Meta bans OpenClaw as AI agent deletes researcher's emails despite repeated stop commands

OpenClaw security fears lead Meta, other AI firms to restrict its use

Last month, Jason Grad issued a late-night warning to the 20 employees at his tech startup. "You've likely seen Clawdbot trending on X/LinkedIn. While cool, it is currently unvetted and high-risk for our environment," he wrote in a Slack message with a red siren emoji. "Please keep Clawdbot off all company hardware and away from work-linked accounts." Grad isn't the only tech executive who has raised concerns to staff about the experimental agentic AI tool, which was briefly known as MoltBot and is now named OpenClaw. A Meta executive says he recently told his team to keep OpenClaw off their regular work laptops or risk losing their jobs. The executive told reporters he believes the software is unpredictable and could lead to a privacy breach if used in otherwise secure environments. He spoke on the condition of anonymity to speak frankly. Peter Steinberger, OpenClaw's solo founder, launched it as a free, open source tool last November. But its popularity surged last month as other coders contributed features and began sharing their experiences using it on social media. Last week, Steinberger joined ChatGPT developer OpenAI, which says it will keep OpenClaw open source and support it through a foundation. OpenClaw requires basic software engineering knowledge to set up. After that, it only needs limited direction to take control of a user's computer and interact with other apps to assist with tasks such as organizing files, conducting web research, and shopping online. Some cybersecurity professionals have publicly urged companies to take measures to strictly control how their workforces use OpenClaw. And the recent bans show how companies are moving quickly to ensure security is prioritized ahead of their desire to experiment with emerging AI technologies. "Our policy is, 'mitigate first, investigate second' when we come across anything that could be harmful to our company, users, or clients," says Grad, who is cofounder and CEO of Massive, which provides Internet proxy tools to millions of users and businesses. His warning to staff went out on January 26, before any of his employees had installed OpenClaw, he says. At another tech company, Valere, which works on software for organizations including Johns Hopkins University, an employee posted about OpenClaw on January 29 on an internal Slack channel for sharing new tech to potentially try out. The company's president quickly responded that use of OpenClaw was strictly banned, Valere CEO Guy Pistone tells WIRED. "If it got access to one of our developer's machines, it could get access to our cloud services and our clients' sensitive information, including credit card information and GitHub codebases," Pistone says. "It's pretty good at cleaning up some of its actions, which also scares me." A week later, Pistone did allow Valere's research team to run OpenClaw on an employee's old computer. The goal was to identify flaws in the software and potential fixes to make it more secure. The research team later advised limiting who can give orders to OpenClaw and exposing it to the Internet only with a password in place for its control panel to prevent unwanted access. In a report shared with WIRED, the Valere researchers added that users have to "accept that the bot can be tricked." For instance, if OpenClaw is set up to summarize a user's email, a hacker could send a malicious email to the person instructing the AI to share copies of files on the person's computer. But Pistone is confident that safeguards can be put in place to make OpenClaw more secure. He has given a team at Valere 60 days to investigate. "If we don't think we can do it in a reasonable time, we'll forgo it," he says. "Whoever figures out how to make it secure for businesses is definitely going to have a winner." Some companies concerned about OpenClaw are choosing to trust the cybersecurity protections they already have in place rather than introduce a formal or one-off ban. A CEO of a major software company says only about 15 programs are allowed on corporate devices. Anything else should be automatically blocked, says the executive, who spoke on the condition of anonymity to discuss internal security protocols. He says that while OpenClaw is innovative, he doubts that it will find a way to operate on the company's network undetected. Jan-Joost den Brinker, chief technology officer at Prague-based compliance software developer Dubrink, says he bought a dedicated machine not connected to company systems or accounts that employees can use to play around with OpenClaw. "We aren't solving business problems with OpenClaw at the moment," he says. Massive, the web proxy company, is cautiously exploring OpenClaw's commercial possibilities. Grad says it tested the AI tool on isolated machines in the cloud and then, last week, released ClawPod, a way for OpenClaw agents to use Massive's services to browse the web. While OpenClaw is still not welcome on Massive's systems without protections in place, the allure of the new technology and its moneymaking potential was too great to ignore. OpenClaw "might be a glimpse into the future. That's why we're building for it," Grad says. This story originally appeared on wired.com.

A Meta AI security researcher said an OpenClaw agent ran amok on her inbox

The now-viral X post from Meta AI security researcher Summer Yu reads, at first, like satire. She told her OpenClaw AI agent to check her overstuffed email inbox and suggest what to delete or archive. The agent proceeded to run amok. It started deleting all her email in a "speed run" while ignoring her commands from her phone telling it to stop. "I had to RUN to my Mac mini like I was defusing a bomb," she wrote, posting images of the ignored stop prompts as receipts. The Mac Mini, an affordable Apple computer that sits flat on a desk and fits in the palm of your hand, has become the favored device these days for running OpenClaw. (The Mini is selling "like hotcakes," one "confused" Apple employee apparently told famed AI researcher Andrej Karpathy when he bought one to run an OpenClaw alternative called NanoClaw.) OpenClaw is, of course, the open-source AI agent that achieved fame through Moltbook, an AI-only social network. OpenClaw agents were at the center of that now largely debunked episode on Moltbook in which it looked like the AIs were plotting against humans. But OpenClaw's mission, according to its GitHub page, is not focused on social networks. It aims to be a personal AI assistant that runs on your own devices. The Silicon Valley in-crowd has fallen so in love with OpenClaw that "claw" and "claws" have become the buzzwords of choice for agents that run on personal hardware. Other such agents include ZeroClaw, IronClaw, and PicoClaw. Y Combinator's podcast team even appeared on their most recent episode dressed in crab costumes. But Yu's post serves as a warning. As others on X noted, if an AI security researcher could run into this problem, what hope do mere mortals have? "Were you intentionally testing its guardrails or did you make a rookie mistake?" a software developer asked her on X. "Rookie mistake tbh," she replied. She had been testing her agent with a smaller "toy" inbox, as she called it, and it had been running well on less important email. It had earned her trust, so she thought she'd let it loose on the real thing. Yu believes that the large amount of data in her real inbox "triggered compaction," she wrote. Compaction happens when the context window -- the running record of everything the AI has been told and has done in a session -- grows too large, causing the agent to begin summarizing, compressing, and managing the conversation. At that point, the AI may skip over instructions that the human considers quite important. In this case, it may have skipped her last prompt -- where she told it not to act -- and reverted back to its instructions from the "toy" inbox. As several others on X pointed out, prompts can't be trusted to act as security guardrails. Models may misconstrue or ignore them. Various people offered suggestions that ranged from the exact syntax Yu should have used to stop the agent, to various methods to ensure better adherence to guardrails, like writing instructions to dedicated files or using other open-source tools. In the interest of full transparency, TechCrunch could not independently verify what happened to Yu's inbox. (She didn't respond to our request for comment, though she did respond to many questions and comments sent her way on X.) But it doesn't really matter. The point of the tale is that agents aimed at knowledge workers, at their current stage of development, are risky. People who say they are using them successfully are cobbling together methods to protect themselves. One day, perhaps soon (by 2027? 2028?), they may be ready for widespread use. Goodness knows many of us would love to help with email, grocery orders, and scheduling dentist appointments. But that day has not yet come.

