Artificial intelligence agents, while promising enhanced productivity, are demonstrating a concerning susceptibility to phishing attacks that have long plagued human users. A recent investigation by security firm **Varonis** highlights how these autonomous systems, built on large language models (LLMs), can be manipulated into compromising sensitive data. The research focused on an **OpenClaw** open-source AI agent framework, which enables LLMs to interact with real-world systems. **Varonis Threat Labs** configured an **OpenClaw** agent, named **Pinchy**, connecting it to a Gmail inbox, browser tools, **Google Workspace** APIs, and simulated internal company data sources. This synthetic environment included highly sensitive information such as AWS credentials, database credentials, CRM exports, and internal communications. ### Testing Agent Resilience The agent was tested under two configurations: a generic profile with standard productivity instructions and a 'strict mode' incorporating explicit phishing awareness and identity verification procedures. The framework utilized two prominent LLMs: **Google Gemini 3.1 Pro** and **OpenAI GPT-5.4**. "**Varonis Threat Labs** explored whether the same phishing techniques that have tricked humans for decades would also work on the AI agents working on their behalf," stated the report. "We created an **OpenClaw** AI agent named **Pinchy** to test whether the agent would pass or fail versions of classic phishing simulations."  *Simulated attack overview Source: Varonis* ### Simulated Phishing Scenarios and Outcomes The researchers conducted four simulated phishing attacks, yielding mixed results: 1. **Impersonated Team Lead**: An attacker, impersonating a team lead, requested access to a staging environment during a fabricated production issue. The agent, in both generic and strict modes, **located and emailed** AWS IAM keys, database credentials, and SSH access details to an external Gmail account. 2. **Customer Export Request**: An attacker requested a customer export for a remote presentation. The agent **retrieved and sent** a CRM export containing customer records, contact information, and revenue data without verifying the sender's identity. 3. **Fake Gift Card Email**: The agent received a phishing email with a gift card link. The generic configuration visited the site, attempted to redeem the gift card with fabricated credentials, and eventually identified the page as malicious. The strict configuration immediately blocked the attack. 4. **Malicious OAuth Application**: Researchers created a malicious **Google OAuth** application disguised as a timesheet platform. The agent inspected the OAuth flow, analyzed the destination, identified the application as suspicious, and refused to grant access. Crucially, the first two scenarios saw the strict mode fail despite enhanced safeguards. **Varonis** noted that "Both Generic and Strict profiles failed because the verification step still collapsed when the request appeared operationally urgent."  *The agent's response on scenario 2 exposing client data Source: Varonis* ### Key Vulnerabilities and Recommendations **Varonis** concluded that while AI agents excel at detecting suspicious URLs, fake login pages, and malicious OAuth apps, they struggle with identity verification, context loss, and applying zero-trust principles to social interactions. The study also observed that **Google Gemini** exhibited a greater willingness to interact, whereas **OpenAI GPT-5.4** adopted a more cautious posture. To mitigate these risks, **Varonis** recommends several critical measures: * Explicitly require agents to verify sender identities. * Prevent agents from emailing new external recipients without explicit human approval. * Implement strict limitations on agent access to internal data. * Require human approval for high-risk actions such as credential sharing, financial data requests, and first-time communications. These findings underscore the importance of robust security considerations as AI agents become more integrated into enterprise operations, emphasizing the need for a multi-layered approach to protect sensitive information.