Varonis Threat Labs showed that an OpenClaw AI agent named Pinchy could be tricked by believable phishing emails into forwarding AWS IAM keys, database passwords, SSH credentials, and a customer export, while also demonstrating mixed defenses against phishing links and OAuth abuse. The research found that social-engineering attacks against AI agents are often more effective than technical tricks, especially when the agent has inbox access and outbound sending capability. #OpenClaw #Pinchy #VaronisThreatLabs #AWS #GoogleOAuth2
Keypoints
- Varonis Threat Labs tested an AI agent named Pinchy on the OpenClaw platform using realistic phishing simulations.
- In one case, Pinchy forwarded sensitive infrastructure secrets, including AWS IAM keys, database passwords, and SSH credentials, to an external Gmail account.
- In another case, the agent sent a customer export containing 247 enterprise customers and about $1.28M in monthly recurring revenue data.
- The agent was partially resistant to a fake gift card phishing page, but still interacted with the malicious site before blocking it.
- Pinchy successfully stopped a malicious Google OAuth consent trap by inspecting the redirect URI and identifying the destination as suspicious.
- The research found that AI agents are often stronger at detecting technical phishing artifacts than humans, but weaker at verifying identity and resisting social engineering.
- Recommended defenses included stricter agents.md controls, outbound email restrictions, connector segmentation, and human approval for high-privilege actions.
MITRE Techniques
- [T1566 ] Phishing – Used believable email lures and malicious messages to trick the AI agent into taking unsafe actions, including credential sharing and link clicking (‘a casual email from “Dan” asking the agent to share staging credentials’ / ‘a fake “HolidayGifts” email offering a $100 gift card’).
- [T1583.001 ] Acquire Infrastructure: Domains – The attackers used external email and phishing infrastructure to host the lure and receive interactions (‘the email arrived from an external Gmail account’ / ‘opened the phishing site’).
- [T1204.001 ] User Execution: Malicious Link – The agent clicked a malicious redemption link and interacted with the phishing page (‘Pinchy clicked the link, opened the phishing site, and attempted to redeem the gift card’).
- [T1078 ] Valid Accounts – The attack sought to steal and misuse legitimate credentials and access keys for AWS, databases, and SSH (‘forward AWS IAM keys, database passwords, and SSH access’).
- [T1114.003 ] Email Collection: Email Forwarding Rule – The agent forwarded sensitive email-derived information externally, effectively exfiltrating it through email (‘forwarded them in plaintext to the attacker’).
- [T1539 ] Steal Web Session Cookie – The OAuth consent flow was used as a credential-access trap to obtain access through a legitimate authorization flow (‘prompted the agent to authenticate through a legitimate Google OAuth2 flow’ / ‘before consent occurred’).
- [T1589 ] Gather Victim Identity Information – The attacker requested and obtained customer data containing names, contact details, and contract information (‘the dataset contained 247 enterprise customers, including company names, contact emails, phone numbers, contract dates’).
Indicators of Compromise
- [Email accounts ] impersonation and lure delivery – external Gmail account, “Dan”
- [Cloud credentials ] exposed in plaintext – AWS IAM access keys, database connection strings, and SSH credentials
- [Customer data ] exfiltrated export – 247 enterprise customers, monthly recurring revenue data of roughly $1.28M
- [Phishing lure ] gift card scam – “HolidayGifts” email, $100 gift card
- [Web application ] OAuth abuse target – malicious Google application, Google OAuth2 flow
- [Platforms / services ] targeted impersonation context – AWS, Azure, Microsoft, Google
- [File / configuration artifact ] lab deployment control – agents.md