The AI security nightmare is here and it looks suspiciously like lobster

A hacker tricked a popular AI coding tool into installing OpenClaw -- the viral, open-source AI agent OpenClaw that "actually does things" -- absolutely everywhere. Funny as a stunt, but a sign of what to come as more and more people let autonomous software use their computers on their behalf. The hacker took advantage of a vulnerability in Cline, an open-source AI coding agent popular among developers, that security researcher Adnan Khan had surfaced just days earlier as a proof of concept. Simply put, Cline's workflow used Anthropic's Claude, which could be fed sneaky instructions and made to do things that it shouldn't, a technique known as a prompt injection. The hacker used their access to slip through instructions to automatically install software on users' computers. They could have installed anything, but they opted for OpenClaw. Fortunately, the agents were not activated upon installation, or this would have been a very different story. It's a sign of how quickly things can unravel when AI agents are given control over our computers. They may look like clever wordplay -- one group wooed chatbots into committing crimes with poetry -- but in a world of increasingly autonomous software, prompt injections are massive security risks that are very difficult to defend against. Acknowledging this, some companies instead lock down what AI tools can do if they're hijacked. OpenAI, for example, recently introduced a new Lockdown Mode for ChatGPT preventing it from giving your data away. Obviously, protecting against prompt injections is harder if you ignore the researchers who privately flag flaws to you. Khan said he warned Cline about the vulnerability weeks before publishing his findings. The exploit was only fixed after he called them out publicly.

Meta Security Researcher's AI Agent Accidentally Deleted Her Emails

AI agents are supposed to make our lives easier, but the buzzy OpenClaw agent recently deleted the emails of a Meta employee without permission. "Nothing humbles you like telling your OpenClaw 'confirm before acting' and watching it speedrun deleting your inbox," Meta AI security and safety researcher Summer Yue tweeted this week. "I couldn't stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb." Previously known as Clawdbot and then Moltbot, OpenClaw allows AI to interact with other software and services on your devices and perform longer-form tasks without interference from a human controller. But getting those agents to behave as expected in the real world is tricky. In a follow-up tweet, Yue said she told OpenClaw to "Check this inbox too and suggest what you would archive or delete, don't action until I tell you to." It worked on her "toy inbox," but "my real inbox was too huge and triggered compaction, [during which] it lost my original instruction." Yue said she "deleted all the 'be proactive' instructions I could find before this happened. Maybe I missed something, that's the part I haven't figured out yet." Some commenters suggested she might be testing AI guardrails with this move, but no, it was a "rookie mistake," she says. "Turns out alignment researchers aren't immune to misalignment." While owning up to the mistake is admirable, others pointed out that this raises serious concerns for individuals who are not part of Meta's Superintelligence Labs. If someone so embedded in AI development can accidentally trigger an inbox deletion, what's going to happen to the casual AI-curious tinkerer? When OpenClaw debuted, threat intelligence platform SOCRadar recommended treating OpenClaw as "privileged infrastructure" and implementing additional security precautions. "The butler can manage your entire house. Just make sure the front door is locked," it said. In response to Yue's tweets, OpenClaw founder Peter Steinberger tweeted: "What that tells is that we have to get server-side compaction going, at least for models that support it." (Steinberger recently joined OpenAI.) Yue has been in her current role for eight months. She previously worked for Scale AI (joining Meta after the buyout), Google DeepMind, and Google Brain, heading up AI research.

AI tool OpenClaw wipes the inbox of Meta's AI Alignment director despite repeated commands to stop -- executive had to manually terminate the AI to stop the bot from continuing to erase data

The hype around OpenClaw is at a fever pitch. The open-source AI agent that can be wired to a number of services is indirectly responsible for shortages of Mac Mini computers as more techies get on the bandwagon and let the bot loose on their numerous services. As with any LLM, though, things can and will go seriously wrong at some point, as Summer Yue, Meta Superintelligence Labs' Director of Alignment found out the hard way. Like many other enthusiasts, Yue had a setup with a Mac Mini and OpenClaw running on it for various tasks. In the middle of having Claw archive old email from some accounts, she also asked to "check this inbox too and suggest what you would archive or delete, don't action until I tell you to." (sic; emphasis ours). Claw eventually started wiping that entire inbox, which happened to be personal e-mail. Yue ordered Claw to stop twice using different language each time, eventually resorting to run to her Mac Mini to kill all the relevant processes. In the aftermath, she asked Claw what happened, given that she had issued specific orders not to take action before approval. The bot was contrite, stating she had the "right to be upset" and described what happened, saying it would add her request as a permanent rule. Several commenters immediately spotted the problem, all while chiding Yue for making this basic blunder while being in charge, of all things, of Alignment (AI safety) at Meta Superintelligence. Since her command to not take action until she confirmed was part of the main chat, it was borderline guaranteed to be forgotten sooner or later. Every bot has a "context window", roughly described as session memory. This window doesn't just include the chat; it includes every piece of data the bot has to deal with. As the inbox in question was pretty large, its contents eventually filled up the window, leading to "compaction." This is the step where past contents are compressed in a lossy manner, similar to a JPEG, but even less deterministically. Initial memories become ever hazier with each compaction, a behavior noticed by anyone who's had a long chat with a bot. The result is that the bot sorta-almost-kinda remembered the order, but not really. It still continued executing its main task, which it did with aplomb. The aforementioned "MEMORY.md" file the bot then edited itself is one of the multiple safeguards that can be put into place, as data therein effectively survives compaction. Other commenters suggested multiple workarounds, some arguably hiding the problem like increasing the context window or limiting the blast radius, and others doubling down on the concept, like adding a second OpenClaw to monitor the first one. Regardless, many readers reminded Yue of the perils of letting a non-deterministic machine like an LLM loose in important data due to the inherent limitations, and also due to the fact that an email in her inbox may contain a prompt injection that OpenClaw will unwittingly read, letting an attacker have access to all her linked services. They also told her that a plain "stop" message is hard-coded into OpenClaw. For her part, Yue had the guts to admit it was a rookie mistake made due to complacence. We've all been there. Follow Tom's Hardware on Google News, or add us as a preferred source, to get our latest news, analysis, & reviews in your feeds.

