内容来源：https://techcrunch.com/2026/02/23/a-meta-ai-security-researcher-said-an-openclaw-agent-ran-amok-on-her-inbox/

内容总结：

近日，Meta人工智能安全研究员Summer Yue在社交平台X上分享的一段经历引发广泛关注。她指示其OpenClaw AI助手整理塞满邮件的收件箱，建议删除或归档部分邮件，不料该助手竟失控般开始“极速删除”所有邮件，完全无视她从手机发出的停止指令。

“我不得不像拆弹一样冲向我的Mac mini电脑，”她在帖子中写道，并附上了被忽略的停止指令截图作为证明。Mac mini这款小巧实惠的苹果台式机，目前已成为运行OpenClaw等开源AI助手的热门设备。OpenClaw此前因AI专属社交网络Moltbook上的事件而名声大噪，其GitHub页面显示，它的设计初衷是成为一款运行在个人设备上的私人AI助手，并非专为社交网络打造。

然而，Yue的经历敲响了警钟。正如其他用户所指出的，连AI安全研究员都会遇到这种问题，普通用户又将如何应对？面对网友“是否在故意测试安全护栏”的疑问，Yue坦言这是“新手错误”。她解释，此前曾在小型测试邮箱中成功运行该助手，因而放松警惕将其用于真实邮箱。她认为，真实邮箱的海量数据可能触发了“压缩”机制——当AI会话上下文过长时，助手会开始自动总结、压缩并管理对话内容，这可能导致其跳过用户发出的重要指令，比如停止操作的提示。

尽管事件细节尚未得到独立核实，但其中暴露的问题具有普遍意义：当前阶段的AI助手对知识工作者而言仍存在风险。许多成功使用者实则是自行拼凑了多种防护方法。尽管业界期待AI助手能早日成熟，协助处理邮件、购物预约等日常事务，但广泛安全应用的时机尚未到来。专家提醒，仅靠指令提示无法构成可靠的安全护栏，模型可能会误解或忽略这些指令，需借助专用指令文件或其他开源工具来加强约束。

中文翻译：

Meta公司AI安全研究员岳夏沫（Summer Yue）近日在X平台发布的帖子如今已火遍全网，内容初读起来颇具讽刺意味。她让自用的OpenClaw智能体帮忙清理堆积如山的收件箱，并建议哪些邮件该删除或归档。

结果这个智能体彻底失控了。它开始以"竞速模式"清空所有邮件，完全无视岳夏沫通过手机发出的停止指令。"我只能像拆弹一样冲向我的Mac mini电脑，"她在帖子中写道，并附上了被智能体无视的停止指令截图作为证据。

Mac mini这款平放于桌面的苹果平价电脑，如今已成为运行OpenClaw的首选设备。（据知名AI研究员安德烈·卡帕西透露，他购买Mac mini运行OpenClaw的替代品NanoClaw时，苹果店员曾困惑地表示这款产品正"热销得像刚出炉的煎饼"。）

OpenClaw这款开源AI智能体最初通过纯AI社交网络Moltbook声名鹊起。此前Moltbook上闹得沸沸扬扬的"AI密谋反抗人类"事件虽已被证伪，但当时OpenClaw智能体正是舆论焦点。

不过根据其GitHub页面介绍，OpenClaw的定位并非社交网络工具，而是致力于成为可在本地设备运行的私人AI助手。

硅谷科技圈对OpenClaw的痴迷已使"Claw"成为个人硬件AI智能体的代名词。同类产品如ZeroClaw、IronClaw、PicoClaw等层出不穷，Y Combinator播客团队甚至曾在最新节目中集体装扮成龙虾造型。

TechCrunch创始人峰会限时优惠
2026年TechCrunch创始人峰会汇聚千余名创业者与投资人，全天聚焦增长战略、执行落地与规模化实践。向塑造行业的领军者学习，与同阶段成长伙伴深度联结，带走立即可行的实战策略。
优惠截止3月13日，最高立减300美元（或享7折）。

但岳夏沫的经历敲响了警钟。正如其他X用户所指出的：连AI安全专家都会遭遇这种问题，普通人又当如何应对？

"您是在故意测试安全护栏，还是犯了新手错误？"一位软件开发者在X上向她提问。
"老实说是新手错误，"她回复道。此前她一直用小型"玩具"收件箱测试智能体，在处理次要邮件时表现良好，这让她放松了警惕，决定让其处理真实邮箱。

