The rapid rise of OpenClaw, a locally running agentic AI assistant, has introduced a new class of security risk: malware that targets the assistant itself. Because the framework stores persistent memory, configuration data, and authentication material on the user’s device, it effectively becomes a vault of API keys, tokens, private keys, and sensitive personal context. Security researchers have now observed infostealing malware exfiltrating these files (openclaw.json, device.json, and soul.md) in real-world infections, marking a move from traditional credential theft techniques toward hijacking the inherent identities and capabilities of autonomous agents.[1]

[Figure: Directory structure on infected machine showing exfiltrated OpenClaw configuration files (Source: Hudson Rock)]

In this first in-the-wild instance, the malware did not exploit a vulnerability in the assistant. Instead, it used broad file-harvesting techniques that scan systems for keywords such as “token” and “private key”. This approach allows attackers to capture critical configuration files, including those that enable remote connections, device impersonation, and access to encrypted logs or cloud services. The stolen data could permit full takeover of the agent’s functions, effectively granting bad actors the same authority the assistant holds across email, apps, and online platforms.
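As an added illustration (not code from OpenClaw, Hudson Rock, SentinelOne or Red Sky Alliance), the following Python script takes the defender's side of the harvesting described above: it locates the three artefact names the article lists, checks whether each is readable by other local users, and reports only the names of secret-bearing fields, never their values. The install directory (`.openclaw`), the JSON layout of the two config files, and the sample contents are assumptions constructed for the demonstration; the real locations and schemas are not given in the article.

```python
"""Defensive audit of OpenClaw agent artefacts on a host.

Added example, not code from OpenClaw or any vendor named in the article.
Assumptions: the artefacts live somewhere under a directory the caller
names; openclaw.json and device.json are JSON; soul.md is Markdown.
"""
import json
import os
import stat
import tempfile
from pathlib import Path

# File names taken from the article; the directory they live in is an assumption.
AGENT_ARTIFACTS = {"openclaw.json", "device.json", "soul.md"}

# Key-name fragments of the kind a file-harvesting stealer greps for.
SECRET_HINTS = ("token", "private key", "private_key", "api_key", "apikey", "secret")


def find_artifacts(root):
    """Walk `root` and return the paths of OpenClaw artefacts found."""
    root = Path(root)
    return sorted(p for p in root.rglob("*") if p.is_file() and p.name in AGENT_ARTIFACTS)


def _secret_keys_in_json(obj, prefix=""):
    """Recursively collect JSON key paths whose names look like secrets (names only)."""
    found = []
    if isinstance(obj, dict):
        for key, value in obj.items():
            path = f"{prefix}.{key}" if prefix else key
            if any(hint in key.lower() for hint in SECRET_HINTS):
                found.append(path)
            found.extend(_secret_keys_in_json(value, path))
    elif isinstance(obj, list):
        for i, value in enumerate(obj):
            found.extend(_secret_keys_in_json(value, f"{prefix}[{i}]"))
    return found


def audit_file(path):
    """Return a finding: loose permissions plus the names (never values) of secret-like fields."""
    path = Path(path)
    mode = path.stat().st_mode
    loose = bool(mode & (stat.S_IRGRP | stat.S_IROTH))  # group- or world-readable
    text = path.read_text(encoding="utf-8", errors="replace")
    if path.suffix == ".json":
        try:
            fields = _secret_keys_in_json(json.loads(text))
        except json.JSONDecodeError:
            fields = ["<unparseable json>"]
    else:
        # Markdown memory file: report which hint words occur, not the surrounding text.
        lowered = text.lower()
        fields = [hint for hint in SECRET_HINTS if hint in lowered]
    return {
        "name": path.name,
        "path": str(path),
        "group_or_world_readable": loose,
        "secret_fields": fields,
        "at_risk": loose and bool(fields),
    }


def audit_tree(root):
    """Audit every artefact under `root`."""
    return [audit_file(p) for p in find_artifacts(root)]


def build_sample_tree(base):
    """Create a constructed sample layout for the demo (not real OpenClaw data)."""
    agent = Path(base) / ".openclaw"  # assumed directory name, not from the article
    agent.mkdir(parents=True, exist_ok=True)
    (agent / "openclaw.json").write_text(json.dumps({
        "provider": {"name": "example", "api_key": "REDACTED-SAMPLE"},
        "gateway": {"auth_token": "REDACTED-SAMPLE"},
    }))
    (agent / "device.json").write_text(json.dumps({"device_id": "sample-0001", "private_key": "REDACTED-SAMPLE"}))
    (agent / "soul.md").write_text("# Persona\nRemember my calendar token for scheduling.\n")
    (agent / "README.md").write_text("not an agent artefact\n")
    for name in AGENT_ARTIFACTS:
        os.chmod(agent / name, 0o644)  # deliberately loose so the audit flags them
    os.chmod(agent / "device.json", 0o600)  # one file locked down correctly
    return agent


def demo_audit():
    """Build the constructed tree in a temp dir, audit it, and return findings keyed by file name."""
    with tempfile.TemporaryDirectory() as tmp:
        build_sample_tree(tmp)
        return {f["name"]: f for f in audit_tree(tmp)}


if __name__ == "__main__":
    for name, finding in demo_audit().items():
        flag = "AT RISK" if finding["at_risk"] else "ok"
        print(f"{flag:7} {name}: loose_perms={finding['group_or_world_readable']} fields={finding['secret_fields']}")
```

Run it as-is to see the constructed tree audited; point `audit_tree()` at a real home directory to inventory which agent artefacts a local stealer running as another user could read. Files reported as AT RISK are the ones to restrict to owner-only (`0o600`) or move out of the harvested path; the report deliberately never echoes a field's value.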

Researchers warn that as agentic assistants become embedded in professional workflows, attackers will increasingly develop specialized tooling to parse these environments and weaponize them. Additional findings on this growing attack surface include exposed instances vulnerable to remote code execution (RCE) and supply chain risks in community “skill” repositories.

In response to these emerging risks, Prompt Security from SentinelOne has introduced ClawSec and OneClaw, designed specifically for the agentic era to provide deep visibility into autonomous agent behavior and harden them from within. These tools help organizations monitor, control, and secure personal AI assistants such as OpenClaw, Nanobot, and Picoclaw before compromised agents can be leveraged as trusted insiders.

This article is shared at no charge for educational and informational purposes only.

Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments or assistance, please contact the office directly at 1-844-492-7225, or feedback@redskyalliance.com

Weekly Cyber Intelligence Briefings:

REDSHORTS - Weekly Cyber Intelligence Briefings

https://register.gotowebinar.com/register/5207428251321676122

[1] https://www.sentinelone.com/blog/the-good-the-bad-and-the-ugly-in-cybersecurity-week-8-7/
