#27

EasyClaw

Live

No API key required — deploy your first assistant in under a minute

From
$49/mo
Free trial (no CC required). $49/mo early access ($149 regular later); AI usage included, no API key required
Security: Basic 7.5/100
Price Range: $49/mo – $49/mo
Free Tier: Yes
Integrations: 1 platform

Security Score: 7.5/100 — Basic

EasyClaw is an early-stage MVP built by a solo founder (Hector Guedea, based in Colima, Mexico) offering managed OpenClaw hosting exclusively via Telegram. The product prioritizes ease-of-use and zero-DevOps over security. Security claims are limited to brief FAQ answers mentioning RLS, encrypted storage, and isolated execution environments, but with no verifiable documentation and no security page. The shared runtime model with 'strict agent-level isolation' is claimed but unverifiable. The provider runs as an individual with no disclosed business entity, no funding, and support via personal Gmail. Pricing is transparent at $49/month (all AI costs included). The complete absence of documented guardrails for agent behavior, data export, backups, incident response, and supply chain security reflects the very early stage of the product.

10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.

Can anyone else see my data? 3/10
C

The FAQ states 'We use Row Level Security (RLS) for data protection, encrypted storage, and isolated execution environments' and separately claims 'your agent runs in a strict isolated namespace.' However, the FAQ also confirms 'the runtime infrastructure is shared' and that it is 'Not a per-user container. EasyClaw runs a shared OpenClaw runtime with strict agent-level isolation.' No details are given on encryption at rest, employee access controls, or whether data is used for training. The privacy policy says 'We do not log message content for marketing' but does not explicitly address AI model training.

Can someone take over my agent? 2/10
C

No mention anywhere on the site of prompt injection defenses, sandboxing for code execution, human-in-the-loop approvals, or memory integrity protections. The FAQ confirms a 'shared OpenClaw runtime' which raises cross-agent contamination concerns. The comparison page and FAQ focus entirely on ease-of-use rather than security boundaries. No documentation exists about how agents are isolated at the execution level beyond the vague claim of 'strict isolated namespace.'

Are my keys and passwords safe? 4/10
C

EasyClaw's model is that users do not provide their own API keys; the FAQ states 'No API key required. We run Claude, GPT-5.2, or Gemini for you—no API keys needed, no additional charges.' The privacy policy confirms 'Billing is handled by Stripe. We do not store full payment card details.' The only user credential stored is the Telegram chat ID. This reduces the credential exposure surface significantly, but there is no information about how the provider's own API keys are stored or protected internally.

Can my agent do things I didn't authorize? 2/10
U

No mention of spending limits, rate limiting, kill switches, permission scoping, human-in-the-loop for high-risk actions, or behavioral monitoring anywhere on the website. The homepage advertises 'Usage included per plan. Cancel anytime' and mentions 'subject to fair use' but provides no specifics on guardrails. The agent is described as fully autonomous with capabilities like browsing, scheduling, and sending messages, yet no safety controls are documented.

Can I lose my data or get locked out? 1/10
U

No mention of backups, data export, disaster recovery, or uptime SLAs anywhere on the site. The terms state the service is provided 'AS IS AND AS AVAILABLE WITHOUT WARRANTIES OF ANY KIND' and 'WE DO NOT GUARANTEE UNINTERRUPTED OR ERROR-FREE OPERATION.' The FAQ says 'Possibly in the future' about self-hosting/export options, confirming no current data portability. The provider is a solo founder (Hector Guedea) with no disclosed business entity, funding, or stability signals.

Will I get unexpected bills? 5/10
D

Pricing is clearly stated at '$49/month' with 'Early access' and '$149 regular price later.' The FAQ explicitly states 'The $49/month subscription includes all AI usage costs' and 'No API key required, no additional charges. Everything is included in your monthly plan (subject to fair use).' The terms say 'Fees are billed in advance' and 'You may cancel at any time.' However, 'fair use' is undefined, there are no hard spending caps documented, and the terms allow price changes with only vague notice.

Who's responsible when something goes wrong? 2/10
C

No incident response process, breach notification timeline, audit logging, or agent action trail is documented. The privacy policy mentions 'We take reasonable measures to protect your data (e.g. HTTPS, secure storage)' but provides no specifics. Support is via a personal Gmail address (hectorguedea@gmail.com). No company entity is disclosed — the terms say 'The Service is provided by Hector Guedea' as a sole individual. No jurisdiction is stated in legal documents.

What if a tool or dependency gets compromised? 2/10
U

The site discloses reliance on 'Supabase (authentication and database), Google (optional sign-in), Stripe (payments), Telegram (messaging), and hosting (e.g. Vercel)' in the privacy policy. The FAQ mentions running 'Claude, GPT-5.2, or Gemini' via a 'shared OpenClaw gateway.' No information about dependency scanning, MCP server vetting, update verification, SBOM, or any supply chain security practices. The GitHub profile shows no EasyClaw-related repositories, so no code audit is possible.

Is the platform itself secure? 3/10
C

Authentication uses Google OAuth or email/password via Supabase. No mention of MFA support. The FAQ mentions 'Row Level Security (RLS) for data protection' which is a Supabase database feature. The site uses HTTPS (Vercel-hosted). No information about penetration testing, independent security audits, SSRF protection, secure headers configuration, or session management.

Can I trust what my agent tells me? 1/10
U

No mention of hallucination warnings, output verification, approval workflows for high-impact actions, undo/rollback capabilities, or transparency about AI uncertainty. The homepage lists capabilities like 'Generate invoices, Book travel, Track expenses' with no caveats about AI reliability for these sensitive tasks. No guardrails are documented for preventing the agent from acting on false outputs.

V = Verified, D = Documented, C = Claimed, U = Unknown

Row-level security (RLS), Encrypted storage, Isolated execution environment

Key Features

  • No API key required (AI usage included)
  • Deploy in under a minute
  • Choice of Claude, ChatGPT, or Gemini
  • No DevOps required
  • Featured on Startup Fame, Indie Hackers, PeerPush

Integrations

Telegram

Strengths

  • No API key friction — AI included
  • Featured on Startup Fame, Indie Hackers, PeerPush
  • Simple single-plan pricing ($49/mo early access)

Weaknesses

  • Telegram-only integration
  • New entrant, limited track record

Verdict

Removes the biggest friction point (API keys) by including AI usage. Featured on Startup Fame and Indie Hackers. Telegram-only for now.

Infrastructure: Managed cloud (unspecified)