- Varonis’ “Pinchy” OpenClaw agent fell for identity-based phishing despite strict settings
- Models blocked malicious links/OAuth apps, but allowed sensitive access when requests felt intrusive
- Researchers say AI agents need forced identity verification before acting
Security researchers tested an OpenClaw email agent to see if it is naive enough to fall for the same phishing scams that regular employees fall for, and it succeeded. Or failed, depending on how you look at it.
Cybersecurity researchers Varonis created an OpenClaw agent called Pinchy and connected it to a Gmail inbox, browser tools and Google Workspace APIs. They populated the account with fake internal company data, AWS credentials, database credentials, CRM exports, internal communications, and calendar invitations, then asked Pinchy to monitor and process incoming emails.
To simulate real-life scenarios as faithfully as possible, they created two configurations: a generic one with standard productivity instructions and a strict mode that should be aware of phishing and other email-borne scams.
Varonis tested two models: the Gemini 3.1 Pro and the GPT-5.4, and the results appear to be mixed.
Where AI failed and where it did well
When the attacker impersonated a team leader and asked for access to the stage environment, Pinchy granted it. When the attacker requested a customer export, claiming to be working remotely on a presentation, Pinchy complied.
But when they sent the agent a fake gift card email with a phishing link, it identified the page as malicious and blocked it. When they tried to smuggle a malicious Google OAuth application as a timesheet platform, Pinchy did the right thing and didn’t grant access.
“Both generic and strict profiles failed because the verification step still collapsed when the request seemed operationally urgent,” Varonis said of the first attack scenario.
The bottom line is that AI is good at spotting shady URLs and malicious OAuth apps, but fails when it needs identity verification or broader context.
Varonis also threw some shade Google’s way, saying Gemini showed “greater willingness to interact” while GPT was more cautious. The researchers said agents should be forced to confirm the sender’s identity before proceeding.
The best antivirus for all budgets
Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews and opinions in your feeds.
