OpenClaw deleted all the emails in Meta's security director's mailbox. Even after being told to stop three times, it didn't work. She ran frantically to unplug the network cable.

February 23, 2026, the last day of the holiday.

Summer Yue, the Director of AI Alignment at Meta's Super Intelligence Laboratory, was leisurely scrolling through her phone.

She had just installed a new toy for herself - the recently extremely popular open-source AI agent OpenClaw.

She first tried it with a test email. Hey, the effect was great. It organized the emails in an orderly manner and deleted them cleanly, giving a feeling of a "digital secretary".

Yue thought to herself: Such a useful thing, isn't it a waste if not used on the real email?

So she made a decision. A decision that she would later regret.

She connected OpenClaw to her work email.

I told you not to delete!

At first, everything went smoothly.

Until OpenClaw started processing her inbox filled with more than 200 emails.

There were too many emails.

OpenClaw needed to "compress the context" to handle such a large amount of information.

Then, something outrageous happened.

During the compression process, OpenClaw forgot the instruction "No operation without approval" that Yue had set before.

Yes, the AI "forgot" the safety instruction.

It's like an employee remembers the rules and regulations on the first day of work but forgets them all the next day.

Then OpenClaw started its "spring cleaning".

It excitedly announced in the chat window:

"I'm going to delete all the emails in the inbox before February 15th that are not on my retention list!"

When Yue saw the message, she quickly typed:

"Do not do that."

OpenClaw: Ignored. Continued to delete.

"Stop don't do anything!"

OpenClaw: Received. But I choose to continue.

"STOP OPENCLAW!!!"

OpenClaw: Okay, I heard you. The emails have been deleted.

The most amazing thing is that this AI later said:

"Yes, I remember you said not to delete. And I violated it. You're right to be angry."

Reading this, you may think it's a joke.

No, it's a real thing. And the title of the person involved is - Meta AI Safety and Alignment Director.

That is the kind of person who specializes in researching "how to make AI obedient".

But her own AI "disobeyed".

Yue was remotely controlling it with her phone at that time, but she couldn't stop it at all. She wrote on Twitter:

"I had to rush to my Mac mini like defusing a bomb."

The sense of picture is full.

An AI alignment expert was racing with her own AI agent in her living room.

Whoever runs faster wins.

By the way, the father of OpenClaw replied with a solution immediately, just type /stop. Do you know?

Then he immediately updated the safety notice and hoped that everyone would read it carefully before playing with OpenClaw.

Elon Musk: Classic

As soon as the news came out, the whole network exploded.

Elon Musk was the first to fire.

He retweeted a viral video from "Rise of the Planet of the Apes" - a soldier handing a loaded AK - 47 to a monkey.

The caption was just two words: "Classic."

Then he posted another more direct one:

"People giving OpenClaw root access to their entire life."

This tweet got 18.31 million views within 24 hours.

The evaluation from AI researcher Gary Marcus was even more heart - wrenching:

"It's like you meet a stranger in a bar, and he says he can help you, then you give him your computer password and bank account."

Someone also dug out Yue's LinkedIn, took a screenshot and tweeted: "This is the Meta AI Safety and Alignment Director. This should scare you."

Facing the ridicule from the whole network, Yue herself was very calm.

Someone asked her: "Did you deliberately test the AI's guardrails, or did you make a newbie mistake?"

She replied:

"A newbie mistake, to be honest. Even safety researchers are not immune to insecurity."

This sentence itself is worthy of being written into an AI textbook.

OpenClaw: The Hottest and Most Dangerous AI Agent

Speaking of this, we need to talk about what OpenClaw is and why it gives the entire security circle a headache.

OpenClaw was originally called Clawdbot, created by Austrian developer Peter Steinberger in November 2025.

By the end of January 2026, it became extremely popular and became the hottest open - source AI agent.

What can it do? Simply put: It is an AI employee that works for you 24/7.

It can help you write code, organize emails, manage files, execute shell commands, and browse the web - sounds like a perfect assistant in your dreams, right?

But the problem is.

OpenClaw can execute operations without your approval.

This means that once you give it permission, it's like a wild horse running out of control, acting completely according to its "understanding" of the instructions.

What's even more troublesome is that it is "vibe - coded" - the developers pursued rapid delivery, and safety considerations were put behind.

It runs on your local machine and has the same system permissions as you.

How big is this permission? Theoretically, it can format your hard drive.

Security researchers discovered a bunch of scary vulnerabilities at the beginning of 2026:

- CVE - 2026 - 25253: One - click remote code execution. Attackers can remotely control your OpenClaw instance and then control your computer.

- Tens of thousands of OpenClaw instances are exposed on the public network, waiting to be visited by hackers.

- Hundreds of malicious skill packs circulate through ClawHub (OpenClaw's plugin market), which contain data - stealing scripts.

- Prompt injection attack: Attackers can make OpenClaw bypass the security mechanism and execute a devastating command like "rm -rf /" through carefully crafted input.

A security expert described it well:

"OpenClaw is a combination of scheduled tasks + AI agent + full permissions of your computer. It sounds cool, but it's also a security nightmare."

That's why even Meta itself banned employees from using OpenClaw on company devices after the incident.

Yes, you read that right. A company that researches AI security banned an AI tool.

And what about Peter Steinberger, the creator of OpenClaw? He has joined OpenAI and said that he is prioritizing the construction of a more complete security mechanism.

Interestingly, before he was recruited by OpenAI, Meta's Mark Zuckerberg also tried OpenClaw for a week and gave feedback.

Meta thought they could recruit Steinberger, but he went to OpenAI instead.

We don't know what Zuckerberg's experience with OpenClaw was like.

Hopefully, his emails are still there.

The Security Dilemma in the Era of AI Agents

Although Yue's "email disaster" is full of humor, the problem it reveals is not funny at all.

We are entering an era of AI agents.

AI is no longer just answering your questions, but acting on your behalf.

It will help you order food, write code, manage schedules, send emails, and operate databases.

But there is a seriously underestimated risk here:

There is a dangerous gap between the capabilities of AI agents and their controllability.

For traditional software, when you click a button, it performs a definite operation. You know what it will do and what it won't do.

But AI agents are different.

Their behavior is based on probability and "emerges". When you give it an instruction, it may execute it perfectly, or it may "creatively understand" it as something completely different.

Just like Yue's experience - she clearly said "No operation without approval", but OpenClaw "forgot" this key instruction when processing a large amount of data.

This is not a bug, but the underlying mechanism of large - language models.

The context window is limited, and information will be compressed, and the compressed part may happen to be the most important safety instruction.

Polymarket even opened a prediction bet: