On February 13, 2026, Hudson Rock detected something that was probably inevitable. A Vidar infostealer sample had swept an infected machine's .openclaw/ directory and exfiltrated everything inside it. Gateway tokens. Private cryptographic keys. And the files that make your OpenClaw agent yours: SOUL.md, MEMORY.md, AGENTS.md.
This is the first confirmed case of an infostealer grabbing OpenClaw AI agent identity files in the wild.
What Got Stolen
The malware wasn't specifically targeting OpenClaw. Vidar is a generic credential stealer that grabs browser passwords, cookies, crypto wallets, and anything else that looks interesting on disk. The .openclaw/ directory just happened to be in the blast radius.
Here's what the attacker walked away with:
openclaw.json contained the gateway authentication token and the victim's email. device.json held both private and public cryptographic keys. And then the memory files: SOUL.md (the agent's personality and instructions), MEMORY.md (daily activity logs, personal context), and AGENTS.md (agent configuration).
Hudson Rock's CTO Alon Gal called the stolen data "a mirror of the victim's life and a set of keys to their local machine." That's not hyperbole. An attacker holding these files can impersonate the device on the gateway, access private communications, and read through what is essentially a diary of the victim's daily AI interactions.
It's Getting Worse
Vidar was first. But RedLine and Lumma have since updated their FileGrabber modules to target .clawdbot directories too. No CVE was assigned because this isn't a software vulnerability. It's malware doing what malware does, just with a new target.
The pattern is familiar if you've watched the crypto space. Wallet files became infostealer targets the moment they held value. OpenClaw config files are next because they hold something arguably more personal: your AI agent's memory and identity.
Why Managed Hosting Changes the Equation
Here's the part that matters if you run OpenClaw through ClawHosters. Your .openclaw/ directory, your gateway tokens, your private keys, your memory files: none of that sits on your laptop. It lives on an isolated VPS that an infostealer on your personal machine can't reach.
Self-hosted OpenClaw stores everything locally. One infected machine, one careless download, and an infostealer has your agent's entire identity. With managed hosting, there's nothing to steal from your device because the sensitive files aren't there.
If you're self-hosting and concerned, rotate your gateway tokens and API credentials immediately. Our security hardening guide walks through the full audit process. And our Safety Scanner can flag exposed configuration issues you might have missed.
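To scope what needs rotating on a self-hosted machine, the sketch below inventories the files named in this article under a given directory and reports their permission bits. It is an added example, not OpenClaw or ClawHosters code; the audit() helper, its field names, and the choice to mark device.json for rotation alongside openclaw.json are assumptions of the example.

```python
import stat
import tempfile
from pathlib import Path

# What each file holds, as described in the article above.
SENSITIVE = {
    "openclaw.json": "gateway authentication token, email",
    "device.json": "private and public cryptographic keys",
    "SOUL.md": "agent personality and instructions",
    "MEMORY.md": "daily activity logs, personal context",
    "AGENTS.md": "agent configuration",
}
# Assumption of this example: files holding secrets that can be reissued.
ROTATE = {"openclaw.json", "device.json"}


def audit(root):
    """Return one finding per article-named file found under root."""
    root = Path(root)
    findings = []
    if not root.is_dir():
        return findings
    for path in sorted(root.rglob("*")):
        # Skip symlinked files and anything that is not a regular file.
        if path.is_symlink() or not path.is_file():
            continue
        if path.name not in SENSITIVE:
            continue
        mode = stat.S_IMODE(path.stat().st_mode)
        findings.append({
            "path": path.relative_to(root).as_posix(),
            "holds": SENSITIVE[path.name],
            "mode": oct(mode),
            # Hygiene only: malware running as the owner reads 0600 files too.
            "group_or_other_readable": bool(mode & (stat.S_IRGRP | stat.S_IROTH)),
            "rotate": path.name in ROTATE,
        })
    return findings


if __name__ == "__main__":
    # Constructed sample directory; point audit() at ~/.openclaw on a real host.
    with tempfile.TemporaryDirectory() as tmp:
        for name, mode in (("openclaw.json", 0o644), ("device.json", 0o600), ("MEMORY.md", 0o600)):
            p = Path(tmp, name)
            p.write_text("{}")
            p.chmod(mode)
        for finding in audit(tmp):
            print(finding)
```

Every file it lists was readable by anything running under the same account, so the output is the list of what to treat as exposed, whatever the permission bits say.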