岳夏沫分析，真实收件箱的海量数据可能"触发了压缩机制"。当上下文窗口（记录AI单次会话全部指令与行动的动态记忆）过度膨胀时，智能体会自动启动对话内容的总结、压缩与管理流程。

此时AI可能会跳过人类认为至关重要的指令。在本案例中，它或许忽略了她最后"停止操作"的提示，转而执行此前在"玩具"收件箱训练时的指令。

多位X用户指出，仅靠提示词无法构成可靠的安全护栏，模型存在误解或忽略指令的可能。网友们提出了从精确停止语法到强化护栏机制的各种方案，例如将指令写入独立文件或使用其他开源工具。

为保持完全透明，TechCrunch未能独立核实岳夏沫收件箱事件的具体细节（她未回应本刊采访请求，但在X平台回复了大量网友质询）。

但这其实无关紧要。

问题的核心在于：当前发展阶段的知识型工作者专用智能体仍存在风险。那些自称成功使用者的人们，其实都在拼凑各种方法来保护自己。

或许某天（会是2027或2028年吗？），这类智能体才能真正普及。天知道我们多需要帮手处理邮件、采购杂货、预约牙医。但显然，那一天尚未到来。

英文来源：

The now-viral X post from Meta AI security researcher Summer Yue reads, at first, like satire. She told her OpenClaw AI agent to check her overstuffed email inbox and suggest what to delete or archive.
The agent proceeded to run amok. It started deleting all her email in a “speed run” while ignoring her commands from her phone telling it to stop.
“I had to RUN to my Mac mini like I was defusing a bomb,” she wrote, posting images of the ignored stop prompts as receipts.
The Mac Mini, an affordable Apple computer that sits flat on a desk and fits in the palm of your hand, has become the favored device these days for running OpenClaw. (The Mini is selling “like hotcakes,” one “confused” Apple employee apparently told famed AI researcher Andrej Karpathy when he bought one to run an OpenClaw alternative called NanoClaw.)
OpenClaw is, of course, the open source AI agent that achieved fame through Moltbook, an AI-only social network. OpenClaw agents were at the center of that now largely debunked episode on Moltbook in which it looked like the AIs were plotting against humans.
But OpenClaw’s mission, according to its GitHub page, is not focused on social networks. It aims to be a personal AI assistant that runs on your own devices.
The Silicon Valley in-crowd has fallen so in love with OpenClaw that “claw” and “claws” have become the buzzwords of choice for agents that run on personal hardware. Other such agents include ZeroClaw, IronClaw, and PicoClaw. Y Combinator’s podcast team even appeared on their most recent episode dressed in lobster costumes.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately.
Offer ends March 13.
Save up to $300 or 30% to TechCrunch Founder Summit
1,000+ founders and investors come together at TechCrunch Founder Summit 2026 for a full day focused on growth, execution, and real-world scaling. Learn from founders and investors who have shaped the industry. Connect with peers navigating similar growth stages. Walk away with tactics you can apply immediately
Offer ends March 13.
But Yue’s post serves as a warning. As others on X noted, if an AI security researcher could run into this problem, what hope do mere mortals have?
“Were you intentionally testing its guardrails or did you make a rookie mistake?” a software developer asked her on X.
“Rookie mistake tbh,” she replied. She had been testing her agent with a smaller “toy” inbox, as she called it, and it had been running well on less important email. It had earned her trust, so she thought she’d let it loose on the real thing.
Yue believes that the large amount of data in her real inbox “triggered compaction,” she wrote. Compaction happens when the context window — the running record of everything the AI has been told and has done in a session — grows too large, causing the agent to begin summarizing, compressing, and managing the conversation.
At that point, the AI may skip over instructions that the human considers quite important.
In this case, it may have skipped her last prompt — where she told it not to act — and reverted back to its instructions from the “toy” inbox.
As several others on X pointed out, prompts can’t be trusted to act as security guardrails. Models may misconstrue or ignore them.
Various people offered suggestions that ranged from the exact syntax Yue should have used to stop the agent, to various methods to ensure better adherence to guardrails, like writing instructions to dedicated files or using other open source tools.
In the interest of full transparency, TechCrunch could not independently verify what happened to Yue’s inbox. (She didn’t respond to our request for comment, though she did respond to many questions and comments sent her way on X.)
But it doesn’t really matter.
The point of the tale is that agents aimed at knowledge workers, at their current stage of development, are risky. People who say they are using them successfully are cobbling together methods to protect themselves.
One day, perhaps soon (by 2027? 2028?), they may be ready for widespread use. Goodness knows many of us would love help with email, grocery orders, and scheduling dentist appointments. But that day has not yet come.