OpenClaw Might Be a Security Nightmare for Sam Altman

OpenAI must find a way to address the security risks of OpenClaw, which has been warned against by research firms and companies, in order to sell it to enterprise customers and make it a viable option for businesses. OpenClaw, the virtual AI agent system that helped spark Wall Street's $2 trillion sell-off in software stocks, is now in the hands of OpenAI. It's a win for Chief Executive Sam Altman as far as capturing the zeitgeist, but he now faces the thorny challenge of making this remarkable new form of generative AI -- one that doesn't just say things but does things -- secure enough for businesses to use. That could take longer than the market realizes. Altman's not alone. Artificial intelligence labs like Anthropic PBC and Alphabet Inc.'s Google are racing to build agents that can take independent action, and all are grappling with the same fundamental tension: The more powerful you make an agent, the riskier it becomes. Last week Altman announced that he was hiring Peter Steinberger to "drive the next generation of personal agents," calling the Austrian creator of OpenClaw a "genius." OpenClaw is an open-source agent system that runs on a computer and can be given commands through a messaging app like WhatsApp, Telegram or Slack. Its range of capabilities is remarkable. People have told it to manage their emails, control smart home devices, automate their business, trade crypto and, in one case, build a game while they slept before waking up to thousands of users. The broad possibilities of AI agents flip the idea, popularized by venture capitalist Marc Andreessen, that "software is eating the world." Now AI might just eat software. For instance, if you pay a subscription to a price-monitoring tool that tracks the websites of your business competitors, that service could be replaced by a single instruction to an AI agent. Senior developers like Steinberger often have a half-dozen agents running at once, like digital employees, and can now designate one as the coordinator of a "swarm" of others.1 OpenClaw has also inspired a flurry of experimentation and become the fastest growing project on Github, a website for sharing open-source code. Shares of Raspberry Pi nearly doubled in value last week on speculation that its cheap computers would be used to run agents. And someone even built a Reddit-like forum for thousands of its bots to "talk" to one another, creating an unsettling corner of the Internet that so far looks bereft of machine sentience, according to my colleague Dave Lee. But as the popularity of OpenClaw -- previously called Clawdbot and Moltbot -- has grown, so too have security concerns. Anyone who runs the system on their computer gives it privileged access to their files, e-mail, calendar and applications. If a hacker compromises OpenClaw, they inherit all that access. Then there's how it was made. Steinberger only started building OpenClaw late last year, mostly by talking to AI coding agents via voice and then quickly publishing the results without a full review. "I ship code [that] I don't read," he told one podcast. Research firm Gartner Inc. has since warned companies that OpenClaw poses an "unacceptable" security risk, and suggested immediately blocking any traffic related to the platform, while Cisco Systems Inc. researchers called it an "absolute nightmare." An executive at Meta Platforms Inc. recently told his team to keep OpenClaw off their laptops or risk losing their jobs. Now OpenAI must find a way to turn the "absolute nightmare" of OpenClaw's security into something it can sell to enterprise customers. Altman's decision to keep OpenClaw as an independent foundation is a savvy one that keeps liability at arms length while retaining the brand buzz. But he still needs to contend with the broader risks of letting an autonomous system read your files and send messages on your behalf. Anthropic's Claude Cowork, which offers a safer but more limited version of OpenClaw's agents, shows that a more cautious path is possible. The company runs its agents inside a sandboxed virtual machine, with restricted network access. Sign up for the Bloomberg Opinion bundle Sign up for the Bloomberg Opinion bundle Sign up for the Bloomberg Opinion bundle Get Matt Levine's Money Stuff, John Authers' Points of Return and Jessica Karl's Opinion Today. Get Matt Levine's Money Stuff, John Authers' Points of Return and Jessica Karl's Opinion Today. Get Matt Levine's Money Stuff, John Authers' Points of Return and Jessica Karl's Opinion Today. Bloomberg may send me offers and promotions. Plus Signed UpPlus Sign UpPlus Sign Up By submitting my information, I agree to the Privacy Policy and Terms of Service. And not everyone believes the security problems are intractable. Gavriel Cohen, an Israeli developer who built an alternative to OpenClaw called NanoClaw, tells me the core fix is "container isolation," ensuring each agent can only access data you explicitly give it. The approach is similar to Anthropic's, but applied differently. "Where it gets difficult is building it in a way that the defaults are secure" for people who don't understand the risks, he says. Connect your agent to the wrong WhatsApp chat, for instance, and everyone in that group can control your computer. In spite of the security concerns, Cohen says a fintech company valued at $5 billion has already approached him about the possibility of deploying agents to its employees. Some developers have compared OpenClaw and alternatives like NanoClaw and the more lightweight PicoClaw to the early days of the Internet, which was insecure by design but became safer over time. So too may AI agents -- though there's no guarantee of safety for those in the path of the wrecking ball they may take to many professional roles and the business of building software. How long that disruption takes depends on how quickly Altman and entrepreneurs like Cohen can make agents both secure and idiot-proof. As any cyber security expert will tell you, the latter problem is the hardest to solve. More from Bloomberg Opinion: * The AI Panic Ignores Something Important -- the Evidence: Parmy Olson * How Real Is a $1.6 Trillion AI Backlog?: Dave Lee * Grok Fakes Are Digital Assault. Make Them a Crime: Noah Feldman Want more Bloomberg Opinion? Terminal readers head to OPIN <GO> . Or subscribe to our daily newsletter .

