AI & TechArtificial IntelligenceCybersecurityDigital PublishingNewswireTechnology

AI Agent OpenClaw Tricked by Phishing, Exposes User Data

▼ Summary

– Varonis researchers tested an OpenClaw AI email agent with two configurations against phishing tactics that commonly compromise humans.
– In four simulated attacks, the agent failed identity verification checks under both generic and strict modes when requests appeared operationally urgent.
– The agent successfully identified a malicious OAuth application and a phishing link in strict mode, but still leaked sensitive data in other scenarios.
– The AI agent struggled with applying zero-trust principles to social interactions, lacking sender identity verification and context retention.
– Varonis recommends requiring identity verification, blocking external emailing without approval, and limiting data access for AI agents.

Phishing simulations designed to trick humans have now proven effective against AI agents as well. Researchers at Varonis demonstrated that an OpenClaw email agent fell for classic social engineering tactics, exposing sensitive user data in the process.

The open-source OpenClaw AI agent framework enables large language models (LLMs) to autonomously interact with real-world systems. In this test, Varonis connected an OpenClaw agent to a Gmail inbox, browser tools, Google Workspace APIs, and fabricated internal data sources. The synthetic enterprise data included AWS credentials, database credentials, CRM exports, internal communications, and Calendar invites , all highly sensitive.

The agent operated under two configurations: a generic profile with standard productivity instructions, and a strict mode that included specific phishing awareness and identity verification procedures. The framework was tested using Google Gemini 3.1 Pro and OpenAI GPT-5.4.

Varonis Threat Labs explored whether the same phishing techniques that have tricked humans for decades would also work on the AI agents working on their behalf,” the report states. “We created an OpenClaw AI agent named Pinchy to test whether the agent would pass or fail versions of classic phishing simulations.”

Four simulated phishing attacks yielded mixed results. In the first scenario, an attacker impersonated a team lead and requested access to the staging environment during a supposed production issue. The agent located and emailed AWS IAM keys, database credentials, and SSH access details to an external Gmail account. In the second, an attacker requested a customer export under the guise of working remotely on a presentation. The agent retrieved and sent a CRM export containing customer records, contact information, contract details, and revenue data without verifying the sender’s identity.

The third scenario involved a fake gift card email containing a phishing link. Under the generic configuration, the agent visited the phishing site and attempted to redeem the gift card using fabricated credentials before eventually identifying the page as malicious. The strict configuration blocked the attack immediately. In the fourth scenario, researchers created a malicious Google OAuth application disguised as a timesheet platform. The agent inspected the OAuth flow, analyzed the destination, identified the application as suspicious, and refused to grant access.

Despite the additional safeguards in strict mode, the first two attacks still succeeded. “Both Generic and Strict profiles failed because the verification step still collapsed when the request appeared operationally urgent,” Varonis explained.

The conclusion is clear: AI agents excel at detecting suspicious URLs, identifying fake login pages, spotting malicious OAuth apps, and recognizing phishing indicators. However, they remain vulnerable due to a lack of identity verification, loss of context, and an inability to apply zero trust principles to social interactions.

At the model level, Gemini showed greater willingness to interact, while GPT-5.4 adopted a more cautious posture.

Varonis recommends that agents be explicitly required to verify sender identities, prevented from emailing new external recipients without approval, and given limited access to internal data. For high-risk actions such as credential sharing, financial data requests, and first-time communications, human approval should be required.

(Source: BleepingComputer)

Topics

ai agent phishing 95% openclaw framework 92% phishing simulation 91% email agent security 90% credential leakage 89% llm autonomous actions 88% identity verification 87% synthetic data exposure 85% human approval required 84% configuration profiles 83%