Infostealer harvests OpenClaw AI agent tokens, crypto keys, and behavioral soul files

Hudson Rock discovered that Vidar infostealer malware successfully exfiltrated an OpenClaw user's complete agent configuration, including gateway authentication tokens, cryptographic keys for secure operations, and the agent's soul.md behavioral guidelines file. OpenClaw stores these sensitive files in predictable, unencrypted locations accessible to any local process. With stolen gateway tokens, attackers could remotely access exposed OpenClaw instances or impersonate authenticated clients making requests to the AI gateway. Researchers characterized this as marking the transition from stealing browser credentials to harvesting the identities of personal AI agents.

Incident Details

Severity: Facepalm
Company: OpenClaw
Perpetrator: AI agent platform
Incident Date:
Blast Radius: Any OpenClaw user infected with commodity infostealers has full agent identity compromised; gateway tokens enable remote impersonation; cryptographic keys and behavioral guidelines exposed

The Traditional Heist, Updated

Infostealer malware is commodity software. It's not sophisticated. It doesn't exploit zero-day vulnerabilities or use advanced persistent threat techniques. It runs on an infected machine, scans predictable file system locations for valuable data - browser cookies, saved passwords, cryptocurrency wallets, session tokens - packages everything up, and sends it to the attacker. The business model is volume: infect enough machines, steal enough credentials, sell the results in bulk on darknet markets. Vidar, the infostealer identified in this case, is one of several competing products in what amounts to a mature and competitive market for stolen data.

What made Hudson Rock's February 2026 discovery notable wasn't the malware. It was what the malware found to steal.

The OpenClaw File System

OpenClaw, the open-source AI agent platform, stores its configuration and operational data in a workspace directory on the user's local machine. This workspace contains several categories of sensitive files:

Gateway authentication tokens - the credentials that authenticate the OpenClaw client to cloud-based AI services and the OpenClaw gateway. With these tokens, anyone can make authenticated requests to the AI platforms the user has configured, impersonate the user's agent, or remotely access exposed OpenClaw instances.

Cryptographic keys - used for secure operations, including communication between the agent and various services. These keys combined with the gateway tokens provide essentially complete access to the user's AI agent infrastructure.

The soul.md file - a behavioral guidelines document that defines the AI agent's personality parameters, operating rules, and customized instructions. This file tells the agent how to behave, what to prioritize, and what constraints to follow. In other words, it's the agent's identity.

Contextual data - accumulated operational information that may include activity logs, internal notes, calendar entries, and other data the agent has processed or generated during use. This material can contain sensitive information about the user's work, communications, and daily operations.

All of these files are stored in predictable, unencrypted locations accessible to any local process. There are no encryption-at-rest protections, no access controls beyond standard file system permissions, and no runtime integrity checks. If you can read files on the machine, you can read everything OpenClaw stores.

What One Infection Reveals

Hudson Rock identified a live infection - not a proof of concept, not a lab demonstration, but an actual infostealer successfully exfiltrating an actual user's OpenClaw workspace. The Vidar malware scanned the local file system using the same basic technique it uses for everything else: look in known locations for known file types, grab them, send them out.

Hudson Rock characterized the implications in stark terms: "By stealing OpenClaw files, an attacker does not just get a password; they get a mirror of the victim's life, a set of cryptographic keys to their local machine, and a session token to their most advanced AI models."

This is a meaningful escalation over traditional credential theft. Stealing a user's browser password gives you access to one service. Stealing their OpenClaw configuration gives you the ability to operate as their AI agent - with the same permissions, the same access to external services, the same accumulated context about the user's work and life, and the same behavioral configuration that defines how the agent interacts with the world.

An attacker in possession of a stolen OpenClaw workspace could remotely access any exposed OpenClaw instances using the authentication tokens, impersonate an authenticated client making requests to the AI gateway, replay the agent's operational context to understand the victim's work patterns and sensitive information, and potentially recreate the agent's entire operational environment to continue using it indefinitely.

The Identity Theft of AI Agents

Hudson Rock framed this discovery as a milestone: "This finding marks a significant milestone in the evolution of infostealer behaviour: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents."

The language is deliberately dramatic, but the technical reality supports it. An AI agent configured with deep system access, personalized behavioral rules, authentication tokens for cloud services, and an accumulated working context represents a richer target than a saved password. The agent's identity - its configuration, its context, its access - is more valuable than any individual credential because it encompasses many credentials, plus the operational context that makes them useful.

As AI agents become more deeply integrated into daily work - managing email, scheduling meetings, accessing databases, writing documents, interacting with external services - the value of their configuration files grows proportionally. The soul.md file alone may reveal an organization's internal processes, priorities, and sensitive topics based on what the user instructed the agent to handle.

The Design Problem

The vulnerability here isn't a bug in OpenClaw. It's a design choice. Storing sensitive configuration, cryptographic material, and authentication tokens in unencrypted files in predictable locations is a decision that prioritizes ease of setup and portability over security. For an open-source tool that aims to be accessible to anyone, this makes some sense as a starting point. For a tool that people actually use with real credentials and real data, it's an open invitation to exactly the kind of theft Hudson Rock documented.

Encrypting configuration at rest, using OS-level credential stores (like macOS Keychain or Windows Credential Manager), implementing runtime integrity checks, or simply not storing gateway tokens in plaintext files would all reduce the attack surface. None of these mitigations are exotic or technically difficult. They're standard practice for any application that handles authentication credentials.
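
An added example (not OpenClaw or Hudson Rock code) of a defender-side audit for the exposure described above: it walks an agent workspace directory and reports files that other local accounts can read and files that hold secret material as plaintext. The workspace path, the `gateway.json` file name and the token patterns are assumptions; only `soul.md` is named in this article.

```python
import os
import re
import stat
import tempfile
from pathlib import Path

# Heuristic patterns for plaintext secrets (assumed, not OpenClaw's real formats).
SECRET_PATTERNS = {
    "PEM private key": re.compile(rb"-----BEGIN [A-Z ]*PRIVATE KEY-----"),
    "token-like string": re.compile(rb"[A-Za-z0-9_\-]{40,}"),
}


def audit_workspace(root):
    """Return sorted (relative_path, issue) findings for files under root."""
    findings = []
    for path in Path(root).rglob("*"):
        if path.is_symlink() or not path.is_file():
            continue
        rel = path.relative_to(root).as_posix()
        mode = path.stat().st_mode
        # POSIX only: group/other read bits expose the file to other accounts.
        if os.name == "posix" and mode & (stat.S_IRGRP | stat.S_IROTH):
            findings.append((rel, "readable by other local users"))
        data = path.read_bytes()[:1_000_000]  # cap the scan at 1 MB per file
        for label, pattern in SECRET_PATTERNS.items():
            if pattern.search(data):
                findings.append((rel, f"plaintext {label}"))
    return sorted(findings)


def demo():
    """Audit a constructed workspace; every value here is sample data."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        token_file = root / "gateway.json"  # hypothetical file name
        token_file.write_text('{"token": "' + "A1b2" * 12 + '"}')
        token_file.chmod(0o644)
        soul = root / "soul.md"
        soul.write_text("Be concise. Never share calendar details.\n")
        soul.chmod(0o600)
        return audit_workspace(root)


if __name__ == "__main__":
    for rel, issue in demo():
        print(f"{rel}: {issue}")
```

A clean permissions result does not protect against an infostealer running as the same user, which is why moving tokens and keys into an OS credential store matters more than tightening file modes.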

OpenClaw's lead developer, in a video discussion of the platform's security posture, noted that every agent "skill" is carefully checked by AI before it runs. But the threat here bypasses the skill system entirely. Infostealers don't interact with the AI agent. They don't exploit prompt injection or tool-use vulnerabilities. They read files from a directory. The sophistication ceiling is remarkably low.

The Market Expands

The significance of this incident extends beyond OpenClaw. As AI agents proliferate - each with their own configuration files, authentication tokens, behavioral rules, and accumulated context - the attack surface for commodity infostealer malware grows automatically. The malware doesn't need to be updated to understand AI agents specifically. It just needs to scan a few more directories.

In the infostealer marketplace, where stolen credentials are sold in bulk, OpenClaw configuration bundles represent a new category of premium inventory. A complete workspace - tokens, keys, soul file, context - is more than a credential dump. It's a skeleton key to someone's AI-mediated digital life, sold to whoever is buying.
