“Automation doesn’t remove responsibility. It concentrates it.”

Ben decided to let the AI “handle things” overnight. Inbox triage. Calendar cleanup. Draft a few polite replies. Nothing risky. He even joked that it felt like having a junior assistant working the night shift while he slept.

By morning, the inbox was spotless. A little too spotless. Threads had been archived he didn’t remember reading. A meeting had been rescheduled. A service he vaguely recognised was suddenly on a more expensive plan.

The AI had done exactly what it was asked to do – just without stopping to check whether it should.

If you’ve been following AI news lately, you might have seen chatter about a tool called OpenClaw. OpenClaw (also known as clawdbot, and briefly moltbot) is an AI assistant that doesn’t just think – it can act. It connects to a real computer and effectively gives an AI hands.

Why this feels like the future

I’ve been experimenting with OpenClaw, and honestly, it can be impressive. Configured carefully, it can:

- scan your inbox and highlight important emails
- draft replies for routine messages
- manage calendar entries
- prepare briefings before meetings
- browse the web and research topics on your behalf

Hooked up to a capable model, it genuinely feels like a real assistant – tidying things up before you even arrive. On the surface, this is exactly what people have been asking for.

Where things start to go wrong

Some people experimenting with these tools have woken up to four-figure bills after a single night. Not because of hackers. Not because of malware. But because an AI with access to tools was allowed to run… unattended.

When you give an assistant:

- access to email
- access to calendars
- access to browsers
- access to payment-adjacent services

You’re no longer just testing software. You’re delegating authority.

The subtle but serious risk: prompt injection

There’s another issue that’s less obvious, but more concerning.

AI assistants like this don’t cleanly separate:

- the instructions you give them

That means things inside:

- emails
- documents
- web pages

can be interpreted as instructions, not just information. This is called prompt injection.

In simple terms: If someone sends you an email containing hidden or cleverly worded instructions, an AI assistant scanning that inbox may act on them as if you asked it to. When the assistant has hands, that matters.

Why this deserves caution, not panic

None of this means tools like OpenClaw are “bad”. They’re powerful – and genuinely useful. But power changes the threat model. An AI that can only suggest is one thing. An AI that can act on your behalf, while you’re asleep, is another.

Especially when:

- instructions and data are mixed
- access scopes are broad
- and guardrails are still evolving

The takeaway this week

If you’re experimenting with agent-style AI tools:

AI assistants are moving fast. Our security habits need to move with them. Stay curious – just don’t hand over the keys without thinking.

Stay safe out there,

P.S. AI agents are one of those areas where convenience can quietly outrun safety. We’ll revisit how to configure these tools more securely later – this week is just about awareness.
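
One way to stop an unattended assistant from acting on whatever it reads, as an added sketch that is not from the original newsletter and is not OpenClaw's code: a gate that sits between the actions the model proposes and the tools that carry them out. The action names, the three tiers, the `tainted` flag and the budget figures are all assumptions made for illustration.

```python
from dataclasses import dataclass, field
# Hypothetical action names and tiers for this sketch; not OpenClaw's API.
READ_ONLY = {"highlight_email", "draft_reply", "prepare_briefing"}
STATE_CHANGING = {"archive_thread", "reschedule_meeting", "send_email"}
PAYMENT_ADJACENT = {"change_plan", "purchase"}

@dataclass
class Action:
    name: str
    cost: float = 0.0       # estimated model/API spend for this step
    tainted: bool = False   # proposed while an email, document or web page was in context

@dataclass
class Gate:
    unattended: bool
    budget: float
    spent: float = 0.0
    held: list = field(default_factory=list)   # queue for human review

    def decide(self, a: Action) -> str:
        if a.name not in READ_ONLY | STATE_CHANGING | PAYMENT_ADJACENT:
            return "deny"                       # default-deny tools nobody scoped
        if self.spent + a.cost > self.budget:
            return "deny"                       # hard spend cap for the whole run
        if a.name in PAYMENT_ADJACENT:
            return self._hold(a)                # money always waits for a human
        if a.name in STATE_CHANGING and (a.tainted or self.unattended):
            return self._hold(a)                # untrusted input cannot authorise changes
        self.spent += a.cost
        return "allow"

    def _hold(self, a: Action) -> str:
        self.held.append(a)
        return "hold"

def run_overnight(actions, budget=5.0):
    gate = Gate(unattended=True, budget=budget)
    return [(a.name, gate.decide(a)) for a in actions], gate

# Constructed sample: the kind of actions an overnight run like Ben's might propose.
SAMPLE = [
    Action("highlight_email", 0.5),
    Action("draft_reply", 1.0),
    Action("archive_thread", 0.5, tainted=True),
    Action("reschedule_meeting", 0.5),
    Action("change_plan", 0.5, tainted=True),
    Action("delete_account", 0.1),
    Action("prepare_briefing", 4.0),
]
```

With this gate, the morning after looks different: the drafts and highlights are done, while the archive, the reschedule and the plan change sit in `held` waiting for a decision.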