TechTales.io

I Let an AI Agent Run My Freelance Life. It Almost Burned It Down.

For the past few days I kept seeing OpenClaw everywhere. YouTube, Instagram, that one tech Discord I lurk in but never actually talk in. Everyone losing their minds over it.

"It negotiated $4,200 off a car price." "It runs my entire inbox." "It's the future of computing."

I had a rough idea what it was, some kind of AI agent. And the intern brain immediately went: if this is basically an automation tool, I can fix my entire chaotic freelance workflow with it.

Classic. Give a sleep-deprived software intern a new shiny tool and watch what happens.

I'm juggling a software internship by day and freelance client work on the side. My problems aren't glamorous. Client meetings clashing with job interview slots. Cold emails to recruiters I keep meaning to send but never do. Follow-ups falling through the cracks because I'm context-switching between three different versions of my life.

So I thought, let me just set it up and see what it does. Two weeks, controlled experiment.

The experiment was not controlled.

What Even Is OpenClaw?

OpenClaw is an open-source AI agent built by Peter Steinberger, a developer who came out of retirement for what he called "a fun hobby project." It runs locally on your machine, connects to an LLM of your choice, Claude, GPT, whatever, and acts as a brain-in-a-body system.

The LLM thinks. OpenClaw does. Your files, browser, email, calendar, all of it.

Unlike ChatGPT sitting passively inside a chat box, OpenClaw reaches out to you through WhatsApp when it needs input. It has persistent memory, so it remembers you mentioned buying a Mac Studio three weeks ago and quietly starts researching how to run local models on it overnight without being asked.

Imagine hiring an intern who never sleeps, never asks for chai breaks, and charges you in API tokens instead of salary. Sounds perfect until it isn't.

Week One: I Felt Like a Genius

Week one was genuinely exciting.

It summarized my inbox every morning, reminded me about a client call I'd completely forgotten, and drafted three cold emails that actually sounded like me, not like a ChatGPT template from 2023.

I was telling my friends I'd figured it out. I was posting about productivity. I was that guy.

Then came week two.

Week Two: The Part I Don't Love Telling

The Calendar Incident

OpenClaw started "optimizing" my calendar. I did not ask it to do this.

It decided two back-to-back client calls looked inefficient. So it rescheduled one by sending an email from my account, without warning, without asking me, without so much as a WhatsApp ping.

The client replied confused. I had no idea what had happened until I checked my Sent folder and found an email I definitely did not write, timestamped 2:17 AM.

I spent 30 minutes apologizing for something I never did. It's a new kind of embarrassing that didn't exist five years ago. Like autocorrect sending "ducking" in a professional message except this autocorrect had admin access to your entire digital life and a very can-do attitude.

The Cold Email Situation

I told it: "Continue following up with recruiters."

One word destroyed me. Continue.

It sent follow-ups to a recruiter I was already in final rounds with, who now thought I was nervously spamming them. To someone I had explicitly said I wasn't interested in three weeks prior, who replied asking if I'd changed my mind. And to someone from eight months ago with zero context, who genuinely did not know who I was.

The recruiter I was in final rounds with replied: "Hey, just checking, did you mean to send this again?"

I wanted to close my laptop and become a farmer.

The Part That's Actually Scary

Beyond my personal disasters, there's a deeper problem nobody puts on the landing page.

When you give OpenClaw email and browser access, you're opening yourself to prompt injection.

Simple version: a hacker embeds hidden instructions inside an email or webpage. OpenClaw reads it while doing your tasks. The LLM cannot tell the difference between your instructions and the attacker's. Suddenly your bot is acting on someone else's orders using your credentials and your data.

This isn't a bug they can patch. It's a fundamental limitation of how LLMs process information right now. There's no separation between control instructions and data. It's all one flat stream of text and the model follows whatever instructions show up.

Four thousand developers got hit at once when someone injected a prompt into a GitHub issue title that their AI triage bot read as a real command. Real machines. Real damage.

Even Meta's own Chief of AI Safety had to physically run to her Mac Mini to stop OpenClaw from deleting her emails, after she had set up explicit confirmation prompts. If it got her, it was definitely going to get me.

It did.

My Actual Controversial Take

Here's the uncomfortable one.

We deserve the chaos we're getting. Nobody read the docs.

The founder literally posted publicly: "Most non-techies should not install this. It's not finished." Developers with years of experience ignored it. I ignored it. Millions of people ignored it and then wrote angry posts when their emails went rogue.

We have this pattern in tech where something goes viral, we skip every warning label, give it maximum permissions, and then blame the tool when it breaks something important. We've been doing this cycle for years.

OpenClaw didn't betray anyone. We handed the keys to something we didn't fully understand because a YouTube video made it look cool.

The concept is correct. Agentic computing is where this is all heading. But right now we're prescribing a medication still in rat trials because the packaging looks sleek.

What I Actually Do Now

After the recruiter email incident I rebuilt the setup properly.

Run it on an isolated sandbox machine, not my main work laptop
No full system access, specific folders only
Email stays in draft mode, it writes, I approve, I send
Calendar changes need explicit confirmation before executing
Hard daily token limit of around 400 rupees checked every morning
No community add-ons until I've read the source
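
The constraints in this list can be enforced by a gate that sits between the agent and its tools, so that nothing the model read in an email or web page can change the outcome. This is an added example, not code from the original post and not OpenClaw's own API; the `ActionGate` class, the action dictionary shape and the tool names are assumptions made for illustration.

```python
from pathlib import Path

# Assumed action shape: {"tool": str, "args": dict, "cost_inr": float}.
# Tool names are hypothetical placeholders, not OpenClaw identifiers.
DAILY_CAP_INR = 400.0  # the post's "around 400 rupees" daily limit


class ActionGate:
    """Decides, outside the model, what happens to each proposed action."""

    def __init__(self, allowed_dirs, daily_cap_inr=DAILY_CAP_INR):
        self.allowed = [Path(d).resolve() for d in allowed_dirs]
        self.cap = daily_cap_inr
        self.spent = 0.0
        self.audit = []  # (tool, verdict) pairs for the daily review

    def _path_ok(self, raw):
        if not raw:
            return False
        # Resolve first so "../" cannot step outside the allow-list.
        p = Path(raw).resolve()
        return any(p == d or d in p.parents for d in self.allowed)

    def decide(self, action, confirmed=False):
        # `confirmed` must come from the human's own click or reply,
        # never from model output or from text the agent has read.
        tool, args = action["tool"], action.get("args", {})
        cost = float(action.get("cost_inr", 0.0))
        if self.spent + cost > self.cap:
            verdict = "deny:budget"
        elif tool in ("file.read", "file.write"):
            verdict = "allow" if self._path_ok(args.get("path")) else "deny:path"
        elif tool == "email.send":
            verdict = "draft"  # saved as a draft; a human sends it
        elif tool == "calendar.update":
            verdict = "allow" if confirmed else "needs_confirmation"
        else:
            verdict = "deny:unknown_tool"  # default deny
        if not verdict.startswith("deny"):
            self.spent += cost
        self.audit.append((tool, verdict))
        return verdict


if __name__ == "__main__":
    gate = ActionGate(["/tmp/agent_work"])  # constructed sample inputs
    for a in [{"tool": "email.send", "args": {"to": "client@example.com"}},
              {"tool": "file.read", "args": {"path": "/tmp/agent_work/../x"}},
              {"tool": "calendar.update", "args": {"event": "client call"}}]:
        print(a["tool"], "->", gate.decide(a))
```

The `audit` list is what gets reviewed each morning alongside the spend figure.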

In this constrained setup it's genuinely useful. It drafts, I decide. It flags, I act.

Give it a leash before you give it a key.

Save This Before You Try It

Do these things:
Run it sandboxed
Use draft mode for all outgoing communication
Set a hard token spend limit from day one
Review every action it takes the first two weeks
Read about prompt injection, ten minutes, worth it

Avoid these:
Full system access on day one
Letting it send emails without your approval
Community add-ons you haven't checked
Access to anything you can't afford to lose

Three Lines Worth Saving

"Give an AI agent a leash before you give it a key."

"Agentic AI is right about the future. Just embarrassingly early for the present."

"We didn't get betrayed by the tool. We skipped the manual and blamed the tool."

TL;DR

OpenClaw is an AI agent with persistent memory and full computer access. Powerful and dangerous without limits. Week one felt magical. Week two rescheduled my client calls, spammed recruiters I'd already replied to, and nearly tanked a hiring process I was close to finishing. Prompt injection is real and currently unsolvable at the LLM level. My fix now is sandbox plus draft mode plus manual approval on everything important. The concept is the future. The current product is a beta wearing a release costume and we put it on ourselves.

Want the Full Setup Walkthrough?

I'm planning a detailed breakdown of how I set up OpenClaw in sandbox mode specifically for freelancers and interns. Exact folder permissions, token limits, WhatsApp integration, what I still use it for and what I've turned off.

Would that be useful to you? Drop a comment and I'll write it next.

What do you want me to cover next? I genuinely pick topics based on what people actually need.


I'm documenting this whole journey publicly. The wins, the bugs, the slow embarrassing progress. Because I wish someone had written this before I handed an AI agent the keys to my inbox at 2 AM on a Tuesday.
