Infostealers Begin Targeting OpenClaw AI Agent Configuration Files, Stealing Gateway Tokens and Cryptographic Keys
Information-stealing malware has been caught exfiltrating configuration files from OpenClaw, the rapidly growing open-source AI agent platform, in what researchers describe as the first observed case of infostealers targeting AI agent infrastructure.
"This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents," Hudson Rock said.
What Was Stolen
The infection, attributed to a likely Vidar stealer variant, captured three critical OpenClaw files through a broad file-grabbing routine rather than a dedicated OpenClaw module:
openclaw.json — Contains the OpenClaw gateway authentication token, the victim's email address, and workspace path. A stolen gateway token could allow an attacker to connect to the victim's local OpenClaw instance remotely if the port is exposed, or masquerade as the client in authenticated requests to the AI gateway.
device.json — Contains cryptographic keys used for secure pairing and signing operations within the OpenClaw ecosystem.
soul.md — Contains the agent's core operational principles, behavioral guidelines, and ethical boundaries — effectively the AI agent's identity and instruction set.
Why This Matters
OpenClaw has surged to over 200,000 GitHub stars since its November 2025 debut and is increasingly integrated into professional development workflows. AI agents running on OpenClaw often have permissions to access email, APIs, cloud services, and internal resources. Compromising an agent's authentication tokens doesn't just steal credentials — it gives attackers a pre-authorised entry point into every service the agent can reach.
Hudson Rock warned that as AI agents become more embedded in workflows, infostealer developers will likely release dedicated parsing modules specifically designed to decrypt and extract OpenClaw data, mirroring how existing stealers already target Chrome, Telegram, and cryptocurrency wallets.
Broader OpenClaw Security Concerns
The infostealer finding arrives alongside a series of escalating security issues across the OpenClaw ecosystem:
SecurityScorecard's STRIKE team has identified hundreds of thousands of exposed OpenClaw instances vulnerable to remote code execution. An exposed instance with permissions to email, APIs, or cloud services becomes a pivot point requiring only one exploited service to compromise downstream resources.
The OpenSourceMalware team documented an ongoing campaign targeting ClawHub — OpenClaw's skill registry — using lookalike websites to host malware while uploading decoy skills to bypass VirusTotal scanning. The technique shifts from embedding payloads directly in skill files to external malware hosting, demonstrating threat actor adaptation to detection capabilities.
In response, OpenClaw's maintainers announced a partnership with VirusTotal to scan ClawHub skill uploads, established a formal threat model, and added auditing capabilities for misconfigurations.
Recommendation
Organisations deploying OpenClaw should treat agent configuration files with the same sensitivity as SSH keys and API credentials. Restrict file system permissions on openclaw.json and device.json, avoid exposing OpenClaw ports to the internet, and monitor for unauthorised access to agent configuration directories. Audit the permissions granted to AI agents — particularly access to email, cloud APIs, and internal resources — and apply the principle of least privilege. Review ClawHub skill installations against known malicious indicators and update to the latest OpenClaw version with VirusTotal scanning enabled.
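One way to check the file-permission recommendation above, as an added example that is not OpenClaw's own auditing code: it applies the SSH-key rule (no group or other access) to openclaw.json, device.json and the directory holding them. The directory location is an assumption supplied by the caller, and the function names are hypothetical.

```python
import os
import stat
import tempfile

# File names come from the article; the directory holding them is supplied
# by the caller, because its real location is not stated on the page.
SENSITIVE_FILES = ("openclaw.json", "device.json")


def audit_config_dir(config_dir, fix=False):
    """Return a list of findings; with fix=True also tighten modes in place."""
    findings = []
    uid = os.getuid()
    targets = [(config_dir, 0o700)]
    targets += [(os.path.join(config_dir, n), 0o600) for n in SENSITIVE_FILES]
    for path, wanted in targets:
        try:
            st = os.lstat(path)  # lstat: do not follow a planted symlink
        except FileNotFoundError:
            continue
        if stat.S_ISLNK(st.st_mode):
            findings.append((path, "is a symlink; inspect target manually"))
            continue
        if st.st_uid != uid:
            findings.append((path, f"owned by uid {st.st_uid}, expected {uid}"))
        mode = stat.S_IMODE(st.st_mode)
        if mode & 0o077:  # any group/other bit, as with SSH private keys
            findings.append((path, f"mode {mode:04o} exposes group/other"))
            if fix and st.st_uid == uid:
                os.chmod(path, wanted)
    return findings


def demo():
    """Constructed sample: a temp directory with loosely permissioned files."""
    with tempfile.TemporaryDirectory() as d:
        os.chmod(d, 0o755)
        for name in SENSITIVE_FILES:
            p = os.path.join(d, name)
            with open(p, "w") as fh:
                fh.write("{}")  # placeholder content, no real token
            os.chmod(p, 0o644)
        before = audit_config_dir(d, fix=True)
        after = audit_config_dir(d)
        return before, after


if __name__ == "__main__":
    print(demo())
```

Run it against the real configuration directory with fix=False first to see the findings before changing anything.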