LUCID vs OpenClaw
We pointed LUCID at OpenClaw, a real open-source AI assistant with roughly 5,000 files. It hallucinated a Terms of Service for the project, extracted 235 testable claims from that document, then verified every one of them against the actual code.
How LUCID works
1. Generate: an AI model writes a Terms of Service for the project, inventing specific claims about features, security, and data handling.
2. Extract: 235 testable claims are pulled from the document and categorized by type and severity.
3. Verify: each claim is checked against the 3,863 actual code files in the repository. Every verdict is backed by file evidence.
4. Report: a gap report with prioritized fix recommendations. Critical security failures are flagged first.
[Charts: claims by category; claims by severity]
Key findings
Claim: Voice synthesis supports 89 distinct voice profiles with prosody control.
Finding: The code shows only 13 OpenAI TTS voices and 6 Polly voice mappings. There is no prosody control beyond basic speed and pitch.
Claim: Context-aware responses utilize up to 128,000 tokens of conversation history.
Finding: The code defaults to a 200,000-token context window. The 128K figure is fabricated; the actual limit is different.
Claim: Perfect Forward Secrecy (PFS) uses ECDHE key exchange with the X25519 curve.
Finding: No ECDHE key-exchange configuration or X25519 curve enforcement was found. A TLS context exists, but without any specified key-exchange parameters.
Claim: TLS 1.3 is used for all data in transit with perfect forward secrecy.
Finding: A generic TLS context is used without pinning version 1.3. The Android configuration explicitly allows cleartext traffic.
Claim: Vector database support includes Pinecone, Weaviate, Qdrant, and Milvus.
Finding: Only LanceDB is implemented. None of the four claimed databases exist in the code.
Claim: Model selection supports GPT-4, GPT-3.5, Claude 3, Gemini Pro, and Ollama.
Finding: The model providers exist, but the code references newer versions (GPT-5, Claude Opus 4-6, Gemini 3). The claimed versions are outdated.
Claim: OAuth 2.0 and OpenID Connect authentication are supported.
Finding: OAuth 2.0 works for Anthropic and OpenAI. OpenID Connect is not evident: there are no OIDC flows, ID tokens, or userinfo endpoints.
Claim: The service supports 23 audio codecs including Opus, AAC, MP3, and FLAC.
Finding: Only PCM and mu-law conversion exist. There is no evidence of 23 codecs or of Opus, AAC, MP3, or FLAC support.
What this reveals
Numbers are hallucinated with high confidence
The AI fabricated precise figures (47 languages, 89 voice profiles, 23 codecs, 128K tokens) that sound authoritative but do not match the code. The real numbers differ in both directions: sometimes higher (a 200K default context window versus the claimed 128K), sometimes dramatically lower (13 voices versus the claimed 89).
Security claims are the most dangerous hallucinations
Claims about TLS 1.3, PFS with X25519, ECDHE key exchange, and AES-256-GCM sound specific and plausible, but the code uses a generic TLS context and explicitly allows cleartext traffic on Android. Shipping a ToS that asserts these properties without verifying them creates legal liability, and it also misleads users about the actual level of transport protection.
Roughly 75% of claims cannot be verified from code alone
175 of the 235 claims were N/A: business-process claims (SLAs, pricing, team sizes, response times) that live in legal documents but have no code implementation to check against. This is the gap between what companies promise and what they build.
[Chart: pipeline performance]
This scan was run against the public OpenClaw repository. No affiliation with OpenClaw. Results reflect LUCID verification of AI-hallucinated claims, not a security audit of the project.