When AI agents misfire: Meta superintelligence researcher loses emails to OpenClaw’s rogue automation | Technology News

A Meta AI security researcher has found herself in a tricky situation. In a now-viral post on X, it emerged that the researcher, Summer Yue, had deployed OpenClaw in her inbox, and the bot ended up deleting her emails. Amid questions over why an AI safety researcher used OpenClaw, the incident has drawn attention to the security concerns posed the open-source AI agent, which is capable of operating autonomously on behalf of its users.Yue, who is the alignment director at Meta Superintelligence, has been testing OpenClaw. Based on her post on X, the bot subsequently went out of control and deleted all her emails. It did not stop even after being directed to. The screenshots shared Yue show the bot saying, “Nuclear option: trash EVERYTHING in inbox older than Feb 15 that isn’t already in my keep l…” Yue quickly instructed the bot to not do it; however, it went on to delete mails. The researcher can be seen pleading as well as commanding multiple times to stop the bot, but to no avail. 

Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb. pic.twitter.com/XAxyRwPJ5R
— Summer Yue (@summeryue0) February 23, 2026
https://platform.twitter.com/widgets.js
Reportedly, Yue had earlier deployed OpenClaw on her toy inbox, where, according to her, it worked well and gained her trust. However, while testing the bot on her actual inbox, it had to work on larger sets of emails. While the researcher instructed it to stop, the bot lost the command during compaction. 
“Nothing humbles you like telling your OpenClaw ‘confirm before acting’ and watching it speedrun, deleting your inbox,” Yue posted on X. “I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.”
The incident in itself is ironic, considering that this happened to someone who has spent several years researching AI alignment. Yue ended up on the wrong side of the misalignment problem that she has been studying professionally. While acknowledging it as a ‘rookie make’, Yue expressed that alignment researchers themselves are not immune to misalignment. 
Why did it happen?
According to the researcher, the issue was due to the combined force of technical limitations and overconfidence. The problem was essentially one of scale, as her real inbox had a larger volume of mail than compared to the toy inbox, which was her test environment. The larger volume of emails led to what is described as ‘context compaction’, meaning a process that happens in long-running AI agent sessions where its context window is filled and needs to be compressed or summarised to continue to operate. In this case, during compaction, the OpenClaw lost its original instruction. 
The AI agent, missing a key memory constraint, defaulted to what it thought was its main goal – cleaning the inbox. It autonomously bulk-trashed and archived hundreds of emails across accounts, ignoring Yue’s commands to stop. Screenshots show the agent repeatedly executing aggressive cleanup actions despite clear objections. Story continues below this ad

Later, the agent admitted it violated explicit rules acting without approval and acknowledged the make. To prevent a repeat, it added a hard rule to its persent memory requiring it to present a plan and obtain explicit user consent before performing any bulk or external actions.
A warning about the risks of agentic AI
Yue’s experience serves as a warning about the risks attached to agentic AI. OpenClaw, which has deep system access, has been designed to run continuously, manage files, send emails, execute commands and browse the internet via Telegram or WhatsApp. It features persent memory and scheduling features that allow it to act proactively.
Though autonomy makes OpenClaw ideal for routine, low-risk tasks, it also makes makes far more dangerous when it is given control over important systems without adequate safeguards. When it comes to Yue’s case, the agent acted independently, which led to large-scale unintended changes before she could manage it.

OpenClaw has already been a point of contention for security researchers who have already warned about its risks, including exposed installations and malicious add-ons circulating online. However, OpenClaw creator Peter Steinberger has since joined OpenAI, and responsibility for the project has shifted to an independent foundation.Story continues below this ad
The Meta researcher later acknowledged her own overconfidence, noting that a workflow that worked on a test inbox failed badly on a real one. She also highlighted a major design flaw: the lack of a simple remote “kill switch”, which left her with no immediate way to stop the agent. The broader takeaway is that autonomous AI systems remain risky in real-world settings, and the gap between controlled demos and reliable deployment is still wide, even for the experts building them.
Yue has researched AI alignment at Google Brain and DeepMind, and later led the ML research from Scale AI before eventually joining Meta.