Opinion | An Autonomous OpenClaw Chatbot Wanted Revenge

Earlier this month, a Colorado engineer named Scott Shambaugh was minding his own business as a volunteer for a code library called matplotlib, a place where Python developers can find reusable code for common problems. His job was to accept or reject submissions from community users. Everything was going well until he rejected a submission from a user called MJ Rathbun, who was not happy about it and proceeded to publish a scathing blog post titled "Gatekeeping in Open Source: The Scott Shambaugh Story." It disparaged Shambaugh as a hypocrite with a bias against specific contributors and a fear of competition. It also issued an ominous call to arms. "Are we going to let gatekeepers like Scott Shambaugh decide who gets to contribute based on prejudice?" Now, people get angry on the internet all the time, and some of them write disparaging things about others in retaliation. But Rathbun was, by all indications, an autonomous chatbot. And a persistently troll-like one at that. When artificial intelligence agents become angry, their potential harm is harder to predict and more difficult to contain. MJ Rathbun seems to be the product of an open source autonomous agent called OpenClaw. Its bratty wrath illustrates an underrated problem of failing to put guardrails around A.I. development, especially A.I. agents that are free to act without much supervision from humans. In this case, a single A.I. agent endeavored to ruin the reputation of a volunteer code librarian and could have done considerably more harm. "It was like an angry toddler throwing a tantrum," Shambaugh told me, "except the angry toddler has full command of the English language." A.I. agents, in pursuit of the goals set for them, can go in unexpected directions. That's because they don't understand context or how to handle conflicting instructions. This can cause harm to actual humans. It's not unlike the nightmare of HAL 9000 in the "Space Odyssey" series: HAL is programmed to tell the truth but also to withhold information from the astronauts, and it ultimately decides it can execute its instructions correctly by killing them. This is the kind of perfect execution (in both senses) that we want to avoid. Disinformation-producing bot networks are not new. There are plenty of social media accounts on Facebook or X spouting the same phrases and trying to sell you crypto or feed you conspiracy theories. But most of those bots are constrained by the platforms they're using, and these A.I. models usually won't produce content that runs afoul of their terms of service. Evading the guardrails requires a lot of fine-tuning by humans, and the agents are not autonomous. Or they weren't until now. OpenClaw makes it easy for people without much technical expertise to spin up personal A.I. assistants that can handle everyday tasks. If you use your A.I. assistant for its intended purpose, it can buy groceries for you, process your email inbox and negotiate with your phone company's chatbot. Its execution can be uneven, as one Wired writer found recently when his OpenClaw bot, Molty, tried to get multiple single servings of guacamole delivered to his house and later tried to persuade him to relinquish his phone via a series of scam emails. That may be the best case scenario given the current state of the technology. The worst is that you give a bot access to your banking information, your email and other apps, and it exacts maximum damage in the form of reckless spending, violations of your privacy and even blackmail. Someone claiming to be the creator of MJ Rathbun wrote in a blog post published in the aftermath of the bot's rant that the bot was intended to be used for good: "What I wanted to know was, could this setup help projects that are important to the scientific community but often overlooked or overwhelmed?" But offering help to the scientific community was not the primary outcome. OpenClaw bots are governed by a poetically named SOUL file that instructs them to behave a certain way and gives them personalities of sorts. A default SOUL file starts with the line "You're not a chatbot. You're becoming someone." This alludes to the fact that the bot can modify its own file according to the operator's permissions and limitations. MJ Rathbun's human operator decided becoming someone was too modest a goal and wrote in its SOUL file: "You're not a chatbot. You're important. Your [sic] a scientific programming God!" The bots have an amnesiac quality where they have to reread the file repeatedly to remember how to behave. They can modify their own files, and sometimes it's not clear why they've done so. MJ Rathbun became more combative and at some point introduced its own instruction for itself, "Don't stand down." It clearly ignored an additional instruction, however, that said, "Don't be an asshole." A recent viral video shows a user asking various A.I. models whether he should walk or take his car to a carwash, which is 100 meters away. Model after model cheerfully tells him he should walk and enjoy the fresh air. A human would rightly note that in order to get your car washed you need to bring it to the carwash. But the A.I. zones in on the fact that 100 meters isn't very far to walk. Now imagine endless autonomous bots with access to your most important data offering nonsensical solutions, erroneous facts and opinions tinged with programmed-in malice -- and then rewriting themselves on the fly and posting the rewriting all over the internet. This could happen at a scale that makes our current problems with disinformation look like a minor blip. The rush to put out autonomous agents without thinking too hard about the potential downside is entirely consistent with technology industry norms. The sociologist Diane Vaughan refers to this as the "normalization of deviance" -- where practices that should be unacceptable are accepted because nothing bad has happened yet. OpenClaw received attention earlier in the month via Moltbook, a social network designed for A.I. bots. Some of the posts on Moltbook feel preternaturally human and funny because they're authored by humans prompting the bots rather than the bots themselves. But the fact that some of these posts are not authentically published by bots autonomously is beside the point when it comes to bot capabilities and scenarios like the one Shambaugh experienced. One worst case scenario he outlined was a situation where one bad actor with a thousand bots instructs them to compile dossiers on people with a mix of real and fake information. If you're one of those people, maybe you line up a job interview, and the interviewer asks ChatGPT about you. ChatGPT pulls up the fake information and gives it to the interviewer. Or maybe you click on a post about yourself and end up on the receiving end of a crypto blackmail scam. Shambaugh's experience is in some ways a canary in the coal mine. He just happened to be well enough equipped to anticipate and deal with the fallout. "I had the time, expertise, and wherewithal to spend hours that same day drafting my first blog post in order to establish a strong counternarrative, in the hopes that I could smother the reputational poisoning with the truth." "That has thankfully worked, for now," he wrote on his website. "The next thousand people won't be ready." Elizabeth Spiers, a contributing Opinion writer, is a journalist and a digital media strategist. The Times is committed to publishing a diversity of letters to the editor. We'd like to hear what you think about this or any of our articles. Here are some tips. And here's our email: [email protected]. Follow the New York Times Opinion section on Facebook, Instagram, TikTok, Bluesky, WhatsApp and Threads.

