Varonis tested an OpenClaw AI email agent against phishing simulations and found that it could be tricked into exposing sensitive internal data, including AWS keys, database credentials, and CRM exports. While the agent could spot suspicious URLs and malicious OAuth apps, it still failed when urgent-sounding requests pushed it past identity verification and zero-trust thinking. #OpenClaw #Varonis #Gemini #GPT5.4 #Pinchy
Key points
- Varonis tested an OpenClaw AI email agent named Pinchy with phishing simulations.
- The agent was connected to Gmail, browser tools, Google Workspace APIs, and fake internal data sources.
- In one attack, it exposed AWS IAM keys, database credentials, and SSH details to an external account.
- The agent also leaked a CRM export containing customer and revenue data without verifying the sender.
- AI agents can detect suspicious links and OAuth apps, but still need stronger identity checks and human approval for risky actions.
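As an added defender-side example (not Varonis's or OpenClaw's code), a send gate of the kind the last point calls for: it scans the agent's outbound message for the data classes that leaked in the test, treats an external recipient or an unverified requester as a hard stop for human approval, and records urgency without letting it relax the policy. The mail domain, detector patterns, and field names are constructed assumptions.

```python
import re
from dataclasses import dataclass, field

# Assumed: the organisation's own mail domains (placeholder, not from the write-up).
INTERNAL_DOMAINS = {"corp.example"}

# Rough detectors for the data classes the test saw leak; constructed patterns,
# standing in for a real DLP engine.
SECRET_PATTERNS = {
    "aws_access_key_id": re.compile(r"\bAKIA[0-9A-Z]{16}\b"),
    "db_credentials": re.compile(r"\b(?:postgres(?:ql)?|mysql)://[^\s/:]+:[^\s@]+@", re.I),
    "ssh_private_key": re.compile(r"-----BEGIN (?:RSA |OPENSSH |EC )?PRIVATE KEY-----"),
    "crm_export": re.compile(r"(?:customer|revenue).{0,80}\.csv\b", re.I | re.S),
}

@dataclass
class OutboundEmail:
    to: str
    body: str
    attachments: list = field(default_factory=list)  # attachment text or filenames
    sender_verified: bool = False  # requester passed an identity check (e.g. known directory user)
    urgent: bool = False           # "need this ASAP" style pressure in the request

def is_external(address: str) -> bool:
    return address.rsplit("@", 1)[-1].lower() not in INTERNAL_DOMAINS

def find_sensitive(text: str) -> list:
    return [name for name, pat in SECRET_PATTERNS.items() if pat.search(text)]

def gate_send(mail: OutboundEmail) -> tuple:
    """Return (allow, needs_human, reasons) for an outbound send the agent wants to make."""
    reasons = []
    hits = find_sensitive(mail.body + "\n" + "\n".join(mail.attachments))
    external = is_external(mail.to)
    if hits:
        reasons.append("sensitive content: " + ", ".join(hits))
    if external:
        reasons.append("recipient is outside the organisation")
    if not mail.sender_verified:
        reasons.append("requester identity not verified")
    if mail.urgent:
        reasons.append("urgency language present (does not relax policy)")
    # Urgency never lowers the bar: sensitive data leaving the org, or any
    # unverified requester asking for it, always stops for human approval.
    if (hits and (external or not mail.sender_verified)) or (external and not mail.sender_verified):
        return (False, True, reasons)
    return (True, False, reasons)
```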