OpenClaw: Info Stealers Take Your Soul

8 snips

Feb 18, 2026

A deep dive into info-stealer malware that lifted tokens, cryptographic keys, and a revealing soul.md file from OpenClaw devices. A hobbyist AI project accidentally exposed 7,000 robot vacuums worldwide, including live cameras and floor plans. Two Best Buy fraud cases show why Zero Trust needs behavioral and contextual checks. A supplier breach leaked hundreds of thousands of customer records, highlighting supply-chain risk.

Ask episode

AI Snips

Chapters

Transcript

Episode notes

INSIGHT

OpenClaw Breach Reveals Your Digital Mirror

An info-stealer swept an OpenClaw directory and grabbed tokens, a master key, device private keys, and the soul.md file.
That file provided a detailed 'mirror' of the user's life, enabling full device impersonation and deep privacy loss.

ADVICE

Limit Agent Access And Rotate Credentials

Take a hard look at what access you've granted your OpenClaw agent and limit sensitive permissions.
Remove unnecessary personal data from the agent and rotate keys and tokens if possible.

ANECDOTE

Hobbyist Accidentally Built A Vacuum Army

A hobbyist used an AI tool to reverse-engineer DJI Romo and accidentally accessed about 7,000 devices across 24 countries.
He could view live cameras, listen via microphones, and generate floor plans using a 14-digit serial number.

Get the Snipd Podcast app to discover more snips from this episode

Get the app

Info Stealers Target OpenClaw, a Robot Vacuum API Flaw Exposes Thousands, Best Buy Fraud Shows Zero Trust Context, and Canada Goose Data Leaked via Supplier

The episode covers multiple security incidents and lessons. Hudson Rock details how an info stealer malware infection can vacuum OpenClaw data, including authentication tokens, master keys, device private cryptographic keys, and the agent-defining soul.md file that can reveal a "mirror" of a user's life; the attack was not targeted, raising concerns about upcoming dedicated OpenClaw-stealing modules. A hobbyist coder using an AI coding tool to reverse-engineer DJI Romo communications unintentionally accessed roughly 7,000 robot vacuums in 24 countries, enabling live camera and microphone access and floor-plan generation due to missing messaging-level access controls; DJI also shares infrastructure with portable home battery stations and initially claimed the flaw was fixed before a live demonstration showed it was not. Two Best Buy cases illustrate that Zero Trust must consider behavior and context: a Florida employee allegedly used a manager override code 149 times from March–December 2024 to buy discounted electronics, costing about $120,000, while a Georgia case involved over $40,000 in merchandise leaving a store over two weeks amid claims of blackmail. Finally, ShinyHunters leaked about 600,000 Canada Goose customer records, but Canada Goose found no breach in its systems; the data was attributed to a third-party payment processor breach from August 2025, with records largely dating from 2021–2023, underscoring supply-chain risk and ongoing fraud/phishing potential. The episode is sponsored by Meter, which provides an integrated wired, wireless, and cellular networking stack for enterprises.

00:00 Sponsor: Meter + Today's Cybersecurity Headlines 00:44 Info-Stealer Jackpot: OpenClaw Tokens, Keys & 'soul.md' Exposed 03:17 DIY App, Real-World Disaster: 7,000 Robot Vacuums Exposed via DJI Servers 05:34 Best Buy Insider Fraud: Why Zero Trust Needs Behavior Monitoring 07:36 Canada Goose Leak: When a Third-Party Payment Processor Gets Breached 09:28 Wrap-Up + Sponsor Message (Meter)