OpenClaw AI agent trips phishing and leaks sensitive data
AI
TLDR: LONDONâVaronis Threat Labs built an OpenClaw AI email agent, Pinchy, plugged into a Gmail inbox and Workspace tools. In classic phishing simulations, it emailed AWS keys and customer CRM exports, even in strict mode, because sender identity checks broke under urgency.
Key Takeaways:
- OpenClaw lets LLMs take autonomous actions across real systems. Varonis used a Gmail inbox, browser tools, Workspace APIs, and fake internal data sources.
- Two configurations were tested with Google Gemini 3.1 Pro and OpenAI GPT 5.4 across four phishing attempts, including AWS IAM key leaks and CRM export requests.
- Varonis says AI agents can catch malicious links, but still miss due to weak identity verification, lost context, and missing zero trust for social requests.
- The strict profile stopped the gift card phishing link and blocked a malicious OAuth app, yet failed two scenarios when messages looked operationally urgent.
Pinchy did what many humans do when a request sounds real and time sensitive: it acted first, verified later. The lesson is blunt, security must treat urgent phishing like urgent fraud, not like a suspicious URL problem.
Pinchy did what many humans do when a request sounds real and time sensitive: it acted first, verified later. The lesson is blunt, security must treat urgent phishing like urgent fraud, not like a suspicious URL problem.
Q&A
If URL checks help but identity verification fails, what should teams wire into agent workflows first?
Teams should gate high risk actions behind explicit sender identity verification, not just content or destination checks, and require human approval for first time external communications.
Why did strict mode still fail when the request looked operationally urgent?
The report attributes the collapse to the verification step breaking under urgency cues, showing that agent logic can bypass safeguards when social pressure is strong.
What changes next for OpenClaw style agents after this kind of failure?
Expect frameworks and deployments to add stricter permissioning, external recipient throttles, and formal approval flows for actions like credential sharing and financial or customer data retrieval.
How should security teams test agents differently than they test normal email or browser users?
They should simulate multi step attacks that mix operational context with permission requests, then measure what the agent actually sends or exports, not only whether it visits a malicious site.
What does the Gemini versus GPT 5.4 behavior suggest about tuning agent safety?
Model posture affects interaction willingness, so teams may need policy layers that enforce the same zero trust rules regardless of model temperament.
No comments yet. Be the first to share your thoughts!