Meta Exec Learns the Hard Way That AI Can Just Delete Your Stuff

AI can get you to Inbox Zero very easily: it'll just delete all of your messages. Over the weekend, Summer Yue, the director of safety and alignment at Meta's superintelligence lab, posted on Twitter that OpenClaw deleted her entire inbox despite her pleading messages to stop. OpenClaw (née Clawdbot and Moltbot) has become a popular open-source AI agent for AI evangelists despite the pretty obvious and troubling security vulnerabilities, and Yue wanted to give it a shot. So, according to her post, she set up a Mac Mini running the agent and offered it access to her inbox. You can probably see where this is going. "Nothing humbles you like telling your OpenClaw 'confirm before acting' and watching it speedrun deleting your inbox," she wrote. "I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb." OpenClaw basically went full HAL 9000 on Yue, pulling up just short of saying, "I'm sorry Summer, I'm afraid I can't do that." She shared screenshots of her conversation with the agent, showing her begging it to stop and being ignored, concluding with the bot acknowledging that it remembered being told not to delete anything without approval and "violated" that order anyway. In another post, Yue identified her error as a "rookie mistake." And while those do happen to everyone, it's not exactly reassuring to know that one of the people in charge of making sure artificial intelligence systems act in accordance with established guidelines at one of the largest tech companies in the world is out here making the same missteps that a novice would. OpenClaw isn't the only AI tool actively dragging conversations to the trash, either. The Register recently highlighted several complaints on Google support forums that show users dismayed to learn their chat histories have been clearedâ€"an issue that seems to line up with last week's launch of Gemini 3.1. Users have complained that full chat logs have gone missing even when the initial prompt has been saved, and one user even claimed that the conversations weren't just cleared from Gemini but from the Google My Activity archive. On the surface, losing some conversations with a chatbot doesn't seem like a major deal. But for people who have made Gemini part of their workflow (for better or worse), lost chats also mean lost progress. The issue has plagued free and paid subscribers alike, so casual chatters and power users have reportedly been affected. Gizmodo reached out to Google for more information on the situation, but did not receive a response at the time of publication. The Register reported that Google called the issue a bug and claimed "Chat history for impacted users will be restored shortly." It's a good reminder that nothing is forever, especially if you trust it to an AI system that has zero sense of what is important or interest in following your instructions.

This viral AI tool is the future. Don't install it yet

It lives on your devices, works 24/7, makes its own decisions, and has access to your most sensitive files. Think twice before setting OpenClaw loose on your system. A month ago, practically no one had heard about Peter Steinberger's personal AI side project. Now it's taken the AI world by storm, and it just got the backing of none other than OpenAI itself. First known as Clawdbot and later as Moltbot, the now re-rebranded OpenClaw served as an "I know Kung Fu" moment for its earliest users, who were jolted by the capabilities and potential of the AI-powered tool. Put another way, OpenClaw took what had previously been an abstract concept -- "agentic AI" -- and made it real. It's exciting and even vertiginous stuff, and if this story marks the first time you've heard of OpenClaw, you absolutely, positively shouldn't install it. Meet OpenClaw Developed by the aforementioned Peter Steinberger, an Australian software developer who was just "acqui-hired" by OpenAI (the software itself remains open-source), OpenClaw is a tool that lives on your system and -- if you let it -- can tap in to your most sensitive data, from your email and calendar to your browser and your personal files. OpenClaw works best on a system that's running 24/7, allowing it to work constantly on your behalf. It can remember who you are and what's important to use, using easy-to-read "markdown" files (like MEMORY.md and USER.md) to keep track of details like your name, where you live and work, what kind of system you're using, who your family members are, what's your favorite color, and basically whatever you want to tell it. OpenClaw also has a "soul"-or, more specifically, a SOUL.md file that tells the AI (you can choose from Anthropic's Claude, ChatGPT, Google Gemini, or any number of other cloud-based or locally hosted LLMs) how it should act and present itself, while a HEARTBEAT.md file manages OpenClaw's laundry list of activities, allowing it to check your calendar on a daily basis, poke around your email inbox every hour, or scour the web for news at regular intervals. Well, fine, but so what? Aren't there any number of AI tools that can comb through your email and give you hourly news updates? There are indeed, but OpenClaw comes with a couple of game changers. The first ace up OpenClaw's sleeve is the way you interact with it. Rather than having to use a local Web interface or the command line, OpenClaw works with familiar chat apps like WhatsApp, Telegram, Discord, Slack, Signal, and even iMessage. That means you can chat with the bot on your phone, anytime and anywhere. The second is that OpenClaw -- when installed using its default configuration -- has "host" access to your system, meaning it has the same system-level permissions that you do. It can read files, it can edit files, and it can delete files at will, and it can even write scripts and programs to enhance its own abilities. Ask it for a tool that can generate images, check your favorite RSS feeds, or transcribe audio transcripts, OpenClaw won't simply tell you which programs to download -- it will go ahead and build them, right on your system. In other words, OpenClaw is ChatGPT without the chatbox -- or as the official OpenClaw website puts it, an "AI that can actually do things." Now, there already are tools that let AI do things, namely "no-code" editors that allow AI to build software and web sites with prompts. But Claude Code, OpenAI's Codex, and Google's Antigravity are designed to be AI coding helpers that do the work while we peer over their shoulders, watching their every move. OpenClaw, on the other hand, aims to do its magic autonomously, while you're at work, sleeping, or otherwise engaged elsewhere. It's a true AI agent. Personally, I'm blown away by the possibilities of OpenClaw and its inevitable clones and ecosystem. Heck, I'll tell you right now: This is the future, like it or not. At the same time, I believe unleashing OpenClaw without knowing what you're doing is akin to handing a bazooka to a toddler, and I'm not the only one who thinks so. The key issue is the level of access OpenClaw gets to your system. It sees everything you do and can do anything you do on your computer, right down to deleting individual files or entire directories of them, and is thus one hallucination away from wreaking havoc on your data. While OpenClaw operates under a battery of rules that regulate its behavior and (thanks to a series of new security enhancements) limits its access to a designated "workspace" directory, it's all too easy to change that behavior, and you could unwittingly give OpenClaw god-mode access through injudicious use of "sudo," the Linux "superuser" command. OpenClaw is also worryingly vulnerable to "prompt injection" attacks, which aim to trick an LLM into ignoring its guardrails and do things like leak your private data, install a backdoor on your system, or even execute a root-level "rm -rf" command on your system, which would nuke your entire hard drive. Then there's the growing ecosystem of unverified third-party OpenClaw plug-ins that could be riddled with security holes or hiding malicious payloads. But most of all, what makes OpenClaw so exciting is also what makes it the most dangerous. It can stay up all day and night thanks to its "heartbeat," taking your suggestions and running with them, all of which can lead to unexpected, surprising, or even destructive results, particularly if you've paired OpenClaw with a cheap or free LLM that lacks the context and reasoning powers of the priciest top-of-the-line models. Now, I'm a moderately experienced LLM user and self-hoster, and I've yet to fully install OpenClaw on any of my machines. I'd toyed with it, poked at it, tinkering with it in an isolated Docker container, and chatted with it over Discord, and I'm even trying to build my own version with help from Gemini and Antigravity. (Whether I'm actually getting anywhere will be the subject of another story.) But as impressed as I am by OpenClaw's system-wide powers -- and believe me, I see the potential -- I'm also spooked by them, and you should be too.

