrastructure. The FAQ confirms 'You have full access to everything. Add skills, modify configs, change models.' The setup includes 'auto-restart daemon' suggesting basic availability measures. However, there is no mention of backup procedures, data export tools, or what happens if Cognio Labs shuts down (the user retains the VPS, which is positive but undocumented as a deliberate continuity strategy).

Will I get unexpected bills? 5/10, evidence: D (Documented)

Pricing is clearly documented: '$499 one-time payment' for setup, '$99/month optional maintenance,' and estimated ongoing costs of 'VPS hosting: $5-12/month. AI API usage: $10-70/month.' The page states '100% Satisfaction Guarantee - Full refund if you're not happy with the setup.' Payment via Razorpay and maintenance via Gumroad are clearly listed. This is the most transparent category.

Who's responsible when something goes wrong? 1/10, evidence: U (Unknown)

No audit logging, incident response process, breach notification policy, or compliance certifications are mentioned. The Privacy Policy is a generic template with placeholders still visible ('[Your contact number]', '[Company address]') and includes unedited 'Additional Notes for Indian Startup Registration' instructions. The Terms of Service are similarly generic. Governing law is India. The company is 'COGNIO AI TECH PVT LTD' registered in India, but no registration number is provided.

What if a tool or dependency gets compromised? 2/10, evidence: C (Claimed)

The page claims they 'vet and configure only secure, tested skills' and references the Cisco report about 26% of skills having vulnerabilities. However, there is no published methodology for how skills are vetted, no dependency scanning documentation, no mention of how upstream OpenClaw updates are validated, and no component inventory or SBOM. The mention of 'MCP orchestration' introduces additional supply chain dependencies that are not addressed.

Is the platform itself secure? 2/10, evidence: C (Claimed)

The setup checklist mentions 'Ubuntu server hardening,' 'Firewall configuration,' 'Non-root execution,' 'Gateway authentication,' and 'Allowlist policies.' These are specific named practices but without documentation of implementation details. No mention of MFA, TLS configuration, SSRF protection, or independent security testing. The provider's own website runs on standard Vercel hosting with no special security headers noted. No security audit or penetration test results are referenced.

Can I trust what my agent tells me? 0/10, evidence: U (Unknown)

No information found about hallucination mitigation, approval workflows for agent outputs, output verification, undo/rollback capabilities, or transparency about AI uncertainty. The product page focuses entirely on capability and convenience, with no mention of output reliability or trust safeguards.

V = Verified, D = Documented, C = Claimed, U = Unknown

  • Security-hardened configuration
  • Docker isolation with non-root execution
  • Encrypted credentials
  • Fail-closed gateway auth
  • Allowlist policies

Key Features

  • One-time professional setup (not recurring)
  • Security-hardened deployment
  • Agent Swarm (5-8 coordinated agents)
  • MCP orchestration for multi-agent coordination
  • 1-hour onboarding call + 14 days email support
  • Optional $99/mo maintenance (updates, monitoring, health checks)

Integrations

Telegram, WhatsApp, Slack, Discord, iMessage, Gmail, Google Calendar, Google Drive, Todoist

Strengths

  • One-time fee — no recurring costs (maintenance optional)
  • Professional security hardening
  • Agent Swarm with 5-8 specialized agents
  • Multi-platform messaging from setup

Weaknesses

  • $499 upfront is steep for experimentation
  • No ongoing managed hosting (maintenance is optional add-on)
  • You still manage the server post-setup
  • Limited to their curated config

Verdict

Unique model: pay once for professional setup, then self-host. Includes Agent Swarm (5-8 agents) and broad messaging support. Best for users who want expert configuration.

Infrastructure: Self-hosted (professionally configured by Cognio)
