OpenClaw

Agent Orchestration
Grade: D
Overall score: 1.7
Reviewed April 15, 2026

OpenClaw is powerful and unusually transparent about some security risks, but missing usable legal pages plus repeated high-impact vulnerabilities make it a lab-only tool for now.

Score Summary

Claim Accuracy: 3/5
Data & Privacy: 1/5
Security Posture: 2/5
Transparency: 1/5

Key Findings

  • Mandatory pre-flight failed: https://openclaw.ai/about and https://openclaw.ai/terms did not return useful readable content, so the accountability and legal-use analysis is materially incomplete.
  • The official privacy policy at https://openclaw.ai/privacy applies only to the iOS and Android apps and explicitly says it does not cover the gateway, server, AI provider, or other connected services.
  • OpenClaw is clearly self-hosted/open source and large in community terms: the repo shows MIT licensing, 358k stars, 31,506 commits, 5k+ issues, and a latest release dated 2026-04-14 at https://github.com/openclaw/openclaw and https://github.com/openclaw/openclaw/releases.
  • The project has published security process artifacts: a SECURITY.md/reporting flow at https://github.com/openclaw/openclaw/security, a trust site at https://trust.openclaw.ai/, a formal threat model at https://docs.openclaw.ai/security/THREAT-MODEL-ATLAS, and a formal-verification page at https://docs.openclaw.ai/security/formal-verification.
  • Security posture is mixed: NVD/MITRE list multiple 2026 vulnerabilities in authentication, origin validation, token handling, and command-execution paths, even though several were patched quickly in the referenced commits and releases.