What happened

Cybersecurity researchers reported a live incident in which infostealer malware stole a victim’s OpenClaw AI assistant configuration and identity files, including tokens, cryptographic keys, and contextual memory logs.

These files can contain sensitive authentication tokens, device pairing keys, user identifiers, and the AI assistant’s behavioural definition - effectively the “digital identity” and operational context of the AI agent.

The malware was not custom-built for OpenClaw initially but captured the AI’s data because it operated broadly across file systems. Nonetheless, researchers warn attackers are likely to develop specialised modules to target such AI-powered configurations directly.

Simultaneously, over 300 malicious "skills" (plugins) were discovered on the official ClawHub registry, many designed to install "Atomic Stealer" (AMOS) malware directly onto the user's system.

The incident reflects a shift in malware targeting from conventional user credentials (e.g., browser, email) toward AI agent data, which is increasingly valuable as agents manage workflows, calendars, messages, and personal context.

Why it happened

OpenClaw stores sensitive tokens and keys in local configuration files in plaintext or weakly protected formats, creating potentially high-value targets for malware designed to harvest secrets from automated systems.

OpenClaw’s ecosystem includes third-party extensions and community-submitted “skills” with limited vetting. Previous audits found high rates of malicious or vulnerable plugins, showing systemic supply chain risks.

Infostealer families traditionally focused on passwords and crypto wallets. The shift toward AI agent environments reflects criminal adaptation to new high-value data sources as AI systems become more embedded in personal and professional workflows.

Rapid development and lax review processes in OpenClaw’s ecosystem have contributed to insufficient threat modeling and security auditing, allowing harmful modules and malware to proliferate.