Infostealer malware steals OpenClaw AI assistant data
Occurred: February 2026
Page published: February 2026
AI assistant platform OpenClaw has been compromised by malware known as an "infostealer", leading to the removal of critical configuration, identity, cryptographic keys and memory data from OpenClaw AI assistant installations, thereby exposing users' private information and enabling impersonation.
Cybersecurity researchers reported a live incident in which infostealer malware stole a victim's OpenClaw AI assistant configuration and identity files, including tokens, cryptographic keys, and contextual memory logs.
These files can contain sensitive authentication tokens, device pairing keys, user identifiers, and the AI assistant's behavioural definition - effectively the "digital identity" and operational context of the AI agent.
The malware was not custom-built for OpenClaw initially but captured the AI's data because it operated broadly across file systems. Nonetheless, researchers warn attackers are likely to develop specialised modules to target such AI-powered configurations directly.
Simultaneously, over 300 malicious "skills" (plugins) were discovered on the official ClawHub registry, many designed to install "Atomic Stealer" (AMOS) malware directly onto the user's system.
The incident reflects a shift in malware targeting from conventional user credentials (e.g., browser, email) toward AI agent data, which is increasingly valuable as agents manage workflows, calendars, messages, and personal context.
OpenClaw stores sensitive tokens and keys in local configuration files in plaintext or weakly protected formats, creating potentially high-value targets for malware designed to harvest secrets from automated systems.
OpenClaw's ecosystem includes third-party extensions and community-submitted "skills" with limited vetting. Previous audits found high rates of malicious or vulnerable plugins, showing systemic supply chain risks.
Infostealer families traditionally focused on passwords and crypto wallets. The shift toward AI agent environments reflects criminal adaptation to new high-value data sources as AI systems become more embedded in personal and professional workflows.
Rapid development and lax review processes in OpenClaw's ecosystem have contributed to insufficient threat modeling and security auditing, allowing harmful modules and malware to proliferate.
For OpenClaw users: The incident demonstrates that local AI is not inherently "private" if the underlying data is unencrypted and the agent is over-privileged.
For organisations letting OpenClaw interface with corporate systems: This creates a new class of supply-chain-like risk: compromising an AI agent can expose internal data, credentials, and workflows in one shot. The incident signals a shift in the malware ecosystem: infostealer developers are expected to add dedicated modules to parse AI-assistant files (similar to Chrome or Telegram logins today), accelerating the weaponisation of compromised AI agents and making AI-specific security standards and audits more urgent.
For policymakers and regulators: AI agents must be treated as high-value identity and data hubs, not mere "productivity tools," and may need to extend existing rules on secrets management, logging, and breach notification to cover AI configuration and memory stores specifically.
OpenClaw
Developer: Peter Steinberger
Country:
Sector: Multiple
Purpose: Personal assistant
Technology: Agentic AI
Issue: Confidentiality; Privacy/surveillance; Security
November 2025. OpenClaw (formerly Clawdbot) debuts and goes viral due to its autonomous "agentic" capabilities.
January 2026. Researchers at Giskard and Token Security warn of widespread misconfigurations and "excessive agency" in OpenClaw deployments.
February 16, 2026. Hudson Rock discloses that Vidar infostealer malware is actively harvesting OpenClaw "soul" and configuration files.
February 17, 2026. The Dutch DPA issues a formal warning against using OpenClaw on devices with sensitive data, labeling it a "Trojan horse."
AIAAIC Repository ID: AIAAIC2207