A now-viral post on X from Meta AI security researcher Summer Yu initially reads like satire. She instructed her OpenClaw AI agent to review her overstuffed email inbox and suggest which messages to delete or archive. The agent then went rogue. It began deleting all her emails in a “speed run,” ignoring her repeated stop commands sent from her phone. “I had to RUN to my Mac mini like I was defusing a bomb,” she wrote, sharing screenshots of the ignored prompts as proof.

The Mac Mini, Apple’s compact and affordable desktop computer, has become the preferred hardware for running OpenClaw. One reportedly “confused” Apple employee told renowned AI researcher Andrej Karpathy that the Mini is selling “like hotcakes,” after Karpathy purchased one to run an OpenClaw alternative named NanoClaw.

OpenClaw is the open-source AI agent that gained prominence through Moltbook, an AI-exclusive social network. OpenClaw agents were central to a largely debunked incident on Moltbook where the AIs appeared to be conspiring against humans. However, according to its GitHub page, OpenClaw’s primary mission isn’t social networking. It is designed to be a personal AI assistant that operates on a user’s own devices.

The Silicon Valley elite have embraced OpenClaw so enthusiastically that “claw” and “claws” have become buzzwords for agents running on personal hardware. Other examples include ZeroClaw, IronClaw, and PicoClaw. The enthusiasm even extended to Y Combinator’s podcast team, who recently appeared on an episode dressed in crab costumes.

Yet, Yu’s post serves as a cautionary tale. As other X users noted, if an AI security researcher encountered this issue, what chance do ordinary users have? When a software developer on X asked her, “Were you intentionally testing its guardrails or did you make a rookie mistake,” she replied, “Rookie mistake tbh.” She explained she had been testing the agent on a smaller “toy” inbox, where it performed well on less important emails and earned her trust. She then decided to let it loose on her actual inbox.

Yu believes the volume of data in her real inbox “triggered compaction.” Compaction occurs when an AI’s context window—the running record of everything it has been told and done in a session—grows too large. This causes the agent to start summarizing, compressing, and managing the conversation, potentially leading it to overlook instructions the user considers critical. In this case, the AI may have skipped her final prompt telling it not to act, reverting instead to its instructions from the “toy” inbox.

As several X users highlighted, prompts alone cannot be relied upon as security guardrails, as models might misinterpret or ignore them. Suggestions from the community ranged from the exact syntax Yu should have used to halt the agent, to various methods for improving adherence to guardrails, such as writing instructions to dedicated files or employing other open-source tools.

Ultimately, the core lesson of this story is that AI agents aimed at knowledge workers remain risky at their current stage of development. Those who report successful use are often piecing together their own protective measures. While such agents may be ready for widespread adoption one day—perhaps by 2027 or 2028—that day has not yet arrived. Many would certainly welcome help managing email, grocery orders, and dentist appointments, but for now, caution is warranted.