Hackers steal AI agents "souls" in infostealer attack on OpenClaw configurations

"This finding marks a significant milestone: the transition from stealing browser credentials to harvesting the identities of AI agents."

Security researchers have claimed that infostealers are now capable of harvesting the identities of AI agents.

Hudson Rock has published details of an incident in which a malware infection resulted in the exfiltration of a victim's OpenClaw configuration files and workspace.

OpenClaw is an open-source AI agent framework that helps developers deploy and orchestrate agentic workflows. Stealing the config details means attackers can replicate, hijack or abuse the agent’s connected tools and credentials.

The agentic revolution is very much in its early stages, meaning the risk is relatively small right now. But in future, organisations and individuals that deploy armies of agents will effectively create for themselves an ever-expanding attack surface of unparalleled size.

Hudson Rock wrote: "This finding marks a significant milestone in the evolution of infostealer behaviour: the transition from stealing browser credentials to harvesting the 'souls' and identities of personal AI agents."

Hudson Rock said the OpenClaw data wasn’t stolen via a bespoke “OpenClaw module” built into the malware.

Instead, the infostealer used a broad file-grabbing routine — the kind designed to sweep up anything that looks sensitive based on file extensions and directory names, including folders like .openclaw.

By stealing a workspace wholesale, an attacker can do more than just steal credentials - potentially capturing the configuration, secrets, and context needed to recreate or abuse an AI agent.

Agents of change: New threats from old malware

This case may be a sign of things to come. As agent frameworks become more embedded in professional workflows, infostealer developers are likely to add dedicated tooling to identify, parse and exploit agent files in the same way they already target browser profiles, messaging apps and crypto wallets.

Here is what was stolen:

1) openclaw.json

Hudson Rock said the attacker recovered the victim’s email address, a workspace path, and a high-entropy gateway token. Depending on how the environment is exposed, that token could potentially be used to authenticate to the victim’s OpenClaw instance or impersonate the client.

In practical terms, this is closer to pinching a developer’s SSH keys and cloud credentials than "stealing an AI".

2) device.json

More seriously, Hudson Rock said the payload included the device’s private key — the kind of material that should never leave a machine. If abused, it could allow an attacker to sign requests as the victim’s device and potentially bypass trust controls.

3) soul.md (plus memory files)

The attackers also captured files that define the agent’s behaviour and store persistent context, including soul.md, AGENTS.md, and MEMORY.md.

Despite the name, “soul.md” isn’t metaphysical. It’s a plain-text context file that can include the agent’s behavioural rules, operating assumptions and working memory.

In practice, this can reveal how the agent is instructed to act and what it knows about the user’s work, habits and routines.

That means that, in the wrong hands, the data it contains is sufficient to recreate the agent's identity and decision-making style.
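A defender-side check for the three files described above, written for this article and not taken from Hudson Rock or the OpenClaw project: it walks a workspace, reports any sensitive file readable by other local users, and flags JSON files that hold a long, high-entropy string such as a gateway token or private key in plaintext. The file names follow the article; the JSON key names are assumptions, which is why the scan keys off value shape rather than field names. A file-mode check does not stop an infostealer running as the victim user, so the useful output is the inventory of where plaintext secrets live and need moving into a keychain or secret store.

```python
# Added example, not Hudson Rock's or OpenClaw's code. File names follow the
# article; JSON key names are assumptions, so the scan keys off value shape.
import json
import math
from pathlib import Path

SENSITIVE_FILES = {"openclaw.json", "device.json", "soul.md", "AGENTS.md", "MEMORY.md"}

def shannon_entropy(s: str) -> float:
    """Bits per character; random tokens score well above natural text."""
    if not s:
        return 0.0
    counts = {c: s.count(c) for c in set(s)}
    return -sum(n / len(s) * math.log2(n / len(s)) for n in counts.values())

def is_token_like(value) -> bool:
    """Flag long, high-entropy strings such as gateway tokens or private keys."""
    return isinstance(value, str) and len(value) >= 20 and shannon_entropy(value) > 3.5

def flat_values(obj):
    """Yield every scalar in a nested JSON document, whatever the key names."""
    if isinstance(obj, dict):
        for v in obj.values():
            yield from flat_values(v)
    elif isinstance(obj, list):
        for v in obj:
            yield from flat_values(v)
    else:
        yield obj

def audit_workspace(root: Path) -> list[str]:
    """Return findings: sensitive files readable by other users, and JSON
    files holding a plaintext high-entropy secret (token or key material)."""
    findings = []
    for path in root.rglob("*"):
        if not path.is_file() or path.name not in SENSITIVE_FILES:
            continue
        mode = path.stat().st_mode & 0o777
        if mode & 0o077:  # group/other bits set: any local user or process can read it
            findings.append(f"{path.name}: readable by other users (mode {oct(mode)})")
        if path.suffix == ".json":
            try:
                doc = json.loads(path.read_text())
            except ValueError:
                continue
            if any(is_token_like(v) for v in flat_values(doc)):
                findings.append(f"{path.name}: contains a plaintext high-entropy secret")
    return findings
```

Run it against a real install with `audit_workspace(Path.home() / ".openclaw")`; an empty list means no world-readable agent files and no token-shaped strings sitting in the JSON configs.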

Hudson Rock wrote: "This case is a stark reminder that infostealers are no longer just looking for your bank login. They are looking for your context.

"By stealing OpenClaw files, an attacker does not just get a password; they get a mirror of the victim’s life, a set of cryptographic keys to their local machine, and a session token to their most advanced AI models.

"As AI agents move from experimental toys to daily essentials, the incentive for malware authors to build specialised 'AI-stealer' modules will only grow."

Addressing agentic security concerns

In the video above, OpenClaw founder Steinberger discusses his work to make OpenClaw secure - revealing that every agent "skill" is carefully checked by AI.

At the same time, the "whole security world" is hard at work, taking the project apart, he pointed out.

"It's good because I’m getting a lot of free security research and can make the project better," Steinberger said.

"I wish more people would actually go the full way and send a pull request and actually help me fix it."

The OpenClaw founder said he ended up hiring one security researcher who had been at work since "the beginning", pointing out problems and making pull requests.

Steinberger did admit the threat of prompt injection was "unsolved", but insisted that the latest generation of models has gone through a "lot of post-training to detect those approaches", so they are becoming more robust.

One obvious choice users can make is to deploy a smart and advanced model, which should help to mitigate the risk.

"I warn in my security documentation: don’t use cheap models," Steinberger advised.

"If you use a very weak local model, they are very gullible. It’s very easy to prompt them."

Steinberger spoke out against AI security alarmism which paints the situation "in a worse light" than is strictly true.

He added: "People love attention, and if they scream loudly: 'Oh my God, this is like the scariest project ever.' That’s a bit annoying, because it’s not.

"It is powerful, but in many ways it’s not much different than if I run cloud code with dangerously skipped permissions or Codex in YOLO mode."

He offered this advice to people looking to unleash their own agent(s): "Make sure that you are the only person who talks to it and the risk profile is much, much smaller.

"If you don't put everything on the open internet, but stick to my recommendations of like having it in a private network, that whole risk profile falls away."

The incident is a reminder that AI agents are becoming a new class of credential container. As more teams run agents locally, infostealers don’t need specialised tooling to do their job - they just need to grab the right folders.