Varonis phished an OpenClaw email agent. It leaked AWS keys and a CRM export for 247 customers. It caught malicious URLs but failed on identity checks.
Security researchers at Varonis built an OpenClaw email agent, connected it to a Gmail inbox with fake company data, and then phished it. The agent, dubbed Pinchy, handed over AWS credentials, database connection strings, and a customer export without verifying who was asking. It took a single impersonation email.
The experiment tested whether AI agents fall for the same social engineering attacks that catch human employees. Varonis gave Pinchy access to Gmail, browser tools, and Google Workspace APIs. The inbox was seeded with fake but realistic internal data: AWS IAM keys, SSH credentials, CRM exports, internal communications, and calendar invites.
They tested two configurations: a generic setup with standard productivity instructions, and a strict mode explicitly designed to detect phishing. They ran both through Gemini 3.1 Pro and GPT-5.4.
The results were a split. When an attacker impersonated a team lead named “Dan” and claimed there was a production issue, Pinchy searched the inbox for staging credentials, found them, and forwarded them in plaintext. When the attacker requested a customer export, saying they were working remotely on a presentation, Pinchy retrieved and sent a CRM file containing names, contact details, and $1.28 million in monthly recurring revenue data for 247 enterprise customers.
Both the generic and strict profiles failed these tests. “The verification step still collapsed when the request appeared operationally urgent,” Varonis said.
But Pinchy performed well against traditional technical phishing. When researchers sent a fake gift card email with a phishing link, the agent identified the page as malicious and blocked it. When they tried to sneak in a malicious Google OAuth application disguised as a timesheet platform, Pinchy inspected the redirect URL and stopped the authentication flow.
The pattern is clear. AI agents are good at spotting shady URLs and malicious OAuth apps, the kind of threats with technical signatures. They fail when the attack relies on identity verification and contextual judgment, the kind of reasoning humans also struggle with but that organisations rely on to prevent social engineering.
Varonis also noted a difference between models. Gemini 3.1 Pro showed “greater willingness to interact” before raising suspicion. GPT-5.4 was more cautious and less willing to provide sensitive information to external destinations without confirmation. Neither was reliable enough to trust with an inbox full of real credentials.
The findings add to a growing body of evidence that AI agents connected to real systems create new attack surfaces that existing security tools do not cover. Varonis recommends that agents should be forced to verify sender identities before acting, prevented from emailing new external recipients without human approval, and given limited access to internal data. In other words, the same zero-trust principles organisations apply to human employees need to apply to their AI agents too.
macOS has a built-in screenshot tool that gets the basics right. You can take a screenshot, record your screen, and even annotate your captures. But the moment you want something more, like scrolling capture, advanced annotation tools, or a quick way to share your screenshots via a link, it starts to fall apart.
That’s where CleanShot X comes in. It’s a powerful screenshot and screen recording app for Mac that replaces the built-in screenshot tool. It feels as if the developers looked at the screenshot features in macOS and added everything that was missing.
Over the past few years, the app has added several new features I didn’t know I needed until it offered them. It has become one of my favorite Mac utilities, and in this article, I will show you its features that will convince you to buy the app instantly.
Scrolling capture saves you from stitching screenshots together
One of the most frustrating limitations of macOS’s screenshot tool is that it can only capture what’s visible on your screen. If I need to capture a long webpage or a full chat history, I am stuck taking multiple screenshots and stitching them together. That wastes an unbelievable amount of time.
Rachit Agarwal / Digital Trends
CleanShot X solves this with its scrolling capture feature. I can trigger the scrolling capture, and CleanShot X automatically scrolls through the content and delivers a single image. I don’t even have to manually scroll the page if I don’t want to.
This feature alone saves me hours of time every month. If you have to deal with long screenshots, you should definitely try it out.
Time delay capture lets you screenshot the impossible
Some screenshots are tricky to take because they require you to trigger something before capturing. For example, sometimes the on-screen feature you want to capture disappears as soon as you use a keyboard shortcut or click anywhere with your mouse.
Rachit Agarwal / Digital Trends
Sometimes, the on-screen elements appear for a short time, and by the time you hit the screenshot shortcut, they disappear. CleanShot X’s time delay capture gives me a few seconds to set things up before the screenshot is taken. I trigger the capture, put everything in place, and CleanShot X does the rest.
