Cybersecurity firm Hudson Rock says it has observed the first known in-the-wild case of infostealer malware targeting files linked to the OpenClaw AI agent framework that stores sensitive configuration data on users’ machines.
OpenClaw (formerly known as ClawdBot and MoltBot) operates as a persistent AI assistant, maintaining configuration files and long-term memory in a local environment. The tool can access local files, log in to email and communication applications on the host system, and interact with online services.
Hudson Rock researchers detected a live infection in which an infostealer successfully exfiltrated a victim’s OpenClaw configuration environment. The researchers believe the malware involved is a variant of the Vidar infostealer.
The malware does not appear to specifically target OpenClaw. Instead, it executes a broad file-harvesting routine that scans infected systems for sensitive files and directories containing keywords such as “token” and “private key.” Because OpenClaw’s hidden “.openclaw” configuration directory includes files with these terms, they were swept up during the automated data grab.
The list of stolen files included:
- openclaw.json – Exposed the victim’s redacted email address, workspace path, and a high-entropy gateway authentication token. If misused, the token could allow remote connection to a local OpenClaw instance or enable impersonation in authenticated requests.
- device.json – Contained both publicKeyPem and privateKeyPem keys used for pairing and cryptographic signing. Possession of the private key could allow an attacker to sign messages as the victim’s device, potentially bypass “Safe Device” checks and access encrypted logs or associated cloud services.
- soul.md and memory files (AGENTS.md, MEMORY.md) – Defined the AI agent’s behavior and stored persistent contextual data, including daily activity logs, private messages, and calendar events.
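
For defenders who want to know which credentials in an agent configuration directory would need rotating after an infection like this, the added example below (not code from Hudson Rock or the OpenClaw project) lists the JSON key names that match the keywords named in the article, without printing any values. The sample file contents and the nested "gateway.authToken" key are constructed assumptions; only publicKeyPem and privateKeyPem are field names taken from the article.

```python
import json
import stat
import tempfile
from pathlib import Path

# Markers from the article: the stealer's keywords "token" and "private key"
# (device.json's privateKeyPem matches the second once normalised).
MARKERS = ("token", "privatekey")


def secret_key_paths(node, prefix=""):
    """Yield dotted paths of JSON keys whose names contain a marker; values are not emitted."""
    if isinstance(node, dict):
        for key, value in node.items():
            path = f"{prefix}.{key}" if prefix else key
            norm = "".join(c for c in key.lower() if c.isalnum())
            if any(m in norm for m in MARKERS):
                yield path
            yield from secret_key_paths(value, path)
    elif isinstance(node, list):
        for i, item in enumerate(node):
            yield from secret_key_paths(item, f"{prefix}[{i}]")


def audit_agent_dir(root):
    """Return one finding per JSON file under root that holds secret-like keys."""
    findings = []
    for path in sorted(Path(root).rglob("*.json")):
        try:
            data = json.loads(path.read_text(encoding="utf-8"))
        except (OSError, ValueError):
            continue  # unreadable or invalid JSON: nothing to inventory
        keys = list(secret_key_paths(data))
        if keys:
            mode = stat.S_IMODE(path.stat().st_mode)
            # Group/other read bits widen exposure beyond the owning account.
            findings.append({"file": path.name, "keys": keys,
                             "loose_mode": bool(mode & 0o044)})
    return findings


if __name__ == "__main__":
    # Constructed sample; the nesting and the "authToken" name are assumptions.
    with tempfile.TemporaryDirectory() as tmp:
        Path(tmp, "openclaw.json").write_text('{"gateway": {"authToken": "CONSTRUCTED"}}')
        Path(tmp, "device.json").write_text('{"publicKeyPem": "x", "privateKeyPem": "CONSTRUCTED"}')
        for finding in audit_agent_dir(tmp):
            print(finding)
```

Tight file modes do not stop malware running under the same user account, so the main use of the output is as a rotation checklist: every listed key is a credential to reissue if the host is suspected of infection.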