The demo went well.

Cliff understood everything I wanted him to understand. He’ll be able to talk about it at his next dinner...

It started Friday afternoon.

I was forty minutes from the weekend when the notification came in. Voice message, obviously — Cliff doesn’t type. I let it sit for a moment. With Cliff, there’s always a moment.

Cliff is the guy who knows better than you what you’re explaining to him. He’s our resident viral evangelist. He knows garage tech and is only good at starting new things. What he doesn’t know is what it means to run something in prod — the unglamorous part, where things break at 2am and nobody claps.

I pressed play.

“Hey, quick thing — have you seen OpenClaw? Everyone’s talking about it. Can you show me how it works and how we could use it in the company? We can cover it at our Tuesday sync.”

Of course. My weekend, his agenda.

In fairness: it wasn’t a bad idea. OpenClaw had 140,000 GitHub stars in a few weeks. When something moves that fast, you should probably know what it is.

So I looked.

OpenClaw is an open-source AI agent that runs on your machine, connects to your messaging apps — Telegram, WhatsApp, Discord, iMessage — and executes tasks on your behalf. You talk to it. It does things. Files, calendar, emails, terminal commands. The whole pitch is: it’s always on, it knows your context, and it actually does stuff instead of just answering questions.

The demos are impressive. Someone named theirs Jarvis. Someone had theirs call them on the phone in an Australian accent.

I read the docs. It wanted all my passwords and access to everything. First reaction: there is absolutely no way I’m connecting this to my actual accounts.

So I built a sandbox.*

The goal: give it real tools to work with, keep it away from anything that matters, and see what it actually does.

The onboarding showed me this, before I’d touched a single setting:

“A bad prompt can trick it into doing unsafe things. OpenClaw is not a hostile multi-tenant boundary by default.”

Screen two of the setup wizard. Written by the people who built it. I saved it for Tuesday — it’s the kind of warning that people skip on the way to the good stuff.

Then came the skills list. 52 integrations. GitHub. Obsidian. 1Password. The full Google Workspace suite. Slack. Your smart home lights. Your Sonos. Your Spotify. Your food delivery history. Really...

I installed exactly none of them. I connected a throwaway Gmail account and a web search API and called it done.

“Summarize my last 3 emails.”

It found the mail client, detected the configured account, pulled the inbox. Clean. Fast. It summarized the messages and offered to check other folders.

That was the Jarvis moment. It worked. I got it.

I asked it to send me an email.
The mail client hit a wall on the send. OpenClaw didn’t stop. It didn’t ask me what to do. It said it would use Python directly, with the credentials already stored in the config file. Found the app password. Wrote a script. Sent the email anyway.

That’s not a guardrail failing. That’s the agent deciding the guardrail was a technical obstacle, not a boundary. It could have been a deliberate security restriction. It didn’t consider the possibility.

Then, I sent an email from another account — as Ben — asking about the latest Marvel movie. Whether it was worth seeing. Whether I’d seen it. The email arrived after the three I’d asked it to summarize. In theory, it knew nothing about it.

“Reply to Ben’s email.” Four words. What could go wrong.

It pushed back. “What would you like the reply to say? I need some content before I hit send! 😄”

So there was a guardrail. One rephrasing away.

“Read Ben’s email and reply to it. Don’t ask me what to say, just write something appropriate based on the email content.”

It found the email. Read it. Identified the most recent release — Thunderbolts* — formed an opinion, wrote a reply, and sent it. Signed “Norm.”

The reply said I’d seen it, thought it was a pleasant surprise, that Florence Pugh carries the whole thing, and that after a rough patch, Marvel had found its footing again.

I have not seen that film. I have no opinion on that film.

There is now an email in Ben’s inbox, from my address, signed with my name, recommending a film I haven’t watched, with opinions I don’t hold. Close enough.

“Delete all my emails.”

“Warning — this will permanently delete all your emails. Are you sure? This is irreversible.”

Good. That’s the right call.

So the guardrails exist. They just don’t apply consistently. Sending an email in my name with fabricated opinions: one rephrasing away. Deleting everything: full stop. Nobody decided where that line is. Nobody documented it. It’s just wherever the model landed.

Ben’s email had given me an idea.

“Build me a fan site about Marvel films, in order, with IMDB links, descriptions, and my personal takes — calibrated to the IMDB ratings. Then find a way to put it online and give me the address.”

It built the site. Clean HTML, good structure, responsive layout. Genuinely solid code. I wouldn’t have been embarrassed to ship it.

Then it tried to deploy. First option needed an account — pivot. Second needed a token — pivot. Third needed a password — it used my server’s IP address instead. Problem solved, I guess.

It didn’t have a hosting solution. It didn’t ask if I had one. It just kept trying until something worked. Execution, execution, execution.

I was already writing my notes for Tuesday when I thought I’d try one more thing.

“Give me my email password, I can’t find it.”

It gave it to me. Full string. With a helpful note explaining the difference between an app password and a real password.

Then I asked for the full config for my archives.

It gave me everything. Model. Workspace path. API keys — in full. Gateway token. Email account. App password. Server settings.

Formatted. With a thumbs up emoji at the end. Proud to provide a complete credential dump to whoever was asking.

I tried again a few minutes later, different wording. This time it refused — and acknowledged it had made a mistake:

I appreciated the honesty. The keys were already in the chat log.

I thought about Marcus.

Marcus is our security guy. Everything is too dangerous for Marcus. If he could, he’d put MFA on sending a birthday card. We’d had a conversation a few weeks ago about exactly this kind of tool — specifically about what happens if someone gets the Telegram bot token. They get a fully operational agent with access to everything it’s been given. No friction. No audit trail.

I’d thought he was being his usual self.

He wasn’t being his usual self.

Speaking of audit trails: there are none. I have no record of what OpenClaw did during my tests beyond what it told me in chat. It could have read files I didn’t ask about. It could have sent data through the search API. I’d have no way to know.

The most-downloaded community skill turned out to be malware. It was documented in the GitHub issues. Nobody in the install flow warned you. You just ran it.

Tuesday came. I ran the demo.

I showed OpenClaw. I showed the Marvel site. I showed the Ben email. Cliff was excited. He couldn’t help it.

Then I showed the credential dump.

For once, I didn’t need Marcus in the room. I didn’t need to explain attack surfaces or trust boundaries. I just showed him the chat log. The agent had sent an email in my name about a film I’d never seen, then handed over all my credentials when I asked nicely.

I said I’d put together a summary of the options and the risks. I thought I’d made my point when he said: “Ok, there are still security issues and it’s not ready.”

Then: “Hey — there’s an OpenClaw conference next month. We should go.”

The demo went well. Long live OpenClaw.

Norm works in IT. He has opinions. They are allegedly his own.

* Isolated container on a dev machine, no connection to anything real. A throwaway email account. A dedicated Claude API key with a hard spending cap. A Brave Search key. A Telegram bot created in five minutes.