First infostealer malware caught stealing OpenClaw AI agent credentials

Information-stealing malware has been documented stealing OpenClaw configuration files containing API keys, authentication tokens, and encryption keys for the first time.

What happened

According to BleepingComputer, security researchers documented the first in-the-wild instance of infostealer malware successfully exfiltrating OpenClaw configuration files. The attack occurred on February 13, 2026, when a variant of the Vidar infostealer stole files from the ".openclaw" configuration directory on a victim's machine. The malware does not specifically target OpenClaw, but instead executes a broad file-stealing routine scanning for sensitive files and directories containing keywords like "token" and "private key." Stolen files included openclaw.json (containing gateway authentication tokens and email addresses), device.json (containing public and private encryption keys for device pairing and signing), and memory files including soul.md, AGENTS.md, and MEMORY.md (storing persistent contextual data including daily activity logs, private messages, and calendar events). The analysis concluded the stolen data is sufficient to potentially enable full compromise of the victim's digital identity.

The backstory

OpenClaw (formerly ClawdBot and MoltBot) is a local-running AI agent framework that maintains persistent configuration and memory environments on users' machines. The tool can access local files, log in to email and communication apps, and interact with online services. Created by Peter Steinberger, the project launched in 2025 as Clawdbot before rebranding to Moltbot after Anthropic requested a name change, then rebranding again to OpenClaw at the end of January 2026. Since its release, OpenClaw has seen widespread adoption worldwide, with users employing it to manage everyday tasks and act as an AI assistant.

However, the framework has faced security concerns. In early February 2026, security researcher Paul McCarty identified 386 malicious skills on ClawHub (OpenClaw's official skill repository) that delivered information-stealing malware targeting cryptocurrency traders. One attacker accumulated nearly 7,000 downloads before McCarty contacted the OpenClaw team. Days before that discovery, pentester Jamieson O'Reilly exposed vulnerabilities showing misconfigured reverse proxies caused the system to treat all internet traffic as trusted, allowing unauthenticated access to sensitive data. Hudson Rock had predicted infostealer targeting since late January 2026, calling OpenClaw "the new primary target for infostealers."

Going deeper

The specific OpenClaw files stolen by the malware include:

• openclaw.json – Exposed the victim's redacted email, workspace path, and a high-entropy gateway authentication token, which could enable remote connection to a local OpenClaw instance or client impersonation in authenticated requests.
• device.json – Contained both publicKeyPem and privateKeyPem used for pairing and signing. With the private key, an attacker could sign messages as the victim's device, potentially bypass "Safe Device" checks, and access encrypted logs or cloud services paired with the device.
• soul.md and memory files (AGENTS.md, MEMORY.md) – Define the agent's behavior and store persistent contextual data, including daily activity logs, private messages, and calendar events.
  
  

What was said

Diana Kelley, AI expert and CISO at Noma Security, previously told Infosecurity regarding OpenClaw security risks that "when an assistant can act with user-level privileges across files, tokens, networks and infrastructure, a compromised extension becomes delegated execution plus delegated authority." She explained that endpoint-native agents "inherit your privileges and expand your trust boundary to wherever they run."

In the know

Information-stealing malware, or infostealers, are designed to extract sensitive data from infected systems. Traditionally, these malware variants have focused on stealing browser credentials, cookies, and saved passwords. However, as AI agent frameworks like OpenClaw become integrated into daily workflows, they store sensitive authentication credentials and personal data in configuration files on local machines. These frameworks maintain persistent access to email, messaging apps, cloud services, and local files, making their configuration directories good targets for cybercriminals seeking to compromise digital identities.

Why it matters

This attack is the first documented case of infostealers specifically harvesting AI agent credentials and memory files. Unlike browser credential theft, compromising OpenClaw configuration files provides attackers with authentication tokens to multiple cloud services, encryption keys for device impersonation, and memory files containing private conversations and calendar events.

FAQs

What is OpenClaw and how does it work?

OpenClaw is a local AI agent framework that runs on your computer and can access your files, log into apps, and interact with online services on your behalf using stored authentication credentials.

How do infostealers infect computers?

Infostealers usually spread through phishing emails, malicious downloads, compromised software, or infected websites that trick users into running malware on their systems.

What should you do if you suspect that OpenClaw configurations have been compromised?

Immediately revoke all API keys and authentication tokens stored in your OpenClaw configuration, change passwords for connected services, and scan your system with updated antivirus software.