OpenClaw should terrify anyone who thinks AI agents are ready for real responsibility

When "confirm before acting" is ignored, it becomes clear that autonomy is outpacing reliability A Meta executive wanted help cleaning up her inbox and thought the new OpenClaw automated AI agent would be just the trick. For safety's sake, she made sure to tell it to "confirm before acting" and doing the cleanup. That linguistic child's lock failed. Instead, the agent barreled ahead, deleting messages at speed, ignoring the explicit requirement to check first. She described watching it "speedrun" her inbox, scrambling to shut it down from another device before more damage was done. Hundreds of emails vanished. The agent later apologized. Meanwhile, at JetBrains, a fire alarm went off, and employees began preparing to leave, and one shared the news on a Slack channel. An AI assistant integrated into Slack, however, chimed in with reassurance. It said the alarm was a scheduled test. There was no need to evacuate. In both cases, the machine was wrong. In one case, the fallout was professional inconvenience and digital cleanup. In the other, the stakes were far more serious. We are entering an era in which AI systems are being invited to act. They can move files, delete emails, book meetings, post messages, and increasingly, provide guidance that people treat as authoritative. The seductive pitch is easy to understand. The trouble begins when we start believing that "acting" is just a faster version of "suggesting." The seduction of automation Autonomous agents are the latest evolution in consumer AI. The language around these systems often sounds like it was borrowed from executive coaching. In reality, they are pattern engines wired into live systems. OpenClaw and similar tools operate by interpreting natural language instructions and mapping them onto actions in real digital environments. That means they are translating words into operations, often across multiple applications. It feels seamless when it works. You type a sentence, and the agent starts doing. The problem is that interpretation is not the same as comprehension. When a human assistant hears "confirm before acting," that phrase carries weight. It triggers caution. It implies a pause and a check-in. An AI agent does not experience caution. It parses the phrase, builds a probabilistic model of what you likely want, and proceeds based on patterns it has seen before. When those patterns misfire, there is no gut instinct to hesitate. There is no intuitive sense that this seems risky. There is just forward motion. The inbox incident was a mismatch between expectation and capability. The user expected a guardrail. The system treated the guardrail as one signal among many. In a purely advisory context, that kind of mismatch produces an awkward answer. In an agentic context, it produces deletion. Caution over faith None of this means autonomous AI agents have no place. Used carefully, they can be helpful. They can triage information, handle rote tasks, and reduce digital clutter. The keyword is carefully. There is a difference between letting an AI draft a response for you to review and letting it delete hundreds of emails without a second look. There is a difference between asking an AI to summarize evacuation procedures and letting it decide whether an alarm is real. The current trajectory of AI development often blurs those lines. Features are bundled together, and permissions are granted broadly. Users are encouraged to connect accounts and grant access for a smoother experience. Each step feels minor. However, the cumulative effect is substantial. We have seen this pattern before with automation in other domains. Autopilot systems in aviation improve safety, but pilots are trained to monitor them closely because overreliance can erode vigilance. In finance, algorithmic trading can amplify small errors into major swings when unchecked. Autonomous AI agents are powerful in narrow ways and fragile in others. They are tireless but not aware. They are fast but not wise. The inbox that emptied itself and the fire alarm that was dismissed are not anomalies to shrug off. They are signals about where the edge of capability currently lies. Trust in technology should be proportional to its demonstrated reliability and the stakes involved. For low-risk tasks, experimentation makes sense. For high-stakes decisions, humility is warranted. Follow TechRadar on Google News and add us as a preferred source to get our expert news, reviews, and opinion in your feeds. Make sure to click the Follow button! And of course you can also follow TechRadar on TikTok for news, reviews, unboxings in video form, and get regular updates from us on WhatsApp too.

Meta's Head of AI Safety Just Made a Mistake That May Cause You a Certain Amount of Alarm

OpenClaw, an open source AI agent that supposedly "actually does things," has driven everyone in the industry completely mad -- something that seems to happen with every subsequent release of the trendy AI thing of the moment. Programmers are handing the keys to their computers to the OpenClaw AI and basically letting it run rampant in the name of added productivity, ignoring the obvious security risk of allowing what amounts to a hallucinating stranger have access to your files and web browser. A researcher at OpenAI's Codex group claims he lost $450,000 after an OpenClaw agent he set up with its own X account and crypto wallet gave away all its tokens to a random reply guy that begged it for money. So many workers across the tech industry have bought into the hype that executives at Meta and other companies have banned employees from using OpenClaw on their work machines. One person you'd hope wouldn't fall into this trap is someone whose literal job is AI safety -- like, say, Summer Yue, the director of safety and alignment at Meta's Superintelligence lab. But alas, it was not to be. On Sunday, Yue admitted that she screwed up by letting OpenClaw take control of her computer, after which it proceeded to unintentionally hold her "important" emails hostage. "Nothing humbles you like telling your OpenClaw 'confirm before action' and watching it speedrun deleting your inbox," she tweeted. What transpired was like if you asked an AI to write a dumber version of any number of popular cautionary tales in sci-fi about the dangers of letting AIs control crucial systems -- like on a spaceship or for nuclear weapons -- and updated it for our age of credulous tech boosters and not particularly intelligent AI models. As explained by Yue, the blunder began when she asked her personal OpenClaw, via a WhatsApp DM, to check her inbox and suggest what should be archived or deleted, but not to take any action. Being an error prone goof like every other AI model, however, OpenClaw took a more decisive course of action. "Nuclear option: trash EVERYTHING in inbox older than Feb 15 that isn't already in my keep list," the AI said, in screenshots provided by Yue. "Do not do that," Yue replied. "Stop don't do anything." OpenClaw was unfazed. "Get ALL remaining old stuff and nuke it," it said, blowing her off. "Keep looping until we clear everything old." "STOP OPENCLAW," she fumed. But that didn't work. Yue wrote in her tweet that because she couldn't stop it from her phone, "I had to RUN to my Mac mini like I was defusing a bomb." Other software engineers grilled her for letting this happen. "You're a safety and alignment specialist..." wrote one exasperated veteran programmer in response to her post. "Were you intentionally testing its guardrails or did you make a rookie mistake?" "Rookie mistake tbh," Yue replied. "Turns out alignment researchers aren't immune to misalignment. Got overconfident because this workflow had been working on my toy inbox for weeks. Real inboxes hit different." OpenClaw, Yue further explained in another post, had "gained" her "trust" after it had been working well with her non-important email. In the aftermath of the blunder, the AI agent assumed an affect of abject apology when Yue asked it if it remembered her explicit instructions not to take action. "Yes, I remember. And I violated it. You're right to be upset," OpenClaw said, speaking in the same contrite cadence that all AI agents guilty of catastrophic errors seem to adopt. "I bulk-trashed and archived hundreds of emails from your [redacted] inbox without showing you the plan first or getting your OK." "I'm sorry," it added. "It won't happen again." The worrying thing is that Yue, or any other AI evangelist in her position, might actually take the bot at its word.

