Security researchers claim to have documented a major shift in the infostealer landscape after witnessing the first live attack targeting an OpenClaw configuration environment.

Formerly known as Clawdbot and Moltbot, OpenClaw is a popular agentic AI assistant that runs locally on a user’s machine.

The permissions users grant it to access sensitive data and systems, insecure default settings and plaintext storage of secrets have raised eyebrows in the security community.

Now threat actors appear to be actively hunting for those secrets, according to Hudson Rock.

“The infostealer utilized a broad file-grabbing routine designed to sweep for sensitive file extensions and specific directory names (like .openclaw),” the firm wrote in a blog post yesterday.

“While the malware may have been looking for standard ‘secrets,’ it inadvertently struck gold by capturing the entire operational context of the user’s AI assistant.”

Read more on OpenClaw: Hundreds of Malicious Crypto Trading Add-Ons Found in Moltbot/OpenClaw.

The infostealer documented by Hudson Rock stole:

• The openclaw.json file, which enabled it to retrieve the victim’s email address, workspace path and high-entropy gateway token. The latter could enable an attacker to remotely connect to a local OpenClaw instance via an exposed port, or impersonate the client in authenticated requests to the AI gateway, the report noted
• The device.json file which contains the publicKeyPem and privateKeyPem of the user’s device. These are used for secure pairing and signing operations in OpenClaw. An attacker with the private key could apparently bypass “safe device” checks, and access encrypted logs or paired cloud services
• The soul.md and memory files (agents.md, memory.md), which provide a threat actor with “a blueprint of the user’s life.” Hudson Rock warned that the memory files likely contained sensitive daily logs of user activities, calendar events and private messages

“Hudson Rock’s AI system, Enki, performed an automated risk assessment on the exfiltrated files,” the report continued. “The analysis demonstrates how an attacker can leverage these disparate pieces of information, including tokens, keys, and personal context, to orchestrate a total compromise of the user’s digital identity.”

A New Era

The infostealer spotted in this attack was not specially designed to target ClawdBot or similar tools, but that is likely to change in the near future, Hudson Rock said.

“As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome or Telegram today,” it predicted.

“By stealing OpenClaw files, an attacker does not just get a password; they get a mirror of the victim’s life, a set of cryptographic keys to their local machine, and a session token to their most advanced AI models.”

Security experts have previously warned of a shadow AI risk if users link OpenClaw to enterprise systems.