OpenClaw Host

Homepage FAQ: 'Every agent runs in an isolated Docker container. Your API keys and memory are encrypted and never shared.' Privacy policy claims 'isolated encrypted volumes' and they 'do not inspect the logic of your agent's private directory.' No technical specifics — no encryption standards, key management, data retention, log sanitization, or AI training opt-out. Docker container isolation alone is weak without hardening details.

No information on prompt injection defenses, sandboxing, human-in-the-loop, memory integrity, or container escape prevention. Install page references 'security hardening' via 'Every installation goes through a safety check' but zero technical specifics. No separation of instructions from external data or output sanitization mentioned.

FAQ: 'Your API keys and memory are encrypted and never shared.' Privacy policy mentions 'isolated encrypted volumes.' No details on encryption method, key management, credential leak detection, rotation, or whether credentials are excluded from AI model context. BYOK model but no protection details.

No information found on agent guardrails, rate limiting, kill switches, behavioral monitoring, tool gating, or least-privilege. Advertises 'Unlimited Agents' and 'unlimited usage' with no resource consumption limits or spending caps.

Homepage mentions 'Persistent Storage' and 5-agent plan includes 'Safe Volume Backups.' No details on backup frequency, restore procedures, data export, or provider shutdown policy. ToS: service 'as is' with no liability for 'logical data decay, agent downtime.' No SLA except custom enterprise.

Flat-rate pricing clearly displayed: $19/mo (1 agent), $69/mo (5 agents), $99/mo (10 agents). 'All plans include unlimited usage. You provide your own API keys.' Transparent but no price change notification policy, no spending caps, no usage alerts.

No audit logging, incident response, breach notification, or regulatory compliance mentioned. Privacy policy has no GDPR reference. ToS uses themed language ('Terms of Engagement', 'Command Responsibility') obscuring legal substance. No company registration, address, or team info. Contact email is support@myclaw.host.

No information on dependency scanning, MCP server vetting, SBOM, build pipeline security. Deploy page: 'Python, dependencies, and core OpenClaw logic are pre-installed' with no vetting details. No GitHub repos linked.

Login offers Google/Apple OAuth plus email/password, no MFA. Site behind Cloudflare but critical security headers missing (no HSTS, CSP, X-Frame-Options). CORS wildcard 'access-control-allow-origin: *' is a security concern. VPS page claims 'Baked-in security protocols' with zero specifics. No penetration testing.

No information on hallucination mitigation, approval workflows, output verification, undo/rollback, or AI uncertainty transparency.