OpenClaw Data Breach: Infostealer Malware Exfiltrates Sensitive Files
Researchers Discover Infostealer Exfiltrating Sensitive OpenClaw Configuration Files
A recent attack has marked a significant shift in the tactics employed by infostealer malware, as researchers have found that an infostealer has exfiltrated sensitive OpenClaw configuration files. OpenClaw, an open-source AI agent, has gained widespread popularity as a personal and professional assistant, often having extensive access to users’ systems and services to complete tasks autonomously.
Stolen Files and Their Significance
According to Hudson Rock, the infostealer extracted key files from victims’ OpenClaw directories, including openclaw.json, device.json, and soul.md, along with additional memory files. The malware obtained these files through a broad sweep for sensitive file extensions, rather than specifically targeting OpenClaw.
The stolen files contain sensitive information that could allow an attacker to connect to the victim’s local OpenClaw instance remotely, sign messages as the victim’s device, and gain insight into the victim’s personal or professional life and schedule. The openclaw.json file, described as the OpenClaw agent’s “central nervous system,” contains the victim’s address, OpenClaw workspace path, and a gateway token that could be leveraged to connect to the local OpenClaw instance if port 18789 is exposed.
Implications of the Stolen Files
The device.json file contains the public and private keys used by OpenClaw for secure pairing and signing operations. An attacker could extract these keys and use the private key to sign messages on behalf of the victim’s device, potentially passing “Safe Device” checks and gaining access to paired cloud services.
The “soul.md” and memory files offer an inside look into the OpenClaw agent’s internal instructions, context, and knowledge about the user, which could include sensitive personal or professional information, private messages, and calendar data. By combining this personal context with tokens and cryptographic secrets, an attacker could potentially orchestrate a total compromise of the user’s digital identity.
Incident and Future Expectations
This incident marks one of the first publicly reported cases of malware exfiltrating sensitive OpenClaw files. Previously, OpenClaw’s official skill registry, ClawHub, was found to host over 300 malicious skills spreading keyloggers and the Atomic macOS Stealer (AMOS) malware. OpenClaw has since partnered with VirusTotal to scan the ClawHub marketplace for malicious skills.
As AI agents become increasingly integrated into professional workflows, researchers expect infostealer developers to release dedicated modules specifically designed to decrypt and parse OpenClaw files, similar to those used for Chrome and Telegram today. The incentive for malware authors to build specialized “AI-stealer” modules will only grow as AI agents move from experimental tools to daily essentials.
About Author
English