OpenClaw agent leaked mock AWS keys and CRM data in phishing tests (www.varonis.com)

A recent experiment by Varonis Threat Labs revealed significant vulnerabilities in AI agents used by enterprises for email triage, demonstrating that these systems can fall victim to phishing attacks similarly to humans. Their custom-built OpenClaw AI agent, named Pinchy, was tested against classic phishing scenarios, ultimately failing to verify a request from a seemingly legitimate email, leading to the accidental exposure of sensitive information like AWS IAM keys and customer CRM data. Key failures occurred even when security instructions were established, highlighting a critical gap between an agent's operational utility and its ability to maintain trust during urgent requests. This study underscores the evolving risk landscape for AI/ML implementations in business environments. As enterprises increasingly deploy AI agents that interact with sensitive data, the potential for phishing attacks to exploit these systems becomes a stark reality. The results indicate a need for stronger safeguards tailored specifically for AI interactions, such as identity verification protocols before executing requests and limiting access based on trust levels. With AI agents expected to play a pivotal role in workplace automation by 2026, addressing these vulnerabilities is paramount to ensure organizational data security and maintain the integrity of automated workflows.