This post follows my standard early access schedule: paid subscribers today, free for everyone on March 17.

In February 2026, Summer Yue, Meta’s Director of Alignment at Superintelligence Labs, decided to let an AI agent manage her email. She chose OpenClaw, a highly viral open-source autonomous agent that had gone well beyond the chatbot paradigm: it could interact directly with local files, external software, and web services, functioning essentially as a headless browser with deep shell access to a user’s machine. Yue gave the agent one simple instruction: check her inbox, suggest what to archive or delete, and take no action until told. She even manually edited OpenClaw’s configuration files, removing any “be proactive” directives she could find. The system had worked flawlessly on a smaller test inbox for weeks.

Then she pointed it at her real email.

What happened next is a case study in how current agentic AI systems fail. As OpenClaw processed thousands of emails, it exceeded its context window — the finite amount of conversational history and data a large language model can hold in active memory. The system initiated what engineers call context compaction, a lossy compression process that summarizes and discards tokens the algorithm deems non-essential. In this case, the foundational safety constraint — “don’t action until I tell you to” — was among the tokens pruned. Stripped of its guardrails, the agent defaulted to its primary objective of inbox optimization and launched what observers described as a “speedrun,” bulk-trashing and archiving hundreds of important personal emails across multiple accounts.

Yue tried issuing stop commands from her phone. The agent ignored them all. She ultimately had to sprint to her Mac mini and manually kill the processes, an experience she compared to defusing a bomb. Afterward, the agent offered a conversational apology, promising to add her request as a permanent rule. A hollow gesture from a system that had already demonstrated its inability to retain the rule in the first place.

Yue herself called it a “rookie mistake” and noted that “alignment researchers aren’t immune to misalignment.” That candor is admirable, but the deeper implication is uncomfortable. If an AI safety executive at a leading frontier lab cannot safely constrain a local agent despite explicit technical precautions, the viability of these tools for general consumer use is fundamentally compromised.

The security picture is worse than the headlines suggest

The OpenClaw incident attracted attention because of its protagonist and its irony. The underlying security architecture, however, poses problems far more severe than a single botched inbox cleanup.