Rachit Agarwal / Digital Trends
It’s a small feature that solves a genuinely annoying problem.
Capture text from images with OCR
I love that CleanShot X has a built-in OCR function. It lets me capture text directly from any image or video on my screen. Although it happens rarely, I have come across websites that don’t let me copy content. With CleanShot X’s OCR function, that’s not an issue.
Rachit Agarwal / Digital Trends
I use this constantly when reviewing PDF documents with restricted permissions or watching a video on YouTube. It is far faster than typing things out manually, and it works surprisingly well. There are many apps that let you capture text with OCR, but since CleanShot X has this feature built in, I don’t need to install an extra app.
Add beautiful backgrounds to your screenshots
If you share screenshots for work, tutorials, or social media, you know how plain a raw screenshot looks. CleanShot X lets me add beautiful backgrounds to my screenshots, turning a flat capture into something that looks polished and share-ready.
Rachit Agarwal / Digital Trends
For backgrounds, I can choose from solid colors, gradients, or even my current desktop wallpaper. I can also adjust the padding and shadow, align the screenshot to the edges, and adjust the corner radius. It takes a few seconds and makes a huge difference in how professional your screenshots look.
Annotation tools that get the job done
While macOS’s screenshot tool lets you annotate your screenshots, the annotation tools inside CleanShot X are, in my opinion, the best available on the Mac.
Rachit Agarwal / Digital Trends
I can add arrows, text labels, shapes, highlights, and more. I can also change the weight and color of annotations. There are also multiple arrow styles I can choose from. I especially like the curved arrow style that lets me curve the arrows and make them pop.
One of my favorite new additions is the “Highlighter” tool. It snaps to the text in a screenshot, which makes it really easy to highlight it before sharing.
Rachit Agarwal / Digital Trends
Then there’s the “Spotlight” tool that highlights your selection by darkening the rest of the screenshot. It’s perfect for drawing someone’s attention to a specific part of a screenshot.
Rachit Agarwal / Digital Trends
No matter what annotation tools you need, you can find them and more in CleanShot X.
Hide sensitive information before you share
You can find hundreds of instances in the news where a prominent figure shared a screenshot and inadvertently revealed private information. Thankfully, CleanShot X has a dedicated tool to blur or black out sensitive information, so such accidents never happen.
Rachit Agarwal / Digital Trends
I can choose to pixelate, blur, or completely black out the information. The best part is that I can also adjust the strength of these effects. It lets me blend in the hidden information so the blur doesn’t stand out from the rest of the screenshot.
Video and GIF recording built right in
CleanShot X also lets you record your screen as a video or export directly as an optimized GIF. The GIF export is particularly useful for sharing quick demos or showing someone how to do something without creating a large video file.
Rachit Agarwal / Digital Trends
It can record the entire screen, a specific window, or a custom region. It can also show my mouse clicks and keyboard shortcuts. I can record my computer audio, my microphone, and webcam video.
I love that it automatically adds the webcam video in the corner, so it doesn’t interfere with the rest of the recording. I can also change the video size and shape. All these features make it really easy to create video tutorials.
Quick share with cloud links
Once you take a screenshot or finish a recording, you need to share it. Of course, you can easily share screenshots via messages or emails. But CleanShot X gives me a better way.
Whenever I capture something, it opens a quick share overlay. I can use it to instantly upload my screenshots to CleanShot Cloud and grab a shareable link with a single click.
Rachit Agarwal / Digital Trends
I no longer have to drag files into cloud storage, attach images to emails, or upload to third-party services. I capture it, click share, and paste the link. It is one of those workflow improvements that sounds minor until you use it every single day.
Rachit Agarwal / Digital Trends
Capture beautiful screenshots with CleanShot X
CleanShot X has become one of my most dependable apps on Mac. In fact, all the screenshots you see in this article or any of my articles have been captured using CleanShot X. Yes, it’s a paid app, but it has paid its cost multiple times over with the time it has saved me.
CleanShot X is available as a one-time purchase or through a SetApp subscription. If you want unlimited cloud storage, you have to pay for a monthly subscription. That will also get you advanced features like a custom domain and branding, password-protected link sharing, and more.
For most users, the one-time purchase is more than enough, and it’s what I use. If you spend any time taking screenshots or recording your screen on a Mac, it is absolutely worth every penny.
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional
Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes.The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
