Hackers steal OpenClaw configuration in emerging AI agent threat

Researchers found an infostealer stole a victim’s OpenClaw configuration, marking a shift toward targeting personal AI agents.

Cybersecurity researchers have uncovered a new information stealer that exfiltrated a victim’s OpenClaw configuration environment, previously known as Clawdbot and Moltbot. According to cybersecurity firm Hudson Rock, the case highlights a new shift in infostealer activity, moving beyond stealing browser passwords to targeting the identities, settings, and “digital souls” of personal AI agents.

“Following our initial research into ClawdBot, Hudson Rock has now detected a live infection where an infostealer successfully exfiltrated a victim’s OpenClaw configuration environment.” reads the report published by Hudson Rock. “This finding marks a significant milestone in the evolution of infostealer behavior: the transition from stealing browser credentials to harvesting the “souls” and identities of personal AI agents.”

OpenClaw is an open-source personal AI assistant platform that lets users extend its capabilities by installing community-created “skills.” Formerly known as MoltBot and ClawdBot, it integrates with tools like Claude Code and often runs locally or via messaging apps, allowing skills to automate tasks, but also creating security risks if malicious skills are installed.

The researchers described the incident as a “grab-bag” attack: the infostealer did not use a dedicated OpenClaw module but a broad file-harvesting routine that scooped up sensitive extensions and folders, unintentionally capturing the full operational environment of the victim’s OpenClaw AI agent. Stolen files included openclaw.json with gateway tokens, device.json containing private cryptographic keys, and “soul” and memory files outlining the agent’s behavior and personal context.

“The openclaw.json file acts as the central nervous system for the agent. In this specific case, the attacker retrieved the victim’s redacted email address (ayou...[at]gmail.com), their workspace path, and a high-entropy Gateway Token.” continues the report. “Technical Risk: The exposed gateway.auth.token allows an attacker to connect to the victim’s local OpenClaw instance remotely if the port is exposed, or to impersonate the client in authenticated requests to the AI gateway.”

According to Hudson Rock, this data could allow attackers to impersonate the user’s device, access encrypted services, and effectively compromise the victim’s entire digital identity.

“This case is a stark reminder that infostealers are no longer just looking for your bank login. They are looking for your context. By stealing OpenClaw files, an attacker does not just get a password; they get a mirror of the victim’s life, a set of cryptographic keys to their local machine, and a session token to their most advanced AI models.” concludes the report. “As AI agents move from experimental toys to daily essentials, the incentive for malware authors to build specialized “AI-stealer” modules will only grow.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, OpenClaw)