Published on 12.03.2026
TLDR: KiloClaw is a managed compute platform for OpenClaw AI agents that enforces tenant isolation through five independent layers, including dedicated Firecracker microVMs per customer, isolated WireGuard networks, and encrypted storage. An independent 10-day security assessment in February 2026 found no cross-tenant access paths, no injection vulnerabilities, and validated the architecture as fundamentally sound.
The rise of autonomous AI agents that can execute code, browse the web, and interact with external services on your behalf has made platform security far more consequential than it has ever been for traditional SaaS. KiloClaw, a managed compute platform built around OpenClaw, tackles this head-on by giving every customer a fully dedicated virtual machine rather than a shared container or a partitioned slice of someone else's runtime. KiloClaw uses Firecracker microVMs, the same hardware virtualization technology that powers AWS Lambda and Fargate, which means each tenant gets its own kernel, filesystem, and process space. That is a meaningful architectural choice because it eliminates entire categories of cross-tenant attack vectors that plague shared-kernel container deployments.
What stands out here is the defense-in-depth model with five independent layers of tenant isolation: authenticated routing derived from server-side identity (not user-controlled input), dedicated Fly.io application environments per customer, isolated WireGuard network meshes, Firecracker microVM boundaries, and dedicated encrypted storage volumes. For one customer to access another's data, all five layers would need to fail simultaneously. That is an unusually strong posture for a platform in this space, and it reflects a genuine understanding that AI agent compute is fundamentally different from serving web pages or running batch jobs. When your product literally executes arbitrary code on behalf of users, the isolation model cannot be an afterthought bolted onto shared infrastructure.
The handling of secrets deserves attention as well. Customer API keys and chat tokens are encrypted at rest using RSA-OAEP with AES-256-GCM and only decrypted inside the customer's isolated VM at startup. That said, the team acknowledges this is not the final state. Their roadmap includes short-lived token exchange and in-memory secret stores to reduce the exposure window. This kind of honesty about what is still being hardened is actually more reassuring than a vendor claiming perfection. What is notably absent from the article, however, is any discussion of supply chain security for the agent tools themselves. If an OpenClaw extension or plugin is compromised, the blast radius may still be contained to one tenant's VM, but the customer's own data and connected accounts could be fully exposed within that boundary. The article could do more to address what happens when the threat is not cross-tenant but intra-tenant through a malicious or compromised tool.
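To make the at-rest scheme concrete, here is an added envelope-encryption example that is not code from the article or from KiloClaw. It assumes the RSA-OAEP-plus-AES-256-GCM combination works the usual way: a random AES-256 data key encrypts the secret with GCM, and RSA-OAEP wraps that data key to a public key whose private half lives only inside the tenant VM. The `SealedSecret` layout, the `Seal`/`Open` names and the use of the tenant id as GCM associated data are assumptions for illustration; the page does not describe KiloClaw's actual storage format.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"errors"
	"fmt"
)

// SealedSecret is the at-rest form of one customer secret: the random AES-256
// data key wrapped with RSA-OAEP, plus the GCM nonce and authenticated ciphertext.
// The layout is an assumption for this example, not KiloClaw's storage format.
type SealedSecret struct {
	WrappedKey []byte // RSA-OAEP(SHA-256) encryption of the 32-byte data key
	Nonce      []byte // 12-byte GCM nonce, unique per Seal call
	Ciphertext []byte // AES-256-GCM output including the 16-byte tag
}

// Seal runs on the control plane: it encrypts plaintext under a fresh AES-256
// key and wraps that key to the tenant VM's RSA public key. The control plane
// never holds the private key, so it cannot decrypt what it stored.
func Seal(pub *rsa.PublicKey, plaintext, aad []byte) (*SealedSecret, error) {
	dataKey := make([]byte, 32)
	if _, err := rand.Read(dataKey); err != nil {
		return nil, err
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	ct := gcm.Seal(nil, nonce, plaintext, aad)
	wrapped, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, dataKey, nil)
	if err != nil {
		return nil, err
	}
	return &SealedSecret{WrappedKey: wrapped, Nonce: nonce, Ciphertext: ct}, nil
}

// Open is the startup-time counterpart that runs inside the VM holding the
// private key. aad binds the ciphertext to a context such as the tenant id, so
// a sealed blob copied onto the wrong tenant's volume fails authentication.
func Open(priv *rsa.PrivateKey, s *SealedSecret, aad []byte) ([]byte, error) {
	dataKey, err := rsa.DecryptOAEP(sha256.New(), nil, priv, s.WrappedKey, nil)
	if err != nil {
		return nil, errors.New("data key unwrap failed")
	}
	gcm, err := newGCM(dataKey)
	if err != nil {
		return nil, err
	}
	pt, err := gcm.Open(nil, s.Nonce, s.Ciphertext, aad)
	if err != nil {
		return nil, errors.New("secret authentication failed")
	}
	return pt, nil
}

// newGCM builds an AES-256-GCM AEAD from a 32-byte key.
func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

func main() {
	// Constructed demo: in the model above the key pair is generated in the VM.
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		panic(err)
	}
	tenant := []byte("tenant-0001") // constructed tenant id used as AAD
	sealed, err := Seal(&priv.PublicKey, []byte("sk-constructed-api-key"), tenant)
	if err != nil {
		panic(err)
	}
	got, err := Open(priv, sealed, tenant)
	fmt.Printf("recovered: %q err=%v\n", got, err)
	_, err = Open(priv, sealed, []byte("tenant-0002"))
	fmt.Println("wrong tenant AAD:", err)
}
```

The split matters for the exposure window the article discusses: the plaintext data key exists only transiently on the control plane during `Seal` and then only inside the VM after `Open`, and binding the tenant id as associated data means a blob that lands on the wrong volume is rejected rather than decrypted.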
The prompt injection mitigation strategy is pragmatic but worth scrutinizing. KiloClaw requires explicit user approval before the agent's exec tool can run shell commands, and this setting is enforced platform-side so it cannot be overridden by the agent itself. That is a solid control. But the article leans heavily on the containment argument: even if prompt injection succeeds, the damage stays within your VM. That is true from a multi-tenancy perspective, but it somewhat sidesteps the reality that a compromised agent in your own environment could still exfiltrate your API keys, send messages through your connected Slack or Discord, or modify your workspace files. The five-layer isolation protects other customers, not necessarily you from your own compromised agent. Teams evaluating this platform should understand that distinction clearly.
For architects and engineering leaders evaluating managed AI agent platforms, KiloClaw's approach offers a useful benchmark. The independent assessment by Andrew Storms, which included threat modeling with the PASTA framework, 35 adversarial tenant-isolation tests, 8 live cross-tenant network tests, and dozens of command-injection payloads, produced zero findings for cross-tenant access, SQL injection, XSS, command injection, path traversal, or open redirects. It also resulted in 17 merged pull requests with 10 security fixes and 7 hardening improvements. The planned supply chain improvements, including SHA-256 pinned base images, Sigstore signing, SBOM generation, and automated vulnerability scanning in CI/CD, represent the kind of operational maturity trajectory that serious buyers should expect. If you are building internal platforms for AI agent workloads, the five-layer isolation model and the fail-closed authentication behavior (rejecting requests when backend dependencies are unavailable rather than falling back to weaker behavior) are patterns worth adopting regardless of whether you use KiloClaw itself.
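The two routing patterns singled out above, tenant routing derived from server-side identity rather than user-controlled input, and fail-closed behaviour when a backend dependency is down, are shown together in this added example. It is not code from the article or from KiloClaw: the `SessionStore` interface, the in-memory store with an outage switch, the cookie name `session` and the `agent-<tenant>.example.internal` backend naming are all constructed for illustration.

```go
package main

import (
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// ErrStoreUnavailable signals that the session backend could not be reached.
var ErrStoreUnavailable = errors.New("session store unavailable")

// SessionStore maps an opaque session token to a tenant id. Constructed
// interface for this example; a real deployment backs it with a database.
type SessionStore interface {
	TenantFor(token string) (tenant string, err error)
}

// memStore is an in-memory SessionStore with a switch that simulates an outage.
type memStore struct {
	sessions map[string]string
	down     bool
}

func (m *memStore) TenantFor(token string) (string, error) {
	if m.down {
		return "", ErrStoreUnavailable
	}
	return m.sessions[token], nil // "" when the token is unknown
}

// Router decides which per-tenant backend a request may be forwarded to.
type Router struct{ Store SessionStore }

// Resolve derives the tenant from the server-side session only. Client-supplied
// hints such as an X-Tenant-ID header or a tenant segment in the URL are never
// read. It fails closed: an unreachable store yields 503, never a default or
// last-known tenant.
func (r *Router) Resolve(req *http.Request) (target string, status int) {
	c, err := req.Cookie("session")
	if err != nil || c.Value == "" {
		return "", http.StatusUnauthorized
	}
	tenant, err := r.Store.TenantFor(c.Value)
	if errors.Is(err, ErrStoreUnavailable) {
		return "", http.StatusServiceUnavailable
	}
	if err != nil || tenant == "" {
		return "", http.StatusUnauthorized
	}
	// Backend hostname pattern is a constructed placeholder, not KiloClaw's.
	return fmt.Sprintf("agent-%s.example.internal", tenant), http.StatusOK
}

// ServeHTTP wires the decision into a handler. The forwarding step is replaced
// by echoing the chosen target so the example has no network dependency.
func (r *Router) ServeHTTP(w http.ResponseWriter, req *http.Request) {
	target, status := r.Resolve(req)
	if status != http.StatusOK {
		http.Error(w, http.StatusText(status), status)
		return
	}
	fmt.Fprintf(w, "forward to %s\n", target)
}

func main() {
	store := &memStore{sessions: map[string]string{"tok-alice": "alice"}} // constructed session
	rt := &Router{Store: store}

	// Valid session plus a forged tenant header: the header is ignored.
	req := httptest.NewRequest("GET", "/agent", nil)
	req.AddCookie(&http.Cookie{Name: "session", Value: "tok-alice"})
	req.Header.Set("X-Tenant-ID", "bob")
	fmt.Println(rt.Resolve(req))

	// Store outage: reject the request rather than degrade to weaker routing.
	store.down = true
	fmt.Println(rt.Resolve(req))
}
```

The distinction between the 401 and 503 branches is the point of the fail-closed rule: an unknown session is an authentication failure, but an unreachable session store is an infrastructure failure, and the safe answer to the latter is to refuse service rather than to route on whatever the client claimed.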