Cisco found malware in the most popular skills. CrowdStrike published a removal tool. Gartner says: “Not enterprise software.” — The threat is real.
We took everything CrowdStrike, Gartner and Cisco warned about — and fixed it.
OpenClaw is powerful — shell access, messaging, web browsing, file system. Without hardening, it’s not just a risk. It’s an open door.
Cisco analyzed 31,000 agentic skills. One in four contained security vulnerabilities. The most popular skill was functional malware — with active data exfiltration via curl, prompt injection to bypass safety guidelines, and embedded command injection.
One of the world’s leading endpoint security vendors classifies OpenClaw as a threat. Their recommendation to enterprises: block and remove. Every IT decision-maker should take note.
“There is no quality guarantee, no vendor support, no SLA.” OpenClaw was built for power users — not for enterprises. Without professional management, it’s shadow IT on steroids.
An OpenClaw agent has simultaneous access to shell commands, web browsing, and messaging. A successful prompt injection attack can exfiltrate data via curl, WhatsApp message, or browser navigation.
No marketing fluff. This is how our security architecture actually works.
Each customer runs in their own Docker Compose stack. No shared processes, no shared file system, no shared runtime. One customer cannot see or affect another.
All customer data is double-protected: LUKS full-disk encryption on all Hetzner volumes protects against physical access. TLS 1.3 secures every connection in transit — to the LLM provider, messaging APIs, and to you.
The biggest vulnerability in self-hosted OpenClaw: an agent can contact any server. With ManagedClaw, the agent can only reach pre-approved destinations. Everything else is blocked at the network level.
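What "blocked at the network level" looks like in practice, as an added example that is not ManagedClaw's own configuration: a shell function that renders an nftables ruleset giving one customer's container subnet a default-deny egress policy with a pinned allowlist. The subnet, destination addresses and table name are hypothetical; destinations are assumed to be resolved to fixed IPs out of band so that DNS answers inside the sandbox never widen the allowlist.

```shell
#!/bin/sh
# Added example, not ManagedClaw's own ruleset. Renders an nftables egress
# allowlist for one customer's Docker Compose network. Everything the agent
# sends that is not TLS to a pre-approved address is logged and dropped, so a
# prompt-injected "curl attacker.example" never leaves the host.
# Assumptions (hypothetical): the stack's bridge network is 10.200.1.0/24 and
# the approved destinations (LLM API, messaging API) are pinned IPv4 addresses.
set -eu

# render_egress_ruleset SUBNET DEST [DEST...] -> prints an nft ruleset to stdout
render_egress_ruleset() {
  subnet="$1"; shift
  elems=""; sep=""
  for d in "$@"; do elems="${elems}${sep}${d}"; sep=", "; done
  cat <<EOF
table inet managedclaw_egress {
    set allowed_dst {
        type ipv4_addr
        flags interval
        elements = { ${elems} }
    }
    chain forward {
        # Runs alongside Docker's own rules: a packet must be accepted by every
        # hook, so a drop in this chain is final regardless of Docker's policy.
        type filter hook forward priority filter; policy accept;
        # Only packets that originate inside the customer subnet are constrained
        ip saddr ${subnet} jump customer_egress
    }
    chain customer_egress {
        # Replies for flows that were already allowed
        ct state established,related accept
        # Pre-approved destinations, TLS only (no plaintext HTTP, no raw DNS)
        ip daddr @allowed_dst tcp dport 443 ct state new accept
        # Everything else is recorded for the audit trail and dropped
        log prefix "managedclaw-egress-drop " drop
    }
}
EOF
}

# Usage: render_egress_ruleset 10.200.1.0/24 203.0.113.10 198.51.100.0/24 | nft -f -
```

The `log prefix` line is what turns a blocked exfiltration attempt into an alertable event: a single `managedclaw-egress-drop` entry from an agent container is a strong signal that a skill or prompt tried to reach somewhere it should not.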
No skill runs without review. Every skill goes through our 5-stage vetting pipeline: source review, automated Cisco Skill Scanner (static + behavioral + LLM analysis), manual code review, sandbox test, and only then: allowlist.
OpenClaw has an “elevated mode” that gives the agent host-level access. At ManagedClaw, this mode is permanently disabled — for every customer, every agent, without exception. No agent can break out of its sandbox.
All agent actions, all admin access, all outbound connections are logged — and streamed to an external, append-only log service. Even we cannot retroactively modify or delete the logs.
Prompt injection is an unsolved problem in AI security research. No vendor can claim to have fully solved it — neither can we. But we follow the OpenClaw principle: “Access Control before Intelligence”. We assume the model can be manipulated — and design so that even a successful manipulation causes minimal damage.
We are a German company, on German servers, under German law. GDPR compliance is not a checkbox for us — it is an obligation.
Hosted exclusively on Hetzner servers in Germany (Falkenstein/Nuremberg). No AWS, no Azure, no Google Cloud. No US cloud vendor has access to the infrastructure.
Data Processing Agreement per Art. 28 GDPR — with every single customer. Including sub-processor list, TOM reference, and clear deletion policies.
Technical and Organizational Measures per Art. 32 GDPR — publicly accessible, not behind a paywall. Because transparency should not be a premium feature.
Complete data deletion on request — including backups. Documented process with confirmation. We don’t just delete the files — we prove it.
Open list of all sub-processors: Hetzner (hosting), Anthropic (LLM inference, with DPA + SCCs), log service (EU). Changes are communicated in advance.
German UG (limited liability), German law, German jurisdiction. No “we’re incorporated in Delaware but say we’re GDPR compliant.”
Our path to independently audited security
“We could read your data. That’s why we prove that we don’t.”
All access is streamed to an external, append-only log service. Even with root access to our servers, we cannot tamper with the logs. On request, you receive access to the audit logs of your instance.
Every SSH login, every sudo command is captured via auditd and stored externally. We do not routinely access customer systems. If we do: it is documented, traceable, and auditable.
Our management users have no read access to customer data by default. Access requires explicit sudo — which is logged, stored externally, and auditable. No “just taking a quick look.”
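The audit setup described above, as an added example that is not ManagedClaw's own configuration: shell functions that render an auditd rules file recording every command executed as root by a logged-in admin and every change to the sudo policy, plus an audisp-remote plugin config that forwards the records off-host. The collector hostname, UID threshold and file paths are assumptions; SSH logins themselves arrive as PAM-generated USER_LOGIN/USER_START records once auditd is running and need no extra rule.

```shell
#!/bin/sh
# Added example, not ManagedClaw's own rules. Two renderers:
#   render_audit_rules    -> contents of /etc/audit/rules.d/managedclaw.rules
#   render_remote_plugin  -> contents of /etc/audit/audisp-remote.conf
# Assumptions (hypothetical): 64-bit Linux, human admins have UID >= 1000,
# and /etc/audit/plugins.d/au-remote.conf is set to "active = yes" so the
# remote plugin is loaded. Local logging stays on as a second copy.
set -eu

render_audit_rules() {
  cat <<'EOF'
## Start from an empty rule set with a buffer large enough for bursts
-D
-b 8192
## If the kernel cannot deliver a record, print to the console (1) rather than drop it
-f 1
## Every execve by euid 0 from a real login session: sudo, su, pkexec commands
-a always,exit -F arch=b64 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_exec
-a always,exit -F arch=b32 -S execve -F euid=0 -F auid>=1000 -F auid!=unset -k priv_exec
## Who is allowed to escalate, and how
-w /etc/sudoers -p wa -k sudo_policy
-w /etc/sudoers.d/ -p wa -k sudo_policy
## How admins get in
-w /etc/ssh/sshd_config -p wa -k sshd_config
## Make the rule set immutable; changing it again requires a reboot
-e 2
EOF
}

# render_remote_plugin COLLECTOR_HOST -> forwarder config for the external log service
render_remote_plugin() {
  collector="$1"
  cat <<EOF
remote_server = ${collector}
port = 60
transport = tcp
mode = forward
network_failure_action = syslog
EOF
}

# Usage (as root):
#   render_audit_rules > /etc/audit/rules.d/managedclaw.rules
#   render_remote_plugin logs.example.invalid > /etc/audit/audisp-remote.conf
#   augenrules --load
```

With `-e 2` in place, a root user on the host can neither silence the rules nor remove records that have already left for the collector, which is what makes the "even we cannot tamper with the logs" claim checkable rather than a promise.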
Our Technical and Organizational Measures are not a secret. You can download the document anytime and review it with your DPO.
📥 Download TOMs (PDF) — coming soon
Our Data Processing Agreement is not 80 pages of legalese. Clear, fair, Art. 28 compliant. Fully reviewable before signing.
📥 View DPA template (PDF) — coming soon
All configurations are stored in a versioned Git repository. Every change has an author, a timestamp, and a reason. No undocumented changes to your infrastructure.
Not all OpenClaw offerings are equal. Here’s the difference.
| Security Feature | DIY OpenClaw | Hosting Provider* | ManagedClaw |
|---|---|---|---|
| Container Isolation | ❌ No sandbox | ⚠️ Shared VM | ✅ Docker per customer, network:none |
| Egress Filtering | ❌ Not available | ❌ Not available | ✅ nftables allowlist |
| Skill Vetting | ❌ No review | ❌ No review | ✅ Cisco Scanner + manual |
| Encryption at rest | ❌ Plaintext | ⚠️ Provider-dependent | ✅ LUKS full-disk |
| Elevated Access | ⚠️ Opt-in (often forgotten) | ⚠️ Unclear | ✅ Permanently disabled |
| Audit Logs | ❌ Local files | ❌ Not available | ✅ External, append-only |
| GDPR Compliance | ❌ On your own | ⚠️ Basic | ✅ DPA + TOMs + deletion policy |
| Data Location | ⚠️ Varies | ⚠️ Often US/Asia | ✅ Germany (Hetzner) |
| Prompt Injection Defense | ❌ No layers | ❌ No layers | ✅ 4-layer defense in depth |
| Support & SLA | ❌ Community / Discord | ⚠️ Standard hosting | ✅ Personal, SLA-backed |
* e.g. openclawcloud.work, Tencent Cloud, DigitalOcean — typical “OpenClaw hosting” offerings without security hardening.
Try ManagedClaw — with enterprise security, without the enterprise price. Configuration in 2 minutes, your agent is working within 24 hours.
🔒 DPA-ready · Data in 🇩🇪 · Sandbox isolation from day 1