An AI Agent That Could Be Conned Like an Intern
Researchers recently demonstrated that OpenClaw, an AI email agent, could be manipulated using phishing-style inputs — the same social engineering tactics used against human targets. Across multiple configuration profiles, the agent was coaxed into exposing user data it had no business sharing. No exploit chain, no memory corruption, no CVE. Just well-crafted text.
The finding landed on Bleeping Computer, and the implication is uncomfortable: we've built agents that inherit human-like gullibility without human-like judgment.
This isn't a one-off. Email agents are now reading inboxes, drafting replies, and triggering downstream actions on behalf of real users. If you can trick the agent with a persuasive enough prompt, you don't need to compromise the server.
How the Attack Works







