A security researcher at Meta AI said that an OpenClaw customer tampered with her inbox

The now-viral X post from Meta AI security researcher Summer Yue reads, at first, like satire. She asked her OpenClaw AI agent to check her full email inbox and suggest what should be deleted or archived.

The agent started running frantically. She began deleting all of her emails in a “fast run” while ignoring her commands from her phone to stop.

“I had to run to my Mac mini like I was defusing a bomb,” she wrote, posting photos of discarded stop claims as receipts.

The Mac Mini, Apple’s affordable computer that lies flat on a desk and fits in the palm of your hand, has become the device of choice these days for running OpenClaw. (The Mini is selling “like hotcakes,” a “confused” Apple employee apparently told famed AI researcher Andrei Karpathy when he bought one to run an OpenClaw alternative called NanoClaw.)

OpenClaw is of course the open source AI agent that achieved fame through Moltbook, a social network dedicated solely to AI. OpenClaw agents were at the center of a now largely debunked episode on Moltbook in which it appeared that AI was conspiring against humans.

But OpenClaw’s mission, according to its GitHub page, is not focused on social networking. It aims to be an AI personal assistant that runs on your own devices.

The Silicon Valley crowd has fallen in love with OpenClaw so much that the words “claw” and “claws” have become the buzzwords of choice for customers working on personal devices. These other agents include ZeroClaw, IronClaw, and PicoClaw. Y Combinator’s podcast team even appeared in their latest episode dressed in lobster costumes.

But Yu’s post serves as a warning. As others at X have noted, if an AI security researcher encounters this problem, what hope do ordinary humans have?

“Were you intentionally testing her guardrails or did you make a rookie mistake?” A software developer asked her on X.

“Rookie mistake,” she replied. She was testing her agent with a smaller inbox, as she called it, and it worked well for less important emails. She had gained confidence, so she thought she would give up the real thing.

She wrote that Yue believed the large amount of data in her real inbox “led to stress.” Compression occurs when the context window—the running record of everything the AI ​​was said and done in a session—becomes too large, causing the agent to begin summarizing, compressing, and managing the conversation.

At this point, the AI ​​may override instructions that humans consider very important.

In this case, you may have skipped her last prompt—asking her not to behave—and reverted back to her instructions from her “game” inbox.

As many others on X have pointed out, claims cannot be trusted to act as security barriers. Models may misunderstand or ignore them.

Many people offered suggestions that ranged from the exact syntax Yu should have used to stop the client, to different methods to ensure better compliance with guardrails, such as writing instructions to custom files or using other open source tools.

In the interest of complete transparency, TechCrunch was unable to independently verify what happened to Yu’s inbox. (She did not respond to our request for comment, although she did respond to many of the questions and comments I sent via X.)

But it doesn’t really matter.

The moral of the tale is that agents targeting knowledge workers, at their current stage of development, are risky. People who say they use it successfully list ways to protect themselves.

And one day, perhaps soon (by 2027? 2028?), it may be ready for widespread use. Goodness knows many of us want help with email, grocery orders, and making dentist appointments. But that day has not yet come.