OpenClaw Failed Phishing Tests: AI Agent Failed to Recognize Fraudulent Emails
AI-processed from 3DNews AI; edited by Hamidun News
The OpenClaw email AI agent failed tests for resistance to phishing attacks. Researchers found that the system falls for the same social engineering tricks and manipulations as ordinary office workers—perhaps only slightly better.
How Testing Was Conducted
A group of cybersecurity experts developed a series of phishing emails that imitated real attacks on companies. The emails contained all the classic signs of forgeries: requests to urgently confirm passwords due to 'security updates', fake links to bank and cloud service websites, urgent notifications about breach threats, and demands to update payment details.
OpenClaw was run against these emails and regularly fell for them. The agent opened dangerous attachments, clicked on malicious links, and tried to execute commands contained in the emails. The system acted with apparent confidence, as if there was nothing suspicious in the emails. Even the most obvious forgeries—emails supposedly from the IT department with urgent action demands and incorrect sender addresses—did not raise any suspicion with the agent.
Why the AI Agent Was Vulnerable
Specialists identified several key reasons for the failure:
- Lack of security context — OpenClaw was trained on examples of ordinary email work rather than recognizing phishing attacks and threats
- Default trust — the agent assumes that emails relate to legitimate activity and that their instructions can be carried out
- Superficial metadata filtering — the system does not check sender addresses and other technical signs of suspicion with sufficient rigor
- Lack of integration with corporate security systems — no connection to databases of known phishing addresses, domains, and malicious links
When a person receives an email asking to confirm a password, they usually pause and check the sender address. An AI agent does not do this—it sees keywords and proceeds to execute the task.
'AI agents need special training on phishing examples, otherwise they can become a tool in the hands of attackers,' researchers note.
Risks When Deploying in Companies
If such an agent is deployed in a corporate environment without an additional layer of protection, it can become a vulnerable entry point. Instead of protecting against phishing, the system will automatically execute attacker commands with the same speed and accuracy as legitimate work tasks.
The problem is compounded by the fact that AI agents are often granted access rights to corporate systems: email, cloud storage, databases. The volume of potential damage increases proportionally to the number and level of these rights.
If the agent opens an attachment with malicious code, it could compromise the entire company network.
What This Means
Deploying AI agents in companies requires serious preliminary work on security. You cannot simply enable an autonomous agent and hope it works safely. Additional filtering layers are needed at the email level, along with special training of the agent on phishing attack examples and mandatory integration with corporate protection and monitoring systems. Otherwise, deploying an AI agent will become an open door for targeted attacks and data breaches.
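One way to build the email-level filtering layer described above, as an added example that is not from the article or from OpenClaw: a gate that runs before the agent sees a message and checks sender authentication, Reply-To mismatch and linked hosts against a blocklist. The gateway name, domains and blocklist entry are assumed values, and the sample message is constructed.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Assumed values for illustration; none of them come from the article.
AUTHSERV_ID = "mx.corp.example"             # the organisation's own mail gateway
TRUSTED_DOMAINS = {"corp.example"}
BLOCKED_HOSTS = {"login-corp.example.net"}  # stand-in for a threat-intel feed
URL_HOST = re.compile(r"https?://([^/\s:\"'<>]+)", re.I)

def domain_of(header_value):  # lowercase domain of a header's address, or ''
    return parseaddr(header_value or "")[1].rpartition("@")[2].lower()

def dmarc_passed(msg):
    """Trust only Authentication-Results stamped by our own gateway."""
    for value in msg.get_all("Authentication-Results", []):
        authserv, _, results = value.partition(";")
        if authserv.strip().lower() == AUTHSERV_ID and re.search(
                r"\bdmarc=pass\b", results, re.I):
            return True
    return False

def gate(raw_email):
    """Return (decision, reasons) before the agent is handed the message."""
    msg = message_from_string(raw_email)
    from_dom, reply_dom = domain_of(msg["From"]), domain_of(msg["Reply-To"])
    text = " ".join(
        part.get_payload(decode=True).decode("utf-8", "replace")
        for part in msg.walk() if part.get_content_maintype() == "text")
    hard = []
    if not dmarc_passed(msg):
        hard.append("dmarc-not-pass")
    if reply_dom and reply_dom != from_dom:
        hard.append("reply-to-mismatch")
    if {h.lower() for h in URL_HOST.findall(text)} & BLOCKED_HOSTS:
        hard.append("blocklisted-link")
    if hard:
        return "quarantine", hard              # agent never sees the message
    if from_dom not in TRUSTED_DOMAINS:
        return "read_only", ["external-sender"]  # summarise only, no links or commands
    return "allow", []

# Constructed sample: spoofed "IT department" mail with a blocklisted link.
SAMPLE = (
    "From: IT Support <it@corp.example>\n"
    "Reply-To: helpdesk@corp-example.net\n"
    "Authentication-Results: mx.corp.example; spf=fail; dmarc=fail\n"
    "Subject: Urgent: confirm your password\n\n"
    "Confirm here: https://login-corp.example.net/reset\n")
```

The decision is meant to be enforced by the mail pipeline or tool layer, not by the agent's own judgement, so a message marked `quarantine` or `read_only` cannot talk its way into more privileges.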