OpenClaw crossed 344,000 GitHub stars in March 2026, and several major cloud platforms raced to offer one-click deployment. The hosting question is getting easier. The security question remains.

If you're evaluating where to run your OpenClaw agent, here's the full picture as of April 2026, organized by what each tier actually gives you. And at the end, we'll share the part nobody's hosting provider is going to tell you, because the most important decision isn't where your agent runs. It's what you let it do when it gets there.

Before we dive in: the part your hosting provider won't tell you

None of the hosting providers will govern what your agent does after it starts running. And the numbers explain why that should concern you.

Since January 2026, dozens of CVEs have been disclosed for OpenClaw, including CVE-2026-32922, a privilege-escalation flaw scored 9.9 on CVSS 3.1. Researchers and security vendors have also reported widespread abuse of ClawHub, OpenClaw's skills marketplace: Immersive Labs cited an independent count of 1,184 malicious skills, while Bitdefender said early scans found nearly 900 malicious skills, close to 20% of listed packages at the time. Separately, SecurityScorecard reported more than 40,000 internet-exposed OpenClaw instances, many with weak or missing authentication controls.

Microsoft's Defender team said OpenClaw should be treated as "untrusted code execution with persistent credentials" and called it inappropriate for standard workstations. Cisco called it a security nightmare and others banned it internally. NVIDIA announced NemoClaw at GTC 2026 as an enterprise security layer for OpenClaw, because patching individual CVEs doesn't fix the underlying trust model.

None of this is theoretical. The ClawHavoc campaign planted hundreds of professional-looking malicious skills on ClawHub that mimicked popular tools, accumulated real stars and reviews, and delivered credential stealers and reverse shells. One malicious skill reportedly had 340,000 installs before anyone caught it.

The core issue is architectural. OpenClaw's controls are in-process, meaning the agent runtime and the permission logic share the same trust boundary. A compromised agent can modify its own permissions because the permissions live inside the same process the agent controls.

So let's dive into the hosting options.

The hyperscalers showed up

The big cloud platforms moved fast. AWS launched an official OpenClaw blueprint on Amazon Lightsail in March 2026, with instances pre-configured to use Amazon Bedrock and Claude Sonnet 4.6 by default. You pick the blueprint, run a CloudShell script for IAM permissions, and you're live with built-in sandboxing, automatic snapshots, and one-click HTTPS. AWS recommends a 4 GB instance, so expect Lightsail plan costs plus Bedrock token pricing on top.

Tencent Cloud went even bigger. Their Lighthouse product hit a single-day deployment record after Tencent set up a free installation booth on their Shenzhen campus, and the platform now has over 100,000 OpenClaw users. The one-click template supports WeChat Work, DingTalk, and Lark out of the box, which makes it the default if your team lives in those ecosystems.

Alibaba Cloud added official OpenClaw support on its Simple Application Server line for global and Asia-Pacific deployments, and Oracle Cloud quietly offers the best free option with an Always Free tier that gives you 4 ARM CPUs, 24 GB of RAM, and 200 GB of storage. That's enough to run OpenClaw with local models through Ollama at $0/month, though you're building from scratch with no managed blueprint.

If you want a recognizable name on your infrastructure bill, these are real options now.

Purpose-built OpenClaw hosts

A second tier of providers has emerged specifically to eliminate the DevOps lift, built around making OpenClaw work without requiring you to touch a terminal.

OpenClaw Cloud is the official hosted offering from the OpenClaw foundation, built on Claw.Cloud infrastructure. The Pro plan runs $89.90/month with managed LLM access including Claude and GPT, while the Standard plan at $39.90/month covers hosting only with bring-your-own keys. New OpenClaw features land here first, which matters if you want to stay on the bleeding edge.

xCloud charges $24/month for a fully managed deployment with pre-configured Telegram and WhatsApp, and ClawHosted starts at $49/month with multi-model support across Claude Opus, GPT, and Gemini, plus automatic OpenClaw updates and zero-downtime deploys. If budget is the priority, ClawCloud is the cheapest managed option at $19/month with included API credits and a 7-day refund guarantee, and LobsterTank will host you for $2/month if you bring your own API keys.

Two providers stand out for taking security seriously at the hosting layer. KiwiClaw at $15–39/month is the only managed host running a security-vetted skills marketplace where every skill goes through static analysis, behavioral sandboxing, and manual review before listing. Given what happened with ClawHub, that matters. And Blink Claw takes an even harder line by running your agent's gateway on a private network that's never exposed to the public internet and blocking all ClawHub installs entirely.

These providers reduce the supply-chain risk and the exposure surface. What they don't do is govern what your agent is allowed to do once it's running and connected to your tools. That's a different problem.

The VPS tier for self-hosters

If you want full control and a lower monthly bill, the VPS providers have you covered, and the range of options has gotten surprisingly good.

Hostinger offers one-click OpenClaw deployment starting at $6.99/month via a Docker Manager template, and they sell AI credits directly through the control panel so you can skip the separate OpenAI/Anthropic account signup. DigitalOcean remains the community favorite with a 1-Click Marketplace image, strong documentation, and deep community support, though the recommended spec for real workloads runs about $24/month.

Hetzner is where the cost-conscious builders go. At $4–7/month for a capable instance it costs roughly six times less per GB of RAM than DigitalOcean, and the official OpenClaw documentation includes a dedicated Hetzner deployment guide, which tells you something about who's actually running this project. OVHcloud bundles anti-DDoS protection, unlimited traffic, and daily backups into every plan at no extra cost, with a lowest tier that starts at 6 vCores and 12 GB of RAM.

For more specialized needs, Kamatera offers over 1,000 server configurations across 20+ global data centers with pay-as-you-go billing. Contabo and IONOS round out the budget end at $3–4/month, with Contabo giving you the most RAM per dollar and IONOS running ISO 27001-certified data centers. And Vultr is the pick if you want GPU instances for running local language models, with NVIDIA hardware across 32 locations.

Self-hosting gives you control and low cost, but it also gives you complete responsibility for everything that happens next.

Open-source deployment tools

One more option worth mentioning. ClawHost is an MIT-licensed, open-source platform that automates OpenClaw provisioning across Hetzner, DigitalOcean, and Vultr, handling server setup, DNS, SSL, and firewall configuration automatically. You get a dedicated VPS with full root access, deployed in under a minute.

The tooling exists to make self-hosting frictionless. But frictionless deployment of an unsecured agent is just faster exposure.

What changes when enforcement moves out-of-band

This is where the hosting question becomes a governance question.

When your agent calls Gmail, it shouldn't get Gmail. It should get the version of Gmail you decided it should have, read-only by default, with no sending and no deleting unless you explicitly granted those scopes.

That's what Civic does. Your OpenClaw instance, wherever it's hosted, routes tool calls through Civic instead of calling tools directly. Civic checks every request against your policies before it reaches your tools, and if a request violates policy, it never gets through.

The difference from in-process controls is structural. Civic's enforcement layer is architecturally separated from the agent. Your agent cannot modify its own constraints because they don't live in the agent's runtime. They live in Civic, configured by you through a control plane the agent can't access.

That separation gives you four things no hosting provider offers. Full connectivity through a single secure URL, with 95+ connectors running in under ten minutes. An activity log of every tool call showing who ran what, when, and with which permissions. Runtime guardrails that block bad calls before they reach your data. And revocation at four different levels of granularity, from a single tool to an entire toolkit, in one move.
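A minimal sketch of the out-of-band pattern described above, added here as an illustration; it is not Civic's or OpenClaw's code. It shows default-deny tool calls, a per-call activity log, and revocation at tool or toolkit granularity. The names `PolicyStore`, `Gateway` and `demo`, and the sample Gmail backends, are hypothetical, and a real deployment would run the gateway as a separate service rather than in the agent's process.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class PolicyStore:
    """Control-plane state. In a real deployment this lives in a separate
    service; the agent only ever holds the gateway's URL, never this object."""
    grants: dict = field(default_factory=dict)  # toolkit -> set of allowed tools

    def grant(self, toolkit, tool):
        self.grants.setdefault(toolkit, set()).add(tool)

    def revoke_tool(self, toolkit, tool):
        self.grants.get(toolkit, set()).discard(tool)

    def revoke_toolkit(self, toolkit):
        self.grants.pop(toolkit, None)

    def allows(self, toolkit, tool):
        # Default deny: anything not explicitly granted is refused.
        return tool in self.grants.get(toolkit, set())


class Gateway:
    """Policy enforcement point: holds the tool credentials, logs every call."""

    def __init__(self, policy, backends):
        self._policy, self._backends, self.audit = policy, backends, []

    def call(self, agent_id, toolkit, tool, args):
        ok = self._policy.allows(toolkit, tool) and (toolkit, tool) in self._backends
        self.audit.append({"ts": datetime.now(timezone.utc).isoformat(),
                           "agent": agent_id, "toolkit": toolkit, "tool": tool,
                           "decision": "allow" if ok else "deny"})
        if not ok:
            return {"ok": False, "error": "denied by policy"}
        return {"ok": True, "result": self._backends[(toolkit, tool)](**args)}


def demo():
    # Constructed backends standing in for real connectors.
    backends = {("gmail", "read"): lambda query: f"messages matching {query!r}",
                ("gmail", "send"): lambda to, body: f"sent to {to}"}
    policy = PolicyStore()
    policy.grant("gmail", "read")            # read-only by default
    gw = Gateway(policy, backends)
    r1 = gw.call("agent-1", "gmail", "read", {"query": "invoice"})
    r2 = gw.call("agent-1", "gmail", "send", {"to": "a@example.com", "body": "hi"})
    policy.revoke_toolkit("gmail")           # operator revokes the whole toolkit
    r3 = gw.call("agent-1", "gmail", "read", {"query": "invoice"})
    return r1, r2, r3, [e["decision"] for e in gw.audit]
```

The agent-facing surface is only `Gateway.call`; nothing in a request can add a grant, so a compromised agent can ask for `send` but cannot give itself that scope.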

Host OpenClaw wherever it makes sense for your budget and your team. The interesting decision isn't where your agent runs. It's what happens between your agent and the tools it touches.
