
MyClaw.ai
Live
One-click managed hosting with tiered plans
Security Score: 5.7/100 — Basic
MyClaw.ai is a pre-launch managed OpenClaw hosting service focused on convenience. It has professional Terms and Privacy documents, transparent pricing, and claims of isolated containers and encrypted connections. However, all claims are unverified: there is no security page, no technical docs, no architecture details, no audits, and no security.txt. Login lacks MFA. Agent-specific security concerns are completely unaddressed. Pre-launch status adds business continuity risk. The security posture is largely unknown, resting on claimed-but-unverifiable assertions.
10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.
About page: 'Your instance is physically separated from others' and 'We can't read your conversations, even if we wanted to' with 'No AI training.' Privacy Policy lists 'Isolated instance environments to prevent cross-tenant data access' and 'Encryption of sensitive data at rest.' All unverified claims with no technical documentation. Privacy Policy acknowledges sharing data with analytics providers; Facebook pixel and Google Analytics present on site.
No information found on prompt injection defenses, sandboxing, human-in-the-loop, memory integrity, or container escape prevention. Tutorials cover only channel connection and self-rescue; there is zero security documentation.
No documentation on how API keys, bot tokens, or credentials are stored or protected within instances. Privacy Policy covers Stripe payment credentials but says nothing about OpenClaw-specific credentials. No secret vaulting, rotation, or leak detection mentioned.
No rate limiting, spending caps, approval workflows, kill switches, behavioral monitoring, or least-privilege documentation. Homepage demo shows agent autonomously drafting emails, opening PRs, scheduling tweets with no approval steps — maximum autonomy, no documented safeguards.
All plans include 'Daily backups' per Pricing page and Terms ('Daily automated backups'). Terms: 'we do not guarantee that backups will be error-free or that data can always be fully restored.' No data export, tested restores, or backup verification. Pre-launch reservation model adds business continuity risk. No SLA beyond 'target 99.9% uptime.'
Pricing clear: Lite $19/mo, Pro $39/mo, Max $79/mo with annual discounts. Early bird lifetime pricing lock. Terms mention 'AI Balance & Credits' that 'may' be offered — could introduce variable costs. Price changes via 'posting new Terms on this page.' No hard spending caps; Terms allow throttling for 'excessive resource usage.'
Privacy Policy includes breach notification ('notify you and relevant authorities as required by applicable law'), GDPR/CCPA rights, 30-day response commitment. No incident response plan, audit logging, agent action trail, status page, or named jurisdiction. Governing law says only 'applicable law.'
No dependency scanning, MCP vetting, SBOM, build pipeline security, or AI provider policy documentation. Terms mention 'Automated software updates and security patches' with no validation details. Uses Supabase, Stripe, Cloudflare, Vercel, Google Analytics, Facebook pixel with no supply chain risk documentation.
Login offers email/password and Google OAuth, no MFA. HSTS enabled (max-age=63072000), Cloudflare + Vercel. No CSP header, no security.txt, no penetration testing, no bug bounty. Privacy Policy claims 'Regular security assessments and vulnerability scanning' with no evidence.
No hallucination mitigation, output verification, approval workflows, source attribution, uncertainty transparency, or undo/rollback. Homepage demo shows agent confidently providing metrics and making code changes with no verification steps.
Key Features
- ✓ Zero setup, instant access
- ✓ One-click deployment
- ✓ Auto-updates, zero maintenance
- ✓ Daily backups
- ✓ Web terminal access
Strengths
- + Zero-config simplicity
- + Three-tier pricing (Lite/Pro/Max)
- + Compare page on their site
Weaknesses
- − Regular prices will be higher ($29/$59/$119) once early access ends
- − Generic security claims
- − No unique differentiator
Verdict
Decent managed option but prices have increased significantly. Nothing unique compared to cheaper alternatives.