
OpenClaw Rocks


From: TBD
Security: Good (34.1/100)
Price Range: TBD
Free Tier: No
Integrations: 0 platforms

Security Score: 34.1/100 — Good

OpenClaw.rocks is a very early-stage (beta) provider run by a single founder (Jannes Stubbemann) through a German UG (micro-company). Its standout strength is infrastructure-level security: the open-source Kubernetes operator provides genuinely documented, structural security defaults (non-root, capabilities dropped, seccomp, default-deny NetworkPolicy, per-instance RBAC, admission webhooks) that are verifiable in code. This is significantly above average for the OpenClaw hosting market. However, the provider's strengths are almost entirely at the container/infrastructure layer. Agent-level security concerns — preventing rogue behavior, credential leak detection, prompt injection defenses, human-in-the-loop approvals, behavioral monitoring, misinformation safeguards — are essentially unaddressed. The company's very small size (Kleinunternehmer, single founder) is a business continuity risk. Privacy and legal infrastructure is solid for a company this size (full GDPR compliance, proper imprint, data retention policy). The open-source operator is a strong trust signal but the hosted platform itself (dashboard, API, user authentication) has limited public documentation about its security posture.

10 risk categories scored 1-10 × evidence weight. Based on our methodology, grounded in OWASP Agentic Security, NIST CSF 2.0, and CIS Controls.

Can anyone else see my data? 5/10 (D)

Privacy policy states 'We do not access, monitor, or store the content of conversations processed by your AI agents.' Data is EU-hosted with 'Encryption in transit (TLS) and at rest.' Kubernetes operator blog documents per-user namespace isolation with default-deny NetworkPolicy preventing cross-agent contamination. No explicit statement about data not being used for AI training (though third-party AI provider policies are referenced). Technical logs retained for 90 days. No mention of log sanitization or employee access audit trails.

Can someone take over my agent? 6/10 (D)

The K8s operator provides documented, structural security: 'Non-root by default. UID 1000, all Linux capabilities dropped, seccomp RuntimeDefault. A validating webhook rejects any spec that sets runAsUser: 0.' Default-deny NetworkPolicy on every instance limits egress to DNS and HTTPS only. Read-only root filesystem prevents persistence. Per-instance ServiceAccount with least-privilege RBAC. However, no mention of prompt injection defenses, separation of instructions from external data, human-in-the-loop for goal changes, or memory integrity protection. Container-level hardening is strong but agent-level hijacking mitigations are absent.

Are my keys and passwords safe? 5/10 (D)

Kubernetes Secrets are used for API keys with secretRef injection into containers. The deploy guide recommends External Secrets Operator for 'AWS Secrets Manager, HashiCorp Vault, GCP Secret Manager, or Azure Key Vault.' Per-instance ServiceAccount with no token auto-mounting prevents lateral movement. However, there is no mention of credential leak detection in outputs, credential rotation lifecycle management, or whether credentials are excluded from AI model context. Keys are stored as standard K8s Secrets (base64, not encrypted at the application layer unless cluster-level encryption is configured).
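The two paragraphs above list the operator's documented pod defaults (UID 1000 non-root, all capabilities dropped, seccomp RuntimeDefault, read-only root filesystem, no ServiceAccount token auto-mount, and a webhook that rejects runAsUser: 0). The following Python check is an added example, not the operator's own webhook code; it encodes those rules as a policy check over a Pod manifest, and the two sample specs and the function name are constructed for illustration.

```python
from typing import Any

# Constructed sample: what the operator's documented defaults look like in a Pod spec.
HARDENED_POD = {
    "spec": {
        "automountServiceAccountToken": False,
        "securityContext": {"runAsUser": 1000, "runAsNonRoot": True,
                            "seccompProfile": {"type": "RuntimeDefault"}},
        "containers": [{
            "name": "openclaw",
            "securityContext": {"readOnlyRootFilesystem": True,
                                "capabilities": {"drop": ["ALL"]}},
        }],
    }
}

# Constructed sample of a spec the validating webhook would reject (root, no hardening).
ROOT_POD = {
    "spec": {
        "containers": [{"name": "openclaw", "securityContext": {"runAsUser": 0}}],
    }
}


def pod_violations(pod: dict[str, Any]) -> list[str]:
    """Return every documented hardening rule the Pod spec breaks (empty = compliant)."""
    spec = pod.get("spec", {})
    psc = spec.get("securityContext", {})
    problems: list[str] = []
    # Kubernetes auto-mounts the ServiceAccount token unless explicitly disabled.
    if spec.get("automountServiceAccountToken", True):
        problems.append("automountServiceAccountToken must be false")
    if psc.get("seccompProfile", {}).get("type") != "RuntimeDefault":
        problems.append("seccompProfile.type must be RuntimeDefault")
    for c in spec.get("containers", []) + spec.get("initContainers", []):
        name, sc = c.get("name", "<unnamed>"), c.get("securityContext", {})
        # Container-level runAsUser overrides the pod-level one; UID 0 is rejected anywhere.
        uid = sc.get("runAsUser", psc.get("runAsUser"))
        if uid == 0:
            problems.append(f"{name}: runAsUser 0 is rejected")
        elif uid is None and not (sc.get("runAsNonRoot") or psc.get("runAsNonRoot")):
            problems.append(f"{name}: set runAsUser (default 1000) or runAsNonRoot")
        if "ALL" not in sc.get("capabilities", {}).get("drop", []):
            problems.append(f"{name}: capabilities.drop must include ALL")
        if not sc.get("readOnlyRootFilesystem"):
            problems.append(f"{name}: readOnlyRootFilesystem must be true")
    return problems


if __name__ == "__main__":
    for label, pod in (("hardened", HARDENED_POD), ("root", ROOT_POD)):
        print(label, pod_violations(pod) or "OK")
```

The check covers only the pod-spec rules the page documents; the default-deny NetworkPolicy and per-instance RBAC are separate objects and are not validated here.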

Can my agent do things I didn't authorize? 2/10 (C)

Pricing page mentions 'Security hardened' but there are no documented guardrails for agent behavior: no resource consumption limits visible to users, no kill switch, no human-in-the-loop for high-risk actions, no behavioral monitoring, no least-privilege tool gating. The K8s operator enforces infrastructure-level resource limits (CPU/memory) but these are about infrastructure stability, not about preventing the agent from sending unauthorized messages or making purchases. This is a significant gap.

Can I lose my data or get locked out? 6/10 (D)

The K8s operator documents 'Automatic workspace backup to S3-compatible storage on instance deletion. Restore into a new instance from any snapshot.' Auto-update includes 'backupBeforeUpdate: true' and 'rollbackOnFailure: true' with automatic rollback after 3 failures. PodDisruptionBudget is created by default. Status page shows 100% uptime monitored every 5 minutes. However, the company is a German UG (haftungsbeschränkt) — a very small entity (VAT exempt under Kleinunternehmerregelung). No data export capability is explicitly documented for end users. Terms state 'we may delete your data after a reasonable retention period' upon termination.

Will I get unexpected bills? 5/10 (D)

Pricing is transparent: Light at 15 EUR/mo (BYOK) and Pro at 30 EUR/mo (20 EUR AI credits included). '20% off your first month. Cancel anytime.' Pro plan offers 'Top up anytime' for additional credits. No mention of hard spending caps, usage monitoring with alerts, or a price change notification policy. Terms allow changes 'at any time' with notice via email. The Pro plan includes AI credits but token overages are not clearly addressed. No hidden costs are apparent but the lack of spending caps on API usage (especially BYOK) is a gap.

Who's responsible when something goes wrong? 4/10 (D)

Privacy policy identifies the data controller (Stubbemann UG, Germany) with GDPR legal basis documented. 'We will respond within 30 days' for data rights requests. German data protection authority (LfD Niedersachsen) identified for complaints. Technical logs retained 90 days. However, there is no documented incident response process, no breach notification timeline, no agent action audit trail for users, and no security monitoring description. The terms disclaim monitoring of agent behavior: 'We do not monitor, control, or assume any responsibility for the behavior of your AI agents.'

What if a tool or dependency gets compromised? 5/10 (D)

The K8s operator is open-source (Apache 2.0) at github.com/OpenClaw-rocks/k8s-operator, enabling code inspection. Written in Go 1.24 with controller-runtime. Multi-arch builds, E2E tests in CI, listed on OperatorHub and Artifact Hub. Blog references awareness of 341 malicious skills in ClawHub registry and CVE-2026-25253. Auto-update with image verification and health checks before rollout. However, no documented dependency scanning, no SBOM, no MCP server vetting process, and skills are installed from ClawHub without documented verification.

Is the platform itself secure? 6/10 (D)

The K8s operator is open-source and auditable. Documented security measures include: non-root execution, read-only root filesystem, all capabilities dropped, seccomp RuntimeDefault, default-deny NetworkPolicy, per-instance RBAC, validating admission webhook, operator itself runs as UID 65532 distroless nonroot with HTTP/2 disabled to mitigate CVE-2023-44487. TLS encryption in transit documented in privacy policy. Status page is public and open-source (Upptime). Gateway authentication tokens are auto-generated per instance. However, no mention of MFA for user accounts, no independent security testing or penetration test, and the dashboard/API security posture is not documented.

Can I trust what my agent tells me? 0/10 (U)

No information found about mitigations for hallucinations, output manipulation, approval workflows, independent verification for high-impact decisions, undo/rollback capability for agent actions, or transparency about AI uncertainty. This category is entirely unaddressed.

Evidence legend: V = Verified, D = Documented, C = Claimed, U = Unknown

Verdict: Pending assessment
Infrastructure: TBD
