Cybersecurity firm Hudson Rock has documented what it calls the first observed case of infostealer malware successfully harvesting a user's complete OpenClaw agent identity — marking a new frontier in AI-targeted threats.
What Was Stolen
A Vidar infostealer variant grabbed three critical files from a victim's .openclaw directory on February 13, 2026:
- openclaw.json — Contains the gateway authentication token and email address, giving remote control of the AI agent.
- device.json — Contains the private key used for device pairing, allowing an attacker to impersonate the victim's trusted device and bypass safety checks.
- soul.md — The agent's personality and operational guidelines, described by researchers as "a blueprint of the user's life."
How It Happened
The malware did not use a specialized OpenClaw module. Instead, it employed a broad file-grabbing routine that sweeps for sensitive file extensions and directory names — the same approach used to steal browser credentials. The .openclaw directory was simply caught in the net.
Why It Matters
Hudson Rock warned that "infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today." The stolen gateway token could allow an attacker to connect to the victim's OpenClaw instance remotely or masquerade as the client in authenticated requests.
Recommendations
Security experts recommend running OpenClaw in sandboxed environments, rotating gateway tokens regularly, and ensuring the .openclaw directory is excluded from cloud sync services. OpenClaw Launch users benefit from managed infrastructure that keeps credentials server-side rather than on local machines.
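A small local audit that checks the three recommendations above against a .openclaw directory (added example; not Hudson Rock's or OpenClaw's code). The three file names come from the report; the 0600/0700 permission expectation, the cloud-sync folder names, and the 30-day rotation window are assumptions, and the sample layout it audits is constructed in a temporary directory.

```python
# Hygiene audit for a local .openclaw directory (added example, not Hudson Rock's
# or OpenClaw's code). File names are from the report; the 0600/0700 expectation,
# the sync-folder names and the 30-day rotation window are assumptions.
import os
import stat
import tempfile
import time
from pathlib import Path

SENSITIVE_FILES = ("openclaw.json", "device.json", "soul.md")
SYNC_FOLDER_NAMES = ("Dropbox", "OneDrive", "Google Drive", "iCloud Drive")  # assumed
TOKEN_MAX_AGE_DAYS = 30  # assumed rotation policy


def audit_openclaw_dir(openclaw_dir, now=None):
    """Return a list of findings (empty when the directory passes every check)."""
    now = time.time() if now is None else now
    base = Path(openclaw_dir)
    findings = []
    # Excluded-from-sync check: any ancestor named like a sync folder is a problem.
    if any(part in SYNC_FOLDER_NAMES for part in base.resolve().parts):
        findings.append("directory is inside a cloud-sync folder")
    if base.is_dir() and stat.S_IMODE(base.stat().st_mode) & 0o077:
        findings.append("directory is group/world accessible")
    for name in SENSITIVE_FILES:
        f = base / name
        if not f.is_file():
            continue
        if stat.S_IMODE(f.stat().st_mode) & 0o077:
            findings.append(f"{name} is group/world readable")
        if name == "openclaw.json":  # holds the gateway token; mtime is a rotation proxy
            age_days = (now - f.stat().st_mtime) / 86400
            if age_days > TOKEN_MAX_AGE_DAYS:
                findings.append(f"openclaw.json unchanged for {age_days:.0f} days; rotate the gateway token")
    return findings


def demo():
    """Audit a constructed sample layout that violates three of the checks."""
    d = Path(tempfile.mkdtemp()) / "Dropbox" / ".openclaw"  # constructed, under a sync folder
    d.mkdir(parents=True)
    os.chmod(d, 0o700)
    for name in SENSITIVE_FILES:
        (d / name).write_text("placeholder")  # constructed contents, not a real token
        os.chmod(d / name, 0o600)
    os.chmod(d / "openclaw.json", 0o644)  # too permissive
    old = time.time() - 90 * 86400           # token older than the rotation window
    os.utime(d / "openclaw.json", (old, old))
    return audit_openclaw_dir(d)


if __name__ == "__main__":
    for line in demo():
        print("-", line)
```

Run it against the real directory with `audit_openclaw_dir(Path.home() / ".openclaw")`; an empty result means the three recommended controls are in place on that machine.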