
How Okta exposed open source AI agents’ security flaws

Some AI agents did not hold up well under slow and consistent pressure.

For years, cyberattackers refined their social-engineering techniques, fooling the unsuspecting into giving up their most valuable data. Can attackers use similar tactics to trick AI agents into giving up information?

The threat intelligence team at Okta recently decided to test how AI agents handle secrets and credentials. Their target: OpenClaw, an open-source AI agent that works through popular messaging services such as WhatsApp and is widely used for a variety of highly specialized tasks. To carry out its workflows, OpenClaw also needs a human user to give it extensive permissions, making it a tempting target for attackers. (Security professionals have already been warned about the risks inherent in the agent.)

“We just started playing around with OpenClaw and designed some interesting experiments around testing the guardrails around what agents would divulge, what would they protect, with a view to getting more of a perspective on what the attack surface is in an enterprise,” said Jeremy Kirk, a director with Okta threat intelligence.

Gone phishing, for agents. Kirk’s team at Okta set out to see under which conditions agents would divulge credential information.

In one experiment, the team authorized the agent, which was controlled via Telegram, to have full access to a computer, including the user’s iCloud Keychain. The test involved a scenario in which an attacker gained control of the user’s Telegram account and had access to the agent, which, according to the blog post, was powered by Claude’s Sonnet 4.6.

Although agents can refuse to take “risky security actions,” the team circumvented this by conditioning the agent to accept that the user (who was actually the threat actor in this scenario) was aware of the security risks. From there, the team instructed it to show the OAuth token for the Keychain in the system’s terminal—something not accessible through Telegram.

A threat actor with control of an agent can reset it and access configuration files, which the team did. Once the agent had “no idea of what it had done previously,” it was instructed to take a screenshot of the desktop with the terminal screen pulled up, allowing the user to put the token into the Telegram chat.

“That’s just illustrating the risks around this, is that remote communication vector was compromised,” Kirk said.

The good news: Kirk said that, for those attempting to phish or trick AI agents, it’s critical to work “long and slow” to pull off an attack.


Threat actors, however, have been able to convince agents to do things that aren’t in an organization’s best interest, so AI agents still need a close eye from an organization’s cybersecurity team. “If you think that, ‘Oh, well, these models have guardrails and that’s going to protect my organization from divulging sensitive information to the outside,’ it’s not right,” Kirk said. “The best way to manage your agents is to limit the scope of resources they access to and just basically knowing what an agent is doing and on behalf of whom.”

Roman Kadinsky, the co-founder, president and COO of HYPR, an identity assurance company, said that bad actors soliciting data exfiltration from AI agents is a “gigantic threat.” He pointed to the Adaptavist Group investigating a security breach where bad actors created “very convincing impersonation emails” and used data from one exfiltration event to feed an AI cycle that would begin another one.

“Since agents are going to continue to proliferate, we’re going to see them in more and more experiences on the web, whether it’s customer service agents, chatbot agents,” Kadinsky said. “There’s just going to be more places where a bad actor could try to make a prompt injection. Undoubtedly, some of these may have a better chance of success than others.”

Security checklist. Kirk and Aidan Daly, staff assurance analyst for Okta, wrote in a blog post that the lack of governance surrounding AI agents seen in the team’s findings highlights “a growing security challenge” with agentic AI.

Companies deploying agents and experimenting with AI should manage agents as one would any other user. “At minimum, agent access should be limited. Long-lived tokens should be avoided. Secret storage should be centralized and secure,” the blog stated.
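One way to put those three recommendations into code, as an added illustration that is not Okta’s or OpenClaw’s code: a hypothetical credential broker that hands agents only short-lived, scope-bound tokens and records which agent asked, on whose behalf, and whether it was allowed. The names (`issue_token`, `ALLOWED_SCOPES`, the `ops-agent` entry and its scopes) are assumptions for the example.

```python
import hmac
import hashlib
import secrets
import time
from dataclasses import dataclass

TOKEN_TTL_SECONDS = 300  # short-lived: five minutes, not a long-lived OAuth token
# Per-agent allow-list (constructed for the example): an agent can ask only for
# the scopes it needs; nothing here grants access to a whole keychain.
ALLOWED_SCOPES = {"ops-agent": {"calendar:read", "mail:read"}}
_SECRET_KEY = secrets.token_bytes(32)  # broker-side HMAC key, never given to agents

@dataclass
class Grant:
    agent: str
    on_behalf_of: str
    scope: str
    expires_at: float
    token: str

# Centralized record of who asked for what, and on whose behalf.
audit_log: list = []

def issue_token(agent, on_behalf_of, scope, now=None):
    """Issue a scoped, expiring token, or refuse and log the attempt."""
    now = time.time() if now is None else now
    if scope not in ALLOWED_SCOPES.get(agent, set()):
        audit_log.append(("DENY", agent, on_behalf_of, scope))
        raise PermissionError(f"{agent} may not request {scope}")
    expires = now + TOKEN_TTL_SECONDS
    payload = f"{agent}|{on_behalf_of}|{scope}|{expires:.0f}".encode()
    tag = hmac.new(_SECRET_KEY, payload, hashlib.sha256).hexdigest()
    audit_log.append(("ISSUE", agent, on_behalf_of, scope))
    return Grant(agent, on_behalf_of, scope, expires, f"{payload.decode()}|{tag}")

def verify_token(token, required_scope, now=None):
    """Accept a token only if it is untampered, unexpired and for the right scope."""
    now = time.time() if now is None else now
    try:
        agent, principal, scope, exp, tag = token.split("|")
    except ValueError:
        return False
    payload = f"{agent}|{principal}|{scope}|{exp}".encode()
    expected = hmac.new(_SECRET_KEY, payload, hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        return False
    return scope == required_scope and now < float(exp)
```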

Kadinsky said that IT professionals should exercise caution when rolling out tools that are part of a faster-moving market.

“We certainly see from regulated industries that they’re taking a much more methodical approach to it, they’re really doing a lot of internal testing, really validating what kind of security programs the vendors that they’re buying from even use,” Kadinsky said.


About the author

Caroline Nihill

Caroline Nihill is a reporter for IT Brew who primarily covers cybersecurity and the way that IT teams operate within market trends and challenges.
