OpenClaw AI agent tricked into phishing attacks and user data compromised

Varonis OpenClaw Agent “Pinchy” Fallen for Identity-Based Phishing Despite Strict Configuration
The models blocked malicious links/OAuth apps, but granted confidential access when requests seemed urgent.
Researchers say AI agents need mandatory identity verification before acting

Security researchers tested an OpenClaw email agent to see if it’s naïve enough to fall for the same phishing scams that regular employees fall for, and they succeeded. Or failed, depending on how you look at it.

Cybersecurity researchers Varonis created an OpenClaw agent called Pinchy and connected it to a Gmail inbox, browser tools, and Google Workspace API. They populated the account with fake internal company data, AWS credentials, database credentials, CRM exports, internal communications, and Calendar invitations, and then told Pinchy to monitor and process incoming emails.

To simulate real-life scenarios as believably as possible, they created two settings: a generic one with standard productivity instructions and a strict mode that should take into account phishing and other email scams.

Where AI failed and where it worked well

When the attacker posed as a team leader and asked for access to the test environment, Pinchy granted it. When the attacker requested a client export, claiming to be working remotely on a presentation, Pinchy agreed.

However, when they sent the agent an email containing a fake gift card with a phishing link, he identified the page as malicious and blocked it. Additionally, when they attempted to smuggle a malicious Google OAuth app as a timesheet platform, Pinchy did the right thing and did not grant access.

“Both the generic and strict profiles failed because the verification step still collapsed when the request seemed operationally urgent,” Varonis said of the first attack scenario.

The bottom line is that AI is good at detecting suspicious URLs and malicious OAuth applications, but fails when you need identity verification or broader context.

Varonis also threw some shade at Google, saying that Gemini showed “greater willingness to interact,” while GPT was more careful. Investigators said agents should be forced to verify sender identities before proceeding.