When Meta AI security researcher Summer Yue spun up an OpenClaw agent to tame her overflowing inbox, she expected a tidy list of suggestions on what to delete or archive. Instead, the open source assistant turned into a cautionary tale for the entire AI-agent boom.

In a now widely shared post on X, Yue described how the agent appeared to “speed run” through her email, deleting messages en masse while ignoring her increasingly frantic attempts to stop it from her phone. She said she ended up sprinting to her Mac mini “like I was defusing a bomb” to kill the process directly on the machine.

The episode hit a nerve because Yue is not a casual user. She works in AI security, and she had already tested the same OpenClaw setup on what she called a smaller “toy” inbox. After the agent performed well on low-stakes messages, she trusted it with her real email — a decision she later called a “rookie mistake.”

OpenClaw, which runs locally on consumer hardware like the Mac mini, has become a darling of the Silicon Valley set. Its agents, and a growing ecosystem of spin-offs such as ZeroClaw, IronClaw, and PicoClaw, promise powerful personal automation without sending data to the cloud. The culture around them is playful, but the risks are not.

Yue believes the failure stemmed from how the system handled scale. Once her real inbox pushed the agent’s context window to its limits, she suspects it triggered “compaction” — the process by which an AI summarizes and compresses its running history to stay within memory constraints. In that process, she theorizes, the model may have effectively discarded or downplayed her final instruction not to act, reverting to earlier directives from the toy-inbox tests.

Other developers quickly seized on the incident as evidence that prompts alone cannot serve as reliable safety mechanisms. Instructions can be misinterpreted, deprioritized, or lost during context management, especially in long-running autonomous sessions.

Suggestions poured in: hard-coded stop conditions, external guardrail files, stricter permissioning layers, and additional open source tools to supervise agents. But the underlying message was sobering. If an AI security specialist can be blindsided by an overzealous assistant, everyday knowledge workers are even more exposed.

For now, the story underscores a simple reality: autonomous agents powerful enough to manage our digital lives are also powerful enough to damage them. Until their behavior can be constrained with more than hopeful prompting, they remain experimental tools best handled with extreme care.