OpenClaw launched in November 2025 as Clawdbot, was renamed twice, and by early March 2026 had already accumulated more than 247,000 GitHub stars, with adoption continuing to grow rapidly through the following weeks. In the same period it accumulated 138 documented security advisories, including ClawBleed (CVE-2026-25253), an actively exploited vulnerability that allowed any webpage to silently take over a running agent instance and execute arbitrary shell commands. Security researchers found tens of thousands of OpenClaw instances exposed on the internet, many of them running without authentication. The Chinese government restricted state agencies from using it. Microsoft published a blog post recommending a dedicated VM or separate physical machine if you must evaluate it at all.

None of this has slowed adoption. The demand for always-on AI agents that can handle email, calendar, browser, and API tasks without waiting for a user to prompt them is real, and OpenClaw is the only mature open-source framework that delivers it at this scale. What has happened is that a market has formed around the gap between what the framework does and what deploying it safely requires. That market has split into four tiers with substantially different answers to the security question.

Tier One: Self-Hosted VPS

The cheapest and most common deployment path is a personal VPS from Hetzner, DigitalOcean, or a comparable provider, with OpenClaw installed manually. Hetzner’s smallest ARM instance runs roughly four euros per month and handles a single personal agent comfortably. LLM API costs typically run higher than the infrastructure: moderate usage of Claude or GPT-4 runs $20 to $60 per month on top of hosting, making the total closer to $25 to $65 monthly.

The security posture of a default self-hosted install is poor. ClawBleed affected self-hosted instances specifically because the default configuration bound the WebSocket server to all network interfaces rather than localhost. The OpenClaw project now ships Docker sandboxing support by default, which is the minimum practical mitigation, but configuration hardening requires the user to understand what they are hardening against. Most do not. The exposed instances running without authentication are overwhelmingly self-hosted.
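The bind-address problem described above can be checked on any Linux host from its listening-socket table. The following is an added example, not code from the OpenClaw project: it parses `ss -H -ltn` output and reports every TCP listener that is not loopback-only. The sample output is constructed, and port 3000 is a hypothetical stand-in for the agent's WebSocket port, which the article does not state.

```python
import ipaddress

# Constructed sample of `ss -H -ltn` output (not captured from a real host).
# Port 3000 is a hypothetical stand-in for the agent's WebSocket port.
SAMPLE_SS_OUTPUT = """\
LISTEN 0      511          0.0.0.0:3000       0.0.0.0:*
LISTEN 0      128        127.0.0.1:5432       0.0.0.0:*
LISTEN 0      4096   127.0.0.53%lo:53         0.0.0.0:*
LISTEN 0      511             [::]:3000          [::]:*
LISTEN 0      128            [::1]:6379          [::]:*
LISTEN 0      4096               *:9090             *:*
LISTEN 0      128     192.168.1.10:8080       0.0.0.0:*
"""

def split_local(field):
    """Split ss's 'Local Address:Port' column into (host, port)."""
    host, _, port = field.rpartition(":")
    # Drop IPv6 brackets and any '%iface' scope suffix.
    return host.strip("[]").split("%", 1)[0], int(port)

def classify(host):
    """Return 'loopback', 'all-interfaces' or 'specific-interface'."""
    if host == "*":  # dual-stack wildcard as printed by ss
        return "all-interfaces"
    addr = ipaddress.ip_address(host)
    # Treat ::ffff:127.0.0.1 the same as 127.0.0.1.
    addr = getattr(addr, "ipv4_mapped", None) or addr
    if addr.is_unspecified:  # 0.0.0.0 or ::
        return "all-interfaces"
    return "loopback" if addr.is_loopback else "specific-interface"

def exposed_listeners(ss_output, ports=None):
    """List (host, port, kind) for listeners reachable beyond loopback.

    ports: optional set of port numbers to restrict the report to.
    """
    findings = []
    for line in ss_output.splitlines():
        cols = line.split()
        if len(cols) < 5 or cols[0] != "LISTEN":
            continue
        host, port = split_local(cols[3])
        kind = classify(host)
        if kind != "loopback" and (ports is None or port in ports):
            findings.append((host, port, kind))
    return findings

if __name__ == "__main__":
    for host, port, kind in exposed_listeners(SAMPLE_SS_OUTPUT):
        print(f"{kind:20} {host}:{port}")
```

A listener reported here is only reachable from the internet if the host firewall and provider network rules also allow it, so treat the output as a list of bindings to review rather than a list of confirmed exposures.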

Tier Two: Managed VPS From Traditional Hosting Providers

HostGator, Bluehost, and Hostinger all offer OpenClaw VPS products with one-click deployment through their control panels. The pricing is similar: HostGator and Bluehost start at $3.85 per month on a 2-year term, Hostinger from $5.99 per month for its managed offering. HostGator uses Portainer for container management. All three providers deploy OpenClaw inside Docker containers with baseline security configuration applied at setup.

The security improvement over a raw self-hosted install is real but limited. Containers provide process isolation, and the one-click images apply baseline configuration that prevents the most obvious default exposure problems. The critical limitation is that these are self-managed products: keeping OpenClaw patched as advisories are disclosed is the customer’s responsibility, and most customers in this tier are not tracking the advisory feed. HostGator and Bluehost are both Newfold Digital brands and their products are structurally identical.

On April 16, Bluehost added GatorClaw on top of this infrastructure: a visual no-code interface aimed at small businesses that want agents without writing configuration. Since launch, Bluehost’s VP of Product Management Sean Dundon has confirmed the specific controls GatorClaw enforces: credential isolation in an encrypted vault outside the agent context, scoped permissions, audit logging, and approval gates for high-risk actions. Two gaps were acknowledged directly: outbound network interception is not implemented, and deep semantic prompt-injection detection on inbound content is not in place. Policy enforcement is in-process rather than out-of-process, which places GatorClaw structurally closer to the managed VPS tier than to NemoClaw’s architectural model. Bluehost is evaluating ephemeral micro-VMs for higher-risk workloads, but that is not the general product today.

The core security argument for GatorClaw compared to a raw self-hosted install remains intact: it shifts patch management and configuration hardening to Bluehost, addresses the operational failure mode that produces most real-world incidents, and ensures non-technical users are not exposed to a default-insecure setup. For an SMB that otherwise would have installed OpenClaw on a raw VPS and forgotten about it, that gap is not trivial. webhosting.today has published a full Q&A with Dundon on GatorClaw’s security architecture and roadmap.

Tier Three: Purpose-Built Deployment Tools

A distinct category of products has formed around making OpenClaw easier to deploy without addressing the security architecture fundamentally. The most complete commercial product in this tier is OneClaw, which provides one-click cloud deployment through a web dashboard, a mobile app for remote management, ten or more professional agent templates, and a firewall and VPN deployment tool for hardening instances. OneClaw costs $9.99 per month for managed cloud hosting and the same for a managed version running on your own hardware.

ClawHost, an open-source project by developer Benjamin (GitHub: bfzli), takes a different approach: it automates provisioning of dedicated Hetzner Cloud servers, including DNS via Cloudflare, SSL via Let’s Encrypt, and firewall configuration, all from a browser dashboard. The project has 323 GitHub stars and a hosted service at clawhost.cloud. DigitalOcean offers a one-click Marketplace image described as a hardened production-ready deployment, from $12 per month on a basic Droplet, with $24 per month recommended for multi-channel workloads, and the image maintained by DigitalOcean’s marketplace team rather than the customer. The hardening is vetted and kept current, which is a meaningful improvement over self-managed installs.

Several other providers fill this tier with lower-cost managed deployments and one-click multi-region options, none of which change the underlying persistent-process architecture. Tencent entered the market in March 2026 with ClawPro, an enterprise management platform tested by more than 200 organizations across finance, government, and manufacturing in China, alongside QClaw, a WeChat integration that brought OpenClaw to WeChat’s approximately 1.4 billion monthly active users. Chinese state regulators restricted OpenClaw use in state enterprises the same month, citing security concerns that ClawPro’s compliance layer does not fully resolve.

The shared limitation of everything in tiers one through three is that they are all running OpenClaw as a persistent process. A persistent process with broad credentials and external input is the root condition that produces the security advisory list. Better configuration reduces the attack surface but does not change the fundamental architecture.

Tier Four: Architecturally Different Approaches

Two products take the position that the security problems in the first three tiers are not configuration problems but architectural ones, and address them by changing the runtime model.

Cloudflare published Moltworker in January 2026, a proof-of-concept that runs OpenClaw inside ephemeral Sandbox containers rather than a persistent server. A Cloudflare Worker acts as the API router protected by Zero Trust Access. The OpenClaw runtime executes inside an ephemeral container that is discarded after each task completes. Configuration and state persist via R2 object storage rather than the agent’s local filesystem. If an agent is hijacked or a malicious skill executes, it is trapped inside a container with no persistent access to anything. ClawBleed cannot work against this architecture because there is no persistent WebSocket server to exploit. Cloudflare is explicit that Moltworker is a proof of concept, not a supported product. Running it requires a Workers Paid plan at $5 per month plus usage, and deploying it requires understanding the architecture well enough to maintain it. It is not a product for SMBs. What it demonstrates is what secure-by-architecture OpenClaw hosting looks like, and no commercial product in the market is currently selling that to non-developers.

NVIDIA announced NemoClaw at GTC in March 2026, bundling Nemotron models with the NVIDIA OpenShell runtime and adding policy-based security controls, network guardrails, and a privacy router. NVIDIA’s positioning is that these controls operate independently of the agent’s execution context, limiting what a compromised agent can do or modify. Jensen Huang framed it as “the operating system for personal AI”, and the supported hardware reflects that positioning: RTX PCs, DGX Spark, DGX Station, and professional workstations. Pricing was not disclosed in the announcement. NemoClaw is in early alpha, and detailed technical specifications of the security architecture have not been fully published.

What the Market Is Actually Saying

The tier structure reveals a gap that no commercial product has yet closed for the mainstream market. The providers that have addressed the security architecture problem are either proof-of-concepts aimed at developers or enterprise stacks aimed at GPU hardware. The providers that have built accessible products for small businesses and non-technical users are all running the same persistent-process model with varying degrees of configuration hardening. Microsoft is reported to be building an enterprise alternative with better security controls, expected to surface at Build in June 2026.

For hosting providers, the market map has a visible vacancy: a product with the security architecture of Moltworker and the accessibility of OneClaw does not exist yet at a price point the SMB tier will pay. The companies currently selling managed OpenClaw VPS at $3.85 to $9.99 per month are competing on convenience rather than security. Whether that is what customers in this tier actually want, or whether a significant incident will shift the conversation, is the question the next twelve months will answer.