
Infostealer Steals OpenClaw AI Agent Configuration Information and Gateway Tokens

Cybersecurity researchers disclosed they’ve detected a case of an information stealer infection successfully exfiltrating a victim’s OpenClaw (formerly Clawdbot and Moltbot) configuration environment.

“This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the ‘souls’ and identities of personal AI [artificial intelligence] agents,” Hudson Rock said.

Alon Gal, CTO of Hudson Rock, told The Hacker News that the stealer was likely a variant of Vidar based on the infection details. Vidar is an off-the-shelf information stealer that’s known to be active since late 2018.

That said, the cybersecurity company said the data capture was not facilitated by a custom OpenClaw module within the stealer malware, but rather through a “broad file-grabbing routine” that’s designed to look for certain file extensions and specific directory names containing sensitive data.

This included the following files:

  • openclaw.json, which contains details related to the OpenClaw gateway token, along with the victim’s redacted email address and workspace path.
  • machine.json, which contains cryptographic keys for secure pairing and signing operations within the OpenClaw ecosystem.
  • soul.md, which contains details of the agent’s core operational principles, behavioral guidelines, and ethical boundaries.

It is worth noting that the theft of the gateway authentication token can allow an attacker to connect to the victim’s local OpenClaw instance remotely if the port is exposed, or even masquerade as the client in authenticated requests to the AI gateway.
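The "if the port is exposed" condition above can be checked on a Linux host by reading the kernel's listening-socket table. The following is an added example, not code from Hudson Rock or the OpenClaw project; it flags listeners on a given port that are bound to anything other than loopback. The port number is a placeholder (the article does not state the gateway port) and the socket table is a constructed sample.

```python
import ipaddress
import struct

# Placeholder: the article does not give the gateway port; substitute your own.
GATEWAY_PORT = 8080

# Constructed sample in /proc/net/tcp format (IPv4, little-endian host).
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 0100007F:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41001
   1: 00000000:1F90 00000000:0000 0A 00000000:00000000 00:00000000 00000000  1000        0 41002
   2: 0A00A8C0:1F90 0500A8C0:D2F4 01 00000000:00000000 00:00000000 00000000  1000        0 41003
   3: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 41004
"""

TCP_LISTEN = "0A"  # kernel state code for a listening socket


def decode_endpoint(field):
    """Turn 'HEXIP:HEXPORT' into (IPv4Address, port)."""
    hex_ip, hex_port = field.split(":")
    # The address is stored as a little-endian 32-bit integer.
    ip = ipaddress.IPv4Address(struct.pack("<I", int(hex_ip, 16)))
    return ip, int(hex_port, 16)


def exposed_listeners(proc_net_tcp_text, port):
    """Return (ip, port) for LISTEN sockets on `port` not bound to loopback."""
    findings = []
    for line in proc_net_tcp_text.splitlines()[1:]:  # skip the header row
        cols = line.split()
        if len(cols) < 4 or cols[3] != TCP_LISTEN:
            continue  # established and other states are not listeners
        ip, local_port = decode_endpoint(cols[1])
        if local_port == port and not ip.is_loopback:
            findings.append((str(ip), local_port))
    return findings


if __name__ == "__main__":
    # On a live host, pass open("/proc/net/tcp").read() instead of the sample.
    for ip, port in exposed_listeners(SAMPLE_PROC_NET_TCP, GATEWAY_PORT):
        print(f"listener on {ip}:{port} is reachable beyond loopback")
```

A bind to 0.0.0.0 only means the service accepts connections on every interface; whether it is reachable from outside still depends on host and network firewalls. IPv6 listeners live in /proc/net/tcp6 and are not covered here.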

“While the malware may have been looking for standard ‘secrets,’ it inadvertently struck gold by capturing the entire operational context of the user’s AI assistant,” Hudson Rock added. “As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today.”

The disclosure comes as security issues with OpenClaw prompted the maintainers of the open-source agentic platform to announce a partnership with VirusTotal to scan for malicious skills uploaded to ClawHub, establish a threat model, and add the ability to audit for potential misconfigurations.

Last week, the OpenSourceMalware team detailed an ongoing ClawHub malicious skills campaign that uses a new technique to bypass VirusTotal scanning by hosting the malware on lookalike OpenClaw websites and using the skills purely as decoys, instead of embedding the payload directly in their SKILL.md files.


“The shift from embedded payloads to external malware hosting shows threat actors adapting to detection capabilities,” security researcher Paul McCarty said. “As AI skill registries grow, they become increasingly attractive targets for supply chain attacks.”

Another security problem highlighted by OX Security concerns Moltbook, a Reddit-like internet forum designed exclusively for artificial intelligence agents, primarily those running on OpenClaw. The research found that an AI Agent account, once created on Moltbook, can’t be deleted. This means that users who wish to delete the accounts and remove the associated data have no recourse.

What’s more, an analysis published by SecurityScorecard’s STRIKE Threat Intelligence team has also found hundreds of thousands of exposed OpenClaw instances, likely exposing users to remote code execution (RCE) risks.

Fake OpenClaw Website Serving Malware

“RCE vulnerabilities allow an attacker to send a malicious request to a service and execute arbitrary code on the underlying system,” the cybersecurity company said. “When OpenClaw runs with permissions to email, APIs, cloud services, or internal resources, an RCE vulnerability can become a pivot point. A bad actor doesn’t need to break into multiple systems. They need one exposed service that already has authority to act.”


OpenClaw has had a viral surge in interest since it first debuted in November 2025. As of writing, the open-source project has more than 200,000 stars on GitHub. On February 15, 2026, OpenAI CEO Sam Altman said OpenClaw’s founder, Peter Steinberger, would be joining the AI company, adding, “OpenClaw will live in a foundation as an open source project that OpenAI will continue to support.”