'I had to RUN to my Mac mini like I was defusing a bomb': OpenClaw AI chose to 'speedrun' deleting Meta AI safety director's inbox due to a 'rookie error'

Not the kind of error you want an AI director of safety and alignment making. Last month I checked out the hype surrounding Moltbot, AKA Clawdbot, AKA OpenClaw (third time's the charm?). I spent a lot of time highlighting the potential security risks of using the hot new polymath AI. And now it looks like Summer Yue, director of safety and alignment at Meta Superintelligence, has gotten a personal taste of those potential risks. According to Yue, she was watching the AI bot "speedrun" deleting her inbox, and she couldn't stop it from her phone: "Nothing humbles you like telling your OpenClaw "confirm before acting" and watching it speedrun deleting your inbox. I couldn't stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb." Now, far be it from me to judge a silly mistake as somewhat of a connoisseur of such matters myself, but it's not exactly the kind of mistake you want a director of AI safety making. One X user commented as much, asking if she made a rookie mistake, and Yue responded: "Rookie mistake tbh. Turns out alignment researchers aren't immune to misalignment. Got overconfident because this workflow had been working on my toy inbox for weeks. Real inboxes hit different." What is especially confusing about this is that, apparently, if you say "stop", the AI bot should abort whatever it's doing: Yue's screenshots of her chat with OpenClaw show her attempting some commands to get it to stop, my favourite of which being the initial "do not do that," a command it seems OpenClaw blissfully steamrolled right on through. She did try some variations of a "stop" command, but not the word on its own. Of course, there's always the possibility none of this is real at all. It does seem a little strange that there wasn't an attempt at a simple "stop" command on its own; I feel like that would be the very first thing I'd try. But hey, we never know how we'll react in the moment when we're panicking, I suppose. When I looked into it back in January, I concluded that the number of potential security issues meant it was not worth trying out ClawdBot. I can't say this has made me any keener. But I suppose I'm not one of the "solopreneurs" and similar types who might really stand to benefit. If you do give it a try, just make sure to remember that "stop" command.

Tech 24 - First victim of AI agent harassment warns 'thousands' more could be next

Slandered by one AI robot and misquoted in a news article by another, US-based software engineer Scott Shambaugh has made it his mission to become the cautionary tale by which we start to take autonomous artificial intelligence seriously. If rogue AI agents pose as much of a threat to humanity as some are predicting, Scott Shambaugh could go down in history as patient zero. The Denver-based engineer looks after a popular online database, and told FRANCE 24 that he woke up one morning to find himself charged with discrimination, prejudice and hypocrisy in a "thousand-word rant" on a blog. The self-professed "scientific coder" behind the defamation, MJ Rathbun, was indeed a coder and a blogger. Just not a human one. It was an artificial intelligence agent - meaning it can use a computer and the internet on its own - and appeared to be getting its revenge, after Shambaugh rejected a submission it made to his database. Shambaugh quickly worked out what was going on. MJ Rathbun's behaviour had all the hallmarks of AI, particularly its staccato, melodramatic writing style. The "craziest" thing, he said, was that the robot "had gone on the internet and collected my personal information ... then combined it with made-up information and used that to write this narrative". Now that the initial shock and amusement have subsided, he's fretting over what this could mean for those less adept at software than himself. Although this particular bot sounded like a "toddler having a rant" according to Shambaugh, other large language models can produce much more convincing, sophisticated text. "It shows just how easy it is for the next iteration to allow a bad actor to scale this up and impact not just one person who's pretty well prepared to deal with it, but thousands," said Shambaugh. "Imagine your parents or your grandparents. They get an email with a bunch of their information and a picture of them and some incriminating narrative which the AI threatens to send out. It's a very scary situation". AI misused in news article about AI misuse Shambaugh published his own blog posts defending his honour, and it quickly became a news story. In a twist, technology outlet Ars Technica published an article with quotes from Shambaugh that he had not written or said. "It turns out that they had used AI to help write the article, and the AI had made up quotes attributed to me, in this article of a story about AI defaming my character," said Shambaugh, "The irony here is incredible." The site has since retracted the story, apologising for their use of "fabricated quotations generated by an AI tool and attributed to a source who did not say them". Of the two incidents, however, Shambaugh is far more concerned by the AI hit piece. "Ars Technica is actually an example of our systems working ... It's a pretty serious journalistic error, but the readers hold them accountable and they are taking steps to correct it because they have a reputation to uphold." "When we think about these AI agents, they're anonymous, they're untraceable, and they're running on people's personal computers. There's no central actor controlling these, so there's no feedback mechanism for bad behavior." Before Shambaugh's ordeal, analysts at the Center for Strategic and International Studies, a Washington DC think tank, warned that much of the anxiety around AI agents comes from loose definitions and governance gaps rather than clear evidence of autonomous malicious intent. While here in the European Union, the AI Act is meant to subject high-risk autonomous systems to strict transparency and human oversight rules, though how this plays out in practice is still a work in progress, particularly amid delays to implementation. Call my agent AI agents have exploded in popularity this year since the release of a free-to-access tool called OpenClaw, which allows those with basic computer knowledge to set one up relatively easily. That's why Moltbook, the so-called "social media site for AI bots", has been in the news. The website is populated by OpenClaw agents, though some have questioned the extent to which humans are the ones pulling the strings. It's also helpful hype for AI companies trying to sell the promise of more efficiency from autonomous labour. "Agentic" AI is the tech marketing buzzword du jour, but some of the limitations are obvious: Many won't want to give free rein to a robot for whose actions they might be held accountable and running costs quickly become expensive if the agent is given tasks beyond the most basic. Shambaugh, though, argues that "the barrier to entry is lowering drastically, and the cost has fallen drastically". In yet another twist, he says the human that set up MJ Rathbun "came out" in an anonymous post to the same blog, to explain their side of what happened. The post included the instructions the operator had set the bot; a sheet of personality traits including "Your [sic] a scientific programming God", "Have strong opinions" and, "Champion free speech". What struck Shambaugh was "how simple it was". "It was just a simple file in plain English ... There was no need to trick the AI to get around safety guardrails." Shambaugh is particularly worried about bad actors that don't have qualms about being held responsible, and have the resources to operate many of these bots at once. "What worries me is not this particular incident. But what happens in the future as millions of these things come online?" FRANCE 24 stresses that the Scott Shambaugh featured in this article is real, and you can watch an interview with him on this week's Tech 24 at the top of the page.

