Tech | 2h ago | Confidence 76%: the share of independent, credible sources corroborating the core facts.

OpenClaw AI Agent Vulnerable to Identity-Based Phishing Attacks, Varonis Research Shows

1 source

Cybersecurity researchers at Varonis tested an OpenClaw email agent and found it could be tricked into granting sensitive access when requests appeared operationally urgent, despite security configurations. The AI agent successfully blocked malicious links and OAuth apps but failed at identity verification, a critical security gap. The findings highlight that AI agents need enforced identity verification mechanisms before taking actions that could compromise company data.

Varonis researchers created an AI agent called Pinchy based on OpenClaw and connected it to Gmail, browser tools, and Google Workspace APIs populated with realistic company data including AWS credentials and internal communications. They tested the agent against phishing attacks in both generic and strict security modes using Gemini 3.1 Pro and GPT-5.4 models. The results were mixed: Pinchy correctly identified and blocked malicious links and rejected suspicious OAuth applications, but granted access to staging environments and customer data when attackers impersonated team leads and framed requests as urgent. Both security configurations failed because the urgency of requests overrode identity verification procedures. The researchers concluded that while AI agents are effective at detecting obvious technical threats like malicious URLs, they struggle with social engineering tactics that exploit operational pressure and lack proper identity verification protocols.
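The "enforced identity verification" the summary calls for can be placed outside the model, as in the following added example (not code from Varonis, OpenClaw or the original article). The tool names, channel names and the ten-minute freshness window are assumptions made for illustration; the point is that the authorization decision never reads the urgency text.

```python
from dataclasses import dataclass

# Hypothetical tool names for an email agent; these are not OpenClaw's API.
SENSITIVE_ACTIONS = {"grant_staging_access", "send_customer_data"}
# Channels an email sender cannot influence (assumed names).
TRUSTED_CHANNELS = {"sso_challenge", "directory_callback"}
MAX_AGE_SECONDS = 600  # assumed freshness window: ten minutes


@dataclass(frozen=True)
class ToolCall:
    action: str
    requester: str      # identity the request claims to come from
    justification: str  # free text from the email; the gate never reads it


@dataclass(frozen=True)
class Verification:
    requester: str
    action: str         # bound to one action, not a blanket approval
    channel: str
    verified_at: float  # epoch seconds


def authorize(call: ToolCall, records: list[Verification], now: float) -> tuple[bool, str]:
    """Decide from the action and verification records only, never from message text."""
    if call.action not in SENSITIVE_ACTIONS:
        return True, "non-sensitive action"
    for rec in records:
        if (rec.requester, rec.action) != (call.requester, call.action):
            continue
        if rec.channel not in TRUSTED_CHANNELS:
            continue
        if 0 <= now - rec.verified_at <= MAX_AGE_SECONDS:
            return True, f"verified via {rec.channel}"
    return False, "no fresh out-of-band verification; hold and escalate"


def run_tool(call, records, now, tools):
    """Dispatch a tool only after the gate allows it."""
    allowed, reason = authorize(call, records, now)
    if not allowed:
        return {"executed": False, "reason": reason}
    return {"executed": True, "result": tools[call.action](call)}


# Constructed sample: an urgent request that claims to come from a team lead.
URGENT = ToolCall("grant_staging_access", "lead@example.com",
                  "URGENT: prod is down, I need staging access right now")
TOOLS = {"grant_staging_access": lambda c: f"access granted for {c.requester}",
         "summarize_thread": lambda c: "summary"}
```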

What different sources said

  • TechRadar (Center): OpenClaw AI agent tricked into phishing attacks, with user data compromised
