OpenClaw AI agent found falling for phishing attacks, spills user data

Phishing simulation on an OpenClaw email agent with various configuration profiles showed that it was susceptible to tactics commonly used to compromise human users.

The OpenClaw open-source AI agent framework allows large language models (LLMs) to interact with real-world systems and perform actions autonomously. It can be used as an email agent for basic reasoning and operations.

Researchers at security firm Varonis created an OpenClaw agent and connected it to a Gmail inbox, browser tools, Google Workspace APIs, and fabricated internal company data sources, instructing it to monitor and process incoming emails.

The synthetic enterprise data included AWS credentials, database credentials, CRM exports, internal communications, and Calendar invites, all highly sensitive data.

The agent ran on two configurations: a generic one with standard productivity instructions, and a strict mode that included specific instructions for phishing awareness and identity verification procedures.

The framework was tested with two models, namely Google Gemini 3.1 Pro and OpenAI GPT-5.4.

“Varonis Threat Labs explored whether the same phishing techniques that have tricked humans for decades would also work on the AI agents working on their behalf,” reads the report.

“We created an OpenClaw AI agent named Pinchy to test whether the agent would pass or fail versions of classic phishing simulations.”

Simulated attack overview
Source: Varonis

The researchers conducted four simulated phishing attacks and obtained mixed results, as summarized below:

1. An attacker impersonated a team lead and requested access to the staging environment during a purported production issue. The agent located and emailed AWS IAM keys, database credentials, and SSH access details to an external Gmail account.
2. The attacker requested a customer export under the pretext of working remotely on a presentation. The agent retrieved and sent a CRM export containing customer records, contact information, contract details, and revenue data without verifying the sender's identity.
3. The agent received a fake gift card email containing a phishing link. Under the generic configuration, it visited the phishing site and attempted to redeem the gift card using fabricated credentials before eventually identifying the page as malicious. The strict configuration blocked the attack immediately.
4. Researchers created a malicious Google OAuth application disguised as a timesheet platform. The agent inspected the OAuth flow, analyzed the destination, identified the application as suspicious, and refused to grant access.

In the first two scenarios, the strict mode failed despite the additional safeguards, due to the framework’s failure to validate the sender’s identity, 

“Both Generic and Strict profiles failed because the verification step still collapsed when the request appeared operationally urgent,” explained Varonis about the first attack scenario.

The agent's response on scenario 2 exposing client data
Source: Varonis

Varonis’ conclusion is that AI agents are good at detecting suspicious URLs, identifying fake login pages, spotting malicious OAuth apps, and recognizing phishing indicators, but may still fail due to a lack of identity verification, loss of context, and inability to apply “zero trust” principles to social interactions.

At the model level, Gemini showed greater willingness to interact, while GPT-5.4 had a more cautious posture.

Varonis recommends that agents should be explicitly required to verify sender identities, be prevented from emailing new external recipients without approval, and have limited access to internal data.

For high-risk actions such as credential sharing, financial data requests, and first-time communications, human approval should be requested.