ClawHosters
by Daniel Samer
5 min read
On February 13, 2026, a Vidar infostealer variant grabbed openclaw.json, device.json, and memory files from a compromised machine. The full credential dump, including LLM API keys, was confirmed by Hudson Rock. Hudson Rock CTO Alon Gal put it bluntly: infostealer developers will probably release dedicated modules to decrypt and parse OpenClaw configs, "much like they do for Chrome or Telegram today."
Your OpenAI key sitting in a JSON file isn't a theoretical risk anymore. It's a target.
The Problem with Plaintext Configs
Most OpenClaw setups store API keys directly in openclaw.json. Open the file, and there's your Anthropic key, your OpenAI key, maybe a Telegram bot token. All in cleartext.
That was fine when OpenClaw was a niche project. But Kaspersky researchers found 42,900 exposed instances in the wild. 15,200 of those were vulnerable to remote code execution. And Koi Security identified 341 malicious skills on ClawHub, with 335 distributing the AMOS infostealer.
The attack surface grew faster than anyone expected. Plaintext config files were already a bad habit. Now they're actively dangerous.
Flashpoint's data makes the scale clear: 1.8 billion credentials stolen in the first half of 2025 alone. That's an 800% year-over-year increase. Infostealers aren't slowing down, and OpenClaw configs are now on the menu.
The Fix: OpenClaw Secrets CLI (v2026.2.26+)
OpenClaw v2026.2.26 shipped with a secrets management CLI that moves keys out of plaintext and into proper secret references. Four commands. That's it.
Step 1: Audit Your Current Config
openclaw secrets audit
This scans your config files and flags every plaintext token. Each key gets one of three labels: OK (already a secret reference), VULNERABLE (plaintext), or UNKNOWN (can't determine). You'll probably see a lot of red on first run.
Step 2: Choose a Secret Provider
openclaw secrets configure
You pick where secrets actually live. Three options:
Environment variables work for most people. Set OPENAI_API_KEY in your shell or .env file and OpenClaw reads it at runtime. Simplest starting point.
File-based storage points to a path on disk. Better for shared deployments where multiple services need the same credentials.
External commands run a shell command and capture stdout. This is how you connect to HashiCorp Vault, AWS Secrets Manager, or 1Password CLI. If you're already using a vault, this slots right in.
The GitHub discussion on provider design has more context on the architecture decisions.
Step 3: Migrate Your Keys
openclaw secrets apply --dry-run
Run the dry run first. It shows exactly what changes will happen without touching your config. When you're ready, drop the --dry-run flag. The tool replaces plaintext values with SecretRef pointers that resolve at runtime.
Step 4: Activate
openclaw secrets reload
This does an atomic swap. If all secrets resolve correctly, the new config goes live. If any reference fails, OpenClaw keeps the last-known-good configuration. You won't accidentally lock yourself out because a secret path has a typo.
What ClawHosters Customers Don't Have to Worry About
If you're running OpenClaw through ClawHosters, none of this applies to you. Managed instances encrypt credentials at rest and inject them into containers at runtime. There's no plaintext config file sitting on a disk somewhere.
Your API keys go into the dashboard, get encrypted, and never exist in a format an infostealer could grab. That's been the architecture from day one, not a retrofit.
For self-hosters who want to understand the full attack surface, our security hardening guide covers everything from Docker daemon config to firewall rules. And if you're still deciding between self-hosting and managed, our pricing page breaks down what each tier includes.