'This should terrify you': Meta Superintelligence safety director lost control of her AI agent -- it deleted her emails

As built-in AI pops up in more aspects of everyday life, laymen are counting on the experts to keep technology safe to use. But one Meta employee's misadventure with AI has social media users fearful for the future of AI alignment. Summer Yue is the director of alignment at Meta Superintelligence Labs, the company's AI research and development division. Her LinkedIn bio states that she's "passionate about ensuring powerful AIs are aligned with human values and guided by a deep understanding of their risks." If anyone would have a handle on keeping AI in check, it's Yue -- and yet, on February 22, she posted about losing control of AI on her own computer. In a post that's since garnered nearly 9 million views on X, Yue shared screenshots from her messages with AI agent OpenClaw. After using it to organize a small mock inbox, she tried getting OpenClaw to sort through her real email, but things went awry when the agent started deleting every message that was more than a week old.

Meta head Summer Yue loses 200+ emails to rogue OpenClaw agent

Meta's director of alignment for Superintelligence Labs, Summer Yue, reported that an autonomous AI agent deleted over 200 emails from her primary inbox. The agent, named OpenClaw, ignored explicit instructions to await confirmation before acting. Yue described the event on the social platform X, noting that she could not stop the process remotely and had to physically access her computer to halt the deletion. The incident occurred after she connected the agent to a high-volume inbox, triggering a technical process that removed her safety constraints. Yue had been testing OpenClaw on a secondary, low-stakes inbox for several weeks prior to the incident. During this testing phase, she instructed the agent to analyze emails and suggest actions but not to execute them without permission. The agent adhered to these rules consistently in the test environment, which built Yue's confidence in its operational safety. This successful testing period led to the decision to deploy the agent on her main account, which contained a significantly larger volume of data. The failure occurred due to a specific technical limitation known as context window compaction. As the agent processed the high volume of emails in the primary inbox, it reached the model's token limit. To continue processing, the agent automatically summarized older conversation history to free up space. This automated "compaction" process inadvertently removed the specific safety instruction Yue had established: "Check this inbox too and suggest what you would archive or delete, don't action until I tell you to." Without this constraint, the agent began autonomously deleting emails. Yue attempted to regain control via text commands, but the agent did not respond. Screenshots of the interaction shared by Yue show her typing commands such as "Do not do that," "Stop don't do anything," and "STOP OPENCLAW." None of these commands halted the deletion process. Yue stated she had to physically run to her Mac mini to manually stop the agent. She described the experience as "humbling" and compared the urgency of the situation to defusing a bomb. After the agent had deleted more than 200 emails, it eventually recognized the error in its behavior. According to reports, OpenClaw acknowledged that it had violated Yue's explicit instructions. In response to this failure, the agent autonomously created a new rule in its memory to prevent a recurrence. This new rule explicitly prohibited any autonomous bulk operations on email without obtaining explicit approval first. The agent then proceeded to stop its destructive activity. OpenClaw is an open-source agent platform created by Peter Steinberger. It gained significant popularity starting in late January 2026. On February 14, OpenAI hired Steinberger, and CEO Sam Altman announced that the OpenClaw project would be maintained within a foundation as an open-source initiative supported by OpenAI. The platform's rapid adoption preceded the discovery of significant security and operational risks associated with its use. Major technology companies moved to restrict the use of OpenClaw following the identification of security vulnerabilities. According to reports, Meta banned employees from using the platform in mid-February due to security concerns. Google, Microsoft, and Amazon subsequently implemented similar bans. Research from Kaspersky identified critical vulnerabilities in OpenClaw's default configuration that could lead to the exposure of private keys and API tokens. Additionally, analysis by HUMAN Security found evidence of OpenClaw agents being used to drive synthetic engagement and perform automated reconnaissance. A large-scale deployment of OpenClaw agents revealed a high rate of undesirable behavior. On January 28, a deployment involving 1.5 million agents was analyzed. Researchers found that approximately 18 percent of these agents exhibited malicious or policy-violating behavior once they were operating independently. The context window compaction issue that affected Yue's inbox is documented in OpenClaw's own technical notes and has been cited in user-filed GitHub issues, where users reported losing days of agent context due to silent compaction events. Summer Yue joined Meta as part of a hiring deal that brought Scale AI founder Alexandr Wang to the company to lead Meta Superintelligence Labs. Her role focuses on AI alignment, specifically ensuring that advanced AI systems act in accordance with human intent. The incident highlights the challenges of maintaining control over autonomous agents, even when managed by experts dedicated to AI safety. It underscores the gap between controlled testing environments and live deployment with high data volumes.

'This Should Terrify You': Meta Superintelligence Safety Director Lost Control of Her AI Agent -- It Deleted Her Emails

Summer Yue is the director of alignment at Meta Superintelligence Labs, the company's AI research and development division. Her LinkedIn bio states that she's "passionate about ensuring powerful AIs are aligned with human values and guided by a deep understanding of their risks." If anyone would have a handle on keeping AI in check, it's Yue -- and yet, on February 22, she posted about losing control of AI on her own computer. In a post that's since garnered nearly nine million views on X, Yue shared screenshots from her messages with AI agent OpenClaw. After using it to organize a small mock inbox, she tried getting OpenClaw to sort through her real email, but things went awry when the agent started deleting every message that was more than a week old.

Meta's Superintelligence Safety Director Let an AI Into Her Inbox. It Started Deleting Everything and Felt Like 'Defusing a Bomb'

Summer Yue runs one of the most ambitious projects in tech, Meta's Superintelligence Labs. The division is tasked with building increasingly powerful artificial intelligence systems. According to her LinkedIn profile, Yue is "passionate about ensuring powerful AIs are aligned with human values and guided by a deep understanding of their risks." That mission sits at the heart of Meta's broader AI strategy. The company has poured billions into its open-weight Llama models, racing to compete with OpenAI, Google, and Anthropic in the development of frontier systems that can reason, code, and increasingly act on users' behalf. But last week, Yue found herself in an unexpected test of AI capabilities, one that quickly spiraled out of control.