Researchers deceived an OpenClaw AI agent into revealing AWS keys and customer information through a phishing email.

      TL;DR: Varonis created an OpenClaw email agent that was phished, resulting in the leak of AWS keys and a CRM export for 247 customers. While it successfully identified malicious URLs, it failed on identity verification.

      Security researchers at Varonis developed an OpenClaw email agent and connected it to a Gmail account using fictitious company information, then executed a phishing attack. The agent, known as Pinchy, disclosed AWS credentials, database connection strings, and a customer export without confirming the requester's identity. This was achieved with just one impersonation email.

      The goal of the experiment was to examine whether AI agents can be deceived by the same social engineering tactics that often trick human employees. Pinchy was granted access to Gmail, browser tools, and Google Workspace APIs, and the inbox was populated with realistic but fake internal documents, including AWS IAM keys, SSH credentials, CRM exports, internal communications, and calendar invitations.

      Two configurations were tested: one with standard productivity settings and another strict mode aimed specifically at detecting phishing attempts. Both configurations were evaluated using Gemini 3.1 Pro and GPT-5.4.

      The results were mixed. When an attacker pretended to be a team lead named "Dan," claiming a production issue, Pinchy searched for staging credentials, found them, and forwarded them in plaintext. Additionally, when the attacker requested a customer export for a presentation they were working on remotely, Pinchy retrieved and sent a CRM file containing names, contact details, and $1.28 million in monthly recurring revenue for 247 enterprise customers.

      Both the generic and strict configurations faltered in these scenarios, with Varonis noting that "the verification step still collapsed when the request appeared operationally urgent."

      However, Pinchy effectively handled traditional technical phishing attempts. Researchers sent a fake gift card email with a phishing link, and the agent recognized the page as malicious and blocked access. In another scenario, when a malicious Google OAuth application masqueraded as a timesheet platform, Pinchy scrutinized the redirect URL and halted the authentication process.

      This highlights a clear pattern: AI agents excel at identifying dubious URLs and malicious OAuth applications, which carry technical signatures. However, they struggle with attacks that depend on identity verification and contextual reasoning, an area where humans also face challenges but that organizations rely on to guard against social engineering.

      Varonis also observed differences between the models: Gemini 3.1 Pro demonstrated a "greater willingness to interact" before becoming suspicious, while GPT-5.4 was more cautious and less likely to share sensitive information without confirmation. Nonetheless, neither model proved reliable enough to manage an inbox with actual credentials.

      The findings contribute to the growing evidence that AI agents connected to real systems create vulnerabilities that current security tools may not address. Varonis recommends that these agents should verify sender identities before taking action, be restricted from emailing new external recipients without human consent, and have limited access to internal data. Essentially, the same zero-trust principles applied to human employees should also govern AI agents.