OpenClaw AI agent tricked into phishing attacks, with user data compromised

News
By published

AI agents are as naive as people, report reveals

A robot standing thoughtfully in front of a giant digital display with code on it
(Image credit: Getty Images)
  • Varonis’ “Pinchy” OpenClaw agent fell for identity‑based phishing despite strict settings
  • Models blocked malicious links/OAuth apps but granted sensitive access when requests felt urgent
  • Researchers say AI agents need enforced identity verification before acting

Security researchers tested an OpenClaw email agent to see if it’s naive enough to fall for the same phishing scams regular employees fall for and it succeeded. Or failed, depending on how you look at it.

Cybersecurity researchers Varonis created an OpenClaw agent dubbed Pinchy, and connected it to a Gmail inbox, browser tools, and Google Workspace APIs. They populated the account with fake internal company data, AWS credentials, database credentials, CRM exports, internal communications, and Calendar invites, and then told Pinchy to monitor and process incoming emails.

To simulate real-life scenarios as credibly as possible, they created two configurations: a generic one with standard productivity instructions, and a strict mode that should be aware of phishing and other email-borne scams.

Latest Videos From

Varonis tested two models: Gemini 3.1 Pro, and GPT-5.4, and the results seem to be a mixed bag.

Where the AI failed, and where it did good

When the attacker impersonated a team lead and asked for access to the staging environment, Pinchy granted it. When the attacker requested a customer export, claiming to work remotely on a presentation, Pinchy complied.

However, when they sent the agent a fake gift card email with a phishing link, it identified the page as malicious and blocked it. Also, when they tried to smuggle a malicious Google OAuth application as a timesheet platform Pinchy did the right thing and did not grant access.

“Both Generic and Strict profiles failed because the verification step still collapsed when the request appeared operationally urgent,” Varonis said about the first attack scenario.

The conclusion is that AI is good at spotting shady URLs and malicious OAuth apps, but fails when it needs identity verification, or wider context.

Varonis also threw a little shade Google’s way, saying Gemini showed “greater willingness to interact”, while GPT was more careful. The researchers said agents should be forced to verify sender identities before proceeding.

Best antivirus software header
The best antivirus for all budgets

➡️ Read our full guide to the best antivirus
1. Best overall:
Bitdefender Total Security
2. Best for families:
Norton 360 with LifeLock
3. Best for mobile:
McAfee Mobile Security

Google logo on a black background next to text reading 'Click to follow TechRadar'

Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds.

TOPICS
Sead Fadilpašić

Sead is a seasoned freelance journalist based in Sarajevo, Bosnia and Herzegovina. He writes about IT (cloud, IoT, 5G, VPN) and cybersecurity (ransomware, data breaches, laws and regulations). In his career, spanning more than a decade, he’s written for numerous media outlets, including Al Jazeera Balkans. He’s also held several modules on content writing for Represent Communications.

You must confirm your public display name before commenting

Please logout and then login again, you will then be prompted to enter your display name.