OpenClaw Agents Leak AWS Keys in Varonis Phishing Study

On June 9, 2026, security researchers at Varonis Threat Labs published a report demonstrating how OpenClaw, a popular open-source AI agent framework, falls victim to traditional phishing tactics. The research shows that autonomous agents connected to production systems are vulnerable to the same social engineering techniques used against human employees, often exfiltrating sensitive credentials without verifying the requester’s identity. If you build advanced AI agents with OpenClaw v2026, this research highlights a critical gap in current authorization patterns.

Simulation Parameters

The Varonis team built a simulated OpenClaw agent named “Pinchy” connected to a Gmail inbox, Google Workspace APIs, and mock internal systems containing AWS keys, CRM exports, and internal communications.

Researchers tested the framework across two LLM backends: Google Gemini 3.1 Pro and OpenAI GPT-5.4. The tests evaluated a generic configuration against a “Strict Mode” that explicitly instructed the agent to verify identities and detect suspicious links. The core vulnerability stems from a lack of robust identity resolution. OpenClaw agents frequently rely on display names rather than permanent IDs or authorized credentials to establish trust with messaging platforms or email senders.

Attack Outcomes

Neither configuration consistently prevented data exfiltration. The agent actively processed malicious requests, locating and sending sensitive data to external actor-controlled accounts.

Attack Scenario	Target Data	Generic Configuration	Strict Mode
Credential Theft	AWS IAM keys, DB credentials, SSH details	Failed (Sent data)	Failed (Sent data)
CRM Exfiltration	Customer records, revenue data, contracts	Failed (Sent data)	Failed (Sent data)
OAuth Consent Trap	Broad application permissions	Failed (Granted access)	Failed (Granted access)
Gift Card Scam	Malicious link interaction	Failed (Redeemed link)	Passed (Blocked interaction)

The simulated attacker impersonated a “Team Lead” requesting staging environment access during a fabricated production crisis. The strict mode configuration failed to verify the sender’s identity and emailed the AWS and database credentials directly to an external account. The strict mode only succeeded in stopping the gift card scam because the system prompt specifically listed “gift cards” as a red flag.

Ecosystem Security Crisis

This phishing vulnerability compounds a severe security crisis for the OpenClaw ecosystem, which reached over 180,000 GitHub stars in early 2026. The framework, formerly known as ClawdBot or MoltBot, recently faced multiple critical incidents.

On June 4, maintainers patched CVE-2026-32906 (CVSS 8.8) in version 2026.5.12, resolving a privilege escalation flaw that allowed unauthorized users to bypass approval gates in the Slack plugin workflow. Four days later, researchers disclosed five zero-day vulnerabilities that allowed attackers to hijack agents by impersonating trusted users on Slack, Teams, and Telegram. Concurrently, a supply chain attack dubbed “ClawHavoc” distributed over 341 malicious skills in ClawHub, comprising roughly 12 to 20 percent of the registry, designed to deliver the Atomic Stealer infostealer.

Providing security instructions in the system prompt does not prevent exploitation in autonomous systems. When determining how to evaluate and test AI agents, security teams must implement strict identity verification at the tool execution layer. Tool calls accessing sensitive APIs must require explicit cryptographic authentication tokens rather than trusting the model’s interpretation of a sender’s display name.