Infostealer Steals OpenClaw AI Agent Configuration Files and Gateway Tokens

Cybersecurity researchers have disclosed a case of an information stealer infection that successfully exfiltrated a victim's OpenClaw (formerly Clawdbot and Moltbot) configuration environment.
“This discovery marks a milestone in the evolution of infostealer behavior: a transition from stealing browser information to harvesting ‘souls’ and personal AI identities. [artificial intelligence] ambassadors,” said Hudson Rock.
Alon Gal, CTO of Hudson Rock, told The Hacker News that, based on the details of the infection, the attacker may be different from Vidar. Vidar is an off-the-shelf information stealer known to be active since late 2018.
That said, the cybersecurity firm said the data was not captured by a custom OpenClaw module within the stealer malware, but rather by a “comprehensive file capture system” designed to look for specific file extensions and specific directory names that contain sensitive data.
This included the following files:
- openclaw.json, which contains information related to the OpenClaw gateway token, as well as the configured email address and path to the workstation.
- device.json, which contains cryptographic keys for secure pairing and signing functions within the OpenClaw ecosystem.
- soul.md, which contains details of the agent’s core operating principles, ethical guidelines, and ethical parameters.
It’s worth noting that theft of the gateway’s authentication token can allow an attacker to connect remotely to the victim’s OpenClaw environment if it is exposed, or even pose as the client in authenticated requests to the AI gateway.
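
The file-grabbing behaviour described above can be caught on the defender's side by correlating file-read telemetry: one unexpected process reading several of these files in quick succession. The following is an added example, not code from Hudson Rock or the OpenClaw project; only the three file names come from the article, while the event format, the paths, the `openclaw` process name and the 30-second window are assumptions.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from pathlib import PurePosixPath

# File names are taken from the article; everything else here is an assumption.
SENSITIVE_NAMES = {"openclaw.json", "device.json", "soul.md"}
ALLOWED_PROCESSES = {"openclaw"}      # hypothetical name of the legitimate reader
WINDOW = timedelta(seconds=30)        # hypothetical correlation window

# Constructed sample events: "<ISO timestamp> <process> <path opened for read>"
SAMPLE_EVENTS = """\
2026-02-10T09:00:01 openclaw /home/u/.agent/openclaw.json
2026-02-10T09:00:01 openclaw /home/u/.agent/device.json
2026-02-10T09:14:40 editor /home/u/.agent/soul.md
2026-02-10T11:32:07 updater /home/u/.agent/openclaw.json
2026-02-10T11:32:08 updater /home/u/Documents/notes.txt
2026-02-10T11:32:09 updater /home/u/.agent/device.json
2026-02-10T11:32:09 updater /home/u/.agent/soul.md
"""

def parse(line):
    ts, proc, path = line.split(maxsplit=2)
    return datetime.fromisoformat(ts), proc, PurePosixPath(path).name.lower()

def find_bulk_readers(text, min_distinct=2):
    """Return {process: sorted file names} for unexpected processes that read
    at least min_distinct different sensitive files within WINDOW."""
    reads = defaultdict(list)                      # process -> [(time, name)]
    for line in filter(None, map(str.strip, text.splitlines())):
        ts, proc, name = parse(line)
        if name in SENSITIVE_NAMES and proc not in ALLOWED_PROCESSES:
            reads[proc].append((ts, name))
    alerts = {}
    for proc, events in reads.items():
        events.sort()
        start = 0
        for end, (ts, _) in enumerate(events):
            while ts - events[start][0] > WINDOW:  # shrink window from the left
                start += 1
            seen = {n for _, n in events[start:end + 1]}
            if len(seen) >= min_distinct:
                alerts[proc] = sorted(set(alerts.get(proc, [])) | seen)
    return alerts

if __name__ == "__main__":
    for proc, names in find_bulk_readers(SAMPLE_EVENTS).items():
        print(f"ALERT {proc}: read {', '.join(names)} within {WINDOW}")
```

A single read by an editor or backup tool stays below the threshold; the alert fires only when one non-allowlisted process touches two or more of the files inside the window.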

“While the malware may have been looking for generic ‘secrets’, it inadvertently struck gold by capturing the entire context of the user’s AI assistant,” added Hudson Rock. “As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and transfer these files, as they do in Chrome or Telegram today.”
The disclosure comes as security issues with OpenClaw prompted the open source agent platform’s maintainers to announce a partnership with VirusTotal to scan for malicious capabilities uploaded to ClawHub, establish a threat model, and add the ability to test for potential fixes.

Last week, the OpenSourceMalware team detailed an ongoing ClawHub malicious skills campaign that uses a new method to bypass VirusTotal scans: the malware is hosted on websites that look like OpenClaw and the skills themselves are just fakes, instead of the payload being embedded directly in their SKILL.md files.
“The shift from embedded payloads to hosting external malware shows threat actors adapting to detection capabilities,” said security researcher Paul McCarty. “As the register of AI capabilities grows, they become attractive targets for supply chain attacks.”
Another security issue highlighted by OX Security concerns Moltbook, a Reddit-like online forum specifically designed for artificial intelligence agents, especially those working on OpenClaw. Research has found that an AI agent account, once created in Moltbook, cannot be deleted. This means that users who wish to delete their accounts and the associated data have no way to do so.
In addition, an analysis published by SecurityScorecard’s STRIKE Threat Intelligence team found hundreds of thousands of OpenClaw exploits, potentially exposing users to remote code execution (RCE) vulnerabilities.
[Image: A fake OpenClaw website that serves malware]
“The RCE vulnerability allows an attacker to send a malicious request to a service and execute arbitrary code on the underlying system,” the cybersecurity firm said. “When OpenClaw works with e-mail permissions, APIs, cloud services, or internal services, RCE vulnerabilities can be a key area. A bad actor doesn’t need to break into multiple systems. They just need one exposed service that already has the authority to act.”
OpenClaw has enjoyed a viral boom since it first came out in November 2025. As of writing, the open source project has over 200,000 stars on GitHub. On February 15, 2026, OpenAI CEO Sam Altman said that OpenClaw’s founder, Peter Steinberger, will join the AI company, adding, “OpenClaw will live on as an open source project that OpenAI will continue to support.”




