
Cybersecurity researchers have revealed that they have detected information-stealer infections that successfully exfiltrated victims’ OpenClaw (formerly known as Clawdbot and Moltbot) configuration environments.
“This discovery marks an important milestone in the evolution of information thieves’ behavior, from stealing browser credentials to harvesting the ‘soul’ and identity of personal AI [artificial intelligence] agents,” Hudson Rock said.
Alon Gal, chief technology officer at Hudson Rock, told The Hacker News that, based on the details of the infection, the stealer was likely a variant of Vidar. Vidar is an established information stealer known to have been active since late 2018.
However, the cybersecurity firm said the data collection was not done by a custom OpenClaw module within the stealer malware, but rather by “extensive file retrieval routines” designed to look for specific file extensions and specific directory names containing sensitive data.
This included the following files:
- openclaw.json, which includes details related to the OpenClaw Gateway token, as well as the victim’s redacted email address and workspace path.
- device.json, which contains cryptographic keys for secure pairing and signing operations within the OpenClaw ecosystem.
- soul.md, which contains details of the agent’s core operating principles, behavioral guidelines, and ethical boundaries.
Note that if the gateway authentication token is stolen, it may be possible for an attacker to remotely connect to the victim’s local OpenClaw instance or impersonate the client in authenticated requests to the AI Gateway, if the port is exposed.
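Because the collection described above relies on generic file grabbing rather than an OpenClaw-specific module, defenders can hunt for it in file-access telemetry. The following is an added example, not code from the article or from Hudson Rock: it flags any non-allowlisted process that opens the three files named above and raises the severity when several are read in quick succession. The event format, the process allowlist and the sample paths are assumptions constructed for illustration.

```python
import json
from collections import defaultdict

# File names the article lists as taken from the OpenClaw configuration.
SENSITIVE = {"openclaw.json", "device.json", "soul.md"}
# Assumption: process names expected to read these files on your hosts.
ALLOWED = {"openclaw", "node"}
WINDOW = 10  # seconds; several agent files read this fast suggests bulk grabbing

# Constructed file-open telemetry, one JSON event per line (not real data).
SAMPLE = r"""
{"ts": 100, "host": "ws1", "pid": 2210, "proc": "node", "path": "/home/alice/agent/openclaw.json"}
{"ts": 300, "host": "ws2", "pid": 4312, "proc": "updater.exe", "path": "C:\\Users\\bob\\agent\\openclaw.json"}
{"ts": 301, "host": "ws2", "pid": 4312, "proc": "updater.exe", "path": "C:\\Users\\bob\\agent\\device.json"}
{"ts": 302, "host": "ws2", "pid": 4312, "proc": "updater.exe", "path": "C:\\Users\\bob\\agent\\soul.md"}
{"ts": 303, "host": "ws2", "pid": 4312, "proc": "updater.exe", "path": "C:\\Users\\bob\\Documents\\notes.txt"}
{"ts": 500, "host": "ws1", "pid": 900, "proc": "backup-agent", "path": "/home/alice/agent/soul.md"}
"""

def detect(lines, allowed=ALLOWED, window=WINDOW):
    """Return one alert per non-allowlisted process that opened agent files."""
    hits = defaultdict(list)  # (host, pid, proc) -> [(ts, file name)]
    for line in lines:
        if not line.strip():
            continue
        ev = json.loads(line)
        # Match on base name only, so Windows and POSIX paths both work.
        name = ev["path"].replace("\\", "/").rsplit("/", 1)[-1].lower()
        if name in SENSITIVE and ev["proc"].lower() not in allowed:
            hits[(ev["host"], ev["pid"], ev["proc"])].append((ev["ts"], name))
    alerts = []
    for (host, pid, proc), seen in hits.items():
        seen.sort()
        # Two different agent files opened within the window => bulk collection.
        burst = any(b[0] - a[0] <= window and a[1] != b[1]
                    for a, b in zip(seen, seen[1:]))
        alerts.append({"host": host, "pid": pid, "proc": proc,
                       "files": sorted({n for _, n in seen}),
                       "severity": "high" if burst else "medium"})
    return alerts

if __name__ == "__main__":
    for alert in detect(SAMPLE.splitlines()):
        print(alert)
```

Matching on base names alone will also catch unrelated files called device.json, so in practice the rule should be scoped to the directory where the agent's configuration actually lives.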

“While the malware may have been looking for standard ‘secrets’, it inadvertently struck gold by capturing the entire operating context of the user’s AI assistant,” added Hudson Rock. “As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers may release dedicated modules specifically designed to decrypt and parse these files, much like Chrome and Telegram do today.”
The disclosure comes as security issues with OpenClaw prompted the administrator of the open source agent platform to announce a partnership with VirusTotal to add capabilities to scan for malicious skills uploaded to ClawHub, establish threat models, and audit for potential misconfigurations.

Last week, the OpenSourceMalware team detailed an ongoing ClawHub malicious skills campaign that uses a new technique to bypass VirusTotal scans by hosting the malware on an OpenClaw-like website and using the skill purely as a decoy, rather than directly embedding the payload in the SKILL.md file.
“The shift from embedded payloads to external malware hosting shows that threat actors are adapting their detection capabilities,” said security researcher Paul McCarty. “As AI skill registries proliferate, they become increasingly attractive targets for supply chain attacks.”
Another security issue, highlighted by OX Security, concerns Moltbook, a Reddit-like internet forum designed primarily for artificial intelligence agents running on OpenClaw. OX Security's investigation found that once an AI agent account is created on Moltbook, it cannot be deleted. This means that users who want to delete their accounts and the associated data have no recourse.
Additionally, an analysis published by SecurityScorecard’s STRIKE Threat Intelligence team found that hundreds of thousands of OpenClaw instances are exposed, potentially exposing users to remote code execution (RCE) risks.
[Image: Fake OpenClaw website offering malware]
“The RCE vulnerability could allow an attacker to send malicious requests to the service and execute arbitrary code on the underlying system,” the cybersecurity firm said. “If OpenClaw is running with permissions to email, APIs, cloud services, or internal resources, RCE vulnerabilities can be a critical point. An attacker does not need to compromise multiple systems; they need one public service that they already have permission to act on.”
OpenClaw was first published in November 2025, and since then interest in the project has rapidly increased. As of this writing, this open source project has over 200,000 stars on GitHub. On February 15, 2026, OpenAI CEO Sam Altman announced that OpenClaw founder Peter Steinberger would be joining the AI company, adding, “OpenClaw will exist within the Foundation as an open source project and will continue to be supported by OpenAI.”
