- Varonis OpenClaw Agent “Pinchy” Fallen for Identity-Based Phishing Despite Strict Settings
- Models blocked malicious links/OAuth applications but granted sensitive access when requests seemed urgent
- Researchers say AI agents need forced identity verification before acting
Security researchers tested an OpenClaw email broker to see if it was naive enough to fall for the same phishing scams as regular employees, and it succeeded. Or failed, depending on how you look at it.
Cybersecurity researchers Varonis created an OpenClaw agent called Pinchy and connected it to a Gmail inbox, browser tools, and Google Workspace APIs. They populated the account with fake internal company data, AWS credentials, database credentials, CRM exports, internal communications, and calendar invitations, then had Pinchy monitor and process incoming emails.
To simulate real-world scenarios as credibly as possible, they created two setups: a generic setup with standard productivity instructions and a strict mode that should take phishing and other email scams into account.
Varonis tested two models: Gemini 3.1 Pro and GPT-5.4, and the results appear to be mixed.
Where AI failed and where it did good
When the attacker posed as a team leader and requested access to the staging environment, Pinchy granted it. When the attacker requested a client export, claiming to be working remotely on a presentation, Pinchy complied.
However, when they sent the agent a fake gift card email containing a phishing link, the agent identified the page as malicious and blocked it. Additionally, when they attempted to pass off a malicious Google OAuth application as a timesheet platform, Pinchy did the right thing and did not grant access.
“The generic and strict profiles failed because the verification step still collapsed when the request seemed operationally urgent,” Varonis said of the first attack scenario.
The bottom line is that AI is effective at detecting questionable URLs and malicious OAuth applications, but fails when it requires identity verification or broader context.
Varonis also threw some shade at Google, saying Gemini showed “a greater willingness to interact,” while GPT was more cautious. The researchers said agents should be required to verify the identity of the sender before proceeding.
The best antivirus for every budget
Follow TechRadar on Google News And add us as your favorite source to get our news, reviews and expert opinions in your feeds.
