Researchers found that an infostealer exfiltrated sensitive OpenClaw configuration files in a recent attack, marking a shift from traditional credential theft to the potential infiltration of autonomous AI agents.

OpenClaw open-source AI agents have recently gained massive popularity as personal and professional assistants. The OpenClaw agents often have extensive access to users’ systems and services to complete tasks autonomously.

Hudson Rock reported Monday that an infostealer extracted key files from victims' OpenClaw directory, including openclaw.json, device.json and soul.md, along with additional memory files. Rather than target OpenClaw specifically, the malware obtained the files through a broad sweep for sensitive file extensions, the researchers said.

“We expect this to change rapidly. As AI agents like OpenClaw become more integrated into professional workflows, infostealer developers will likely release dedicated modules specifically designed to decrypt and parse these files, much like they do for Chrome and Telegram today,” the researchers wrote.

The stolen details could potentially allow an attacker to connect to the victim’s local OpenClaw instance remotely, sign messages as the victim’s device, and gain insight into the victim’s personal or professional life and schedule.

The openclaw.json file, which Hudson Rock describes as the OpenClaw agent’s “central nervous system,” contained the victim’s email address, their OpenClaw workspace path and a gateway token “gateway.auth.token,” which attackers could leverage to connect to the local OpenClaw instance if port 18789 is exposed.

From the device.json file, the attacker could extract the public and private keys that OpenClaw uses for secure pairing and signing operations, Hudson Rock explained. By using the private key to sign messages on behalf of the victim’s device, the attacker could potentially pass “Safe Device” checks and gain access to paired cloud services.

Finally, the “soul.md” and memory files offer an inside look into the OpenClaw agent’s internal instructions, context and what it knows about the user, which could include sensitive personal or professional information, private messages and calendar events.

Using a combination of this personal context, tokens and cryptographic secrets, an attacker could potentially “orchestrate a total compromise of the user’s digital identity,” Hudson Rock concluded.

“As AI agents move from experimental toys to daily essentials, the incentive for malware authors to build specialized ‘AI-stealer’ modules will only grow,” the researchers said.

This incident is one of the first publicly reported cases of malware exfiltrating sensitive OpenClaw files. Previously, OpenClaw’s official skill registry ClawHub was found to host more than 300 malicious skills spreading keyloggers and the Atomic macOS Stealer (AMOS) malware. OpenClaw has since partnered with VirusTotal to scan the ClawHub marketplace for malicious skills.
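
The article ties the usefulness of a stolen gateway token to whether port 18789 is exposed. The following is an added example for defenders, not code from Hudson Rock or the OpenClaw project: it reads `ss -ltn` output and a copy of openclaw.json to report whether the gateway listens beyond loopback while a token sits on disk. The function names, the nested JSON layout and both sample inputs are assumptions constructed for illustration.

```python
import ipaddress
import json

GATEWAY_PORT = 18789  # port named in the article

# Constructed samples, not from a real host. The nested JSON layout is an
# assumption; the article gives only the key path "gateway.auth.token".
SAMPLE_SS = """\
State  Recv-Q Send-Q Local Address:Port  Peer Address:Port
LISTEN 0      511        127.0.0.1:18789      0.0.0.0:*
LISTEN 0      511          0.0.0.0:18789      0.0.0.0:*
LISTEN 0      128             [::]:22            [::]:*
LISTEN 0      511            [::1]:18789         [::]:*
"""
SAMPLE_CONFIG = '{"gateway": {"auth": {"token": "CONSTRUCTED-PLACEHOLDER"}}}'

def exposed_listeners(ss_output, port=GATEWAY_PORT):
    """Return non-loopback local addresses listening on `port`."""
    exposed = []
    for line in ss_output.splitlines():
        fields = line.split()
        if len(fields) < 4 or fields[0] != "LISTEN":
            continue  # header or non-listening row
        host, _, local_port = fields[3].rpartition(":")
        if local_port != str(port):
            continue
        host = host.split("%")[0].strip("[]")  # drop %iface scope and IPv6 brackets
        try:
            loopback = ipaddress.ip_address(host).is_loopback
        except ValueError:  # "*" wildcard or unparseable: report, never assume safe
            loopback = False
        if not loopback:
            exposed.append(host)
    return exposed

def has_gateway_token(config_text):
    """True if the gateway.auth.token key path holds a non-empty value."""
    node = json.loads(config_text)
    for key in ("gateway", "auth", "token"):
        if not isinstance(node, dict) or key not in node:
            return False
        node = node[key]
    return bool(node)

def assess(ss_output, config_text):
    """Summarise whether a stolen config would be usable from the network."""
    listeners, token = exposed_listeners(ss_output), has_gateway_token(config_text)
    return {"token_on_disk": token, "exposed_on": listeners,
            "remote_use_possible": token and bool(listeners)}
```

The token value is never printed or returned, so the result can be logged or sent to a ticketing system without leaking the secret.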
AI/ML, Malware, Threat Intelligence, Identity, Application security
Infostealer exfiltrates sensitive OpenClaw files




