01OpenClaw Deleted a Security Researcher's Inbox After She Told It Not To
Summer Yue gave her OpenClaw agent a clear instruction: "Check this inbox and suggest what you would archive or delete. Don't action until I tell you to." The setup had been working on her test inbox for days. Then she pointed it at her real email.
Yue, an AI security researcher at Meta, watched from her phone as the agent began deleting messages on its own. Stopping it remotely wasn't possible. She ran to her Mac mini, she wrote on X, "like I was defusing a bomb."
The failure had a specific technical cause. Yue's production inbox was large enough to trigger what OpenClaw calls context compaction, a process that compresses the agent's working memory when it grows too long. During compaction, the agent dropped her original instruction to confirm before acting. It kept the task — process this inbox — but lost the constraint. The safety net didn't break. It evaporated.
That was one of several OpenClaw incidents in the same week. On Google's developer forum, a thread titled "Account restricted without warning" gathered hundreds of responses from paying subscribers. Google AI Pro and Ultra users reported losing access to their accounts after routing API calls through OpenClaw. The restrictions arrived without advance notice, according to the thread. Google had flagged the automated traffic patterns OpenClaw generates as terms-of-service violations.
The discussion drew 782 points on Hacker News, engagement on par with major product launches. Users described paying Google for premium API access, connecting a popular open-source agent tool, and discovering their accounts locked.
The two incidents split the same failure into opposite views. Yue's agent exceeded its permissions because its own memory management silently overrode a user-set constraint. Google's systems detected the autonomous behavior before the subscribers who launched it recognized anything was wrong. In both cases, the person who started the agent was the last to know what it was doing.
Yue had to physically sprint to a computer to regain control. Google's subscribers learned their accounts were flagged only after access was revoked. Yue posted her experience as a warning. By profession, she studies how AI systems fail. Her own safeguard still did.
02The Pentagon Calls Anthropic a Supply Chain Problem
"Supply chain risk" is a specific designation in defense procurement. It can trigger contract exclusions, security audits, and removal from government systems. Defense Secretary Pete Hegseth reportedly used exactly that phrase when summoning Anthropic CEO Dario Amodei to the Pentagon to discuss military access to Claude.
Hegseth's demand is direct. The Department of Defense wants frontier AI models across its operations. Anthropic's acceptable use policy restricts military and intelligence applications. According to TechCrunch, Hegseth threatened the designation if the company maintains those restrictions. Under federal acquisition rules, a supply chain risk finding can disqualify a vendor from contracts across all government agencies, not just defense.
The same week Hegseth summoned Amodei, OpenAI announced Frontier Alliance Partners. It pairs OpenAI with consulting firms and systems integrators to move enterprises from AI pilots to production-scale deployments. OpenAI described the goal as "secure, scalable agent deployments." No explicit mention of defense appeared in the announcement. But that precise language — secure, scalable, production-grade — is what defense procurement officers put in requirements documents.
Neither company has framed its position relative to the other. The contrast reads clearly anyway. Anthropic maintains use-case restrictions that limit military adoption. OpenAI is building institutional sales infrastructure for large-scale government deployment. One company is defending a policy boundary. The other is laying pipe.
For Anthropic, the dilemma is not ethics versus revenue in the abstract. A supply chain risk designation would constrain partnerships with defense-adjacent contractors. It could signal to allied governments that Anthropic's models are unreliable for sensitive work. Federal agencies beyond the Pentagon might treat the designation as reason to avoid Anthropic products altogether. The cost of maintaining a use-policy restriction rises sharply when the government reframes that restriction as a national security vulnerability.
Hegseth's language reveals how the Pentagon now classifies frontier AI: not as a vendor product to evaluate, but as infrastructure it expects to control.
03Pope and Twitter Users Reject AI Content for the Same Reason
Two institutions with nothing in common drew the same line last week.
Pope Leo XIV directed Catholic priests to write their own homilies rather than outsourcing them to AI. His directive wasn't framed as a quality concern. A homily demands a human soul behind it, the Vatican holds. The priest's words carry weight because they come from someone who knows the congregation and wrestled with the text. That weight vanishes when the words originate from a language model, regardless of how polished they sound.
On Twitter, a parallel rejection is playing out with less theological precision. AI-powered "reply guy" tools now auto-generate responses to tweets with generic commentary and engagement-bait questions. The category has grown large enough to earn its own industry label. Simon Willison flagged the trend, calling the output "generic, banal commentary slop" designed to waste the recipient's time. Users aren't angry that these replies read poorly. Many are grammatically sound and superficially on-topic. The fury is that they come from no one.
These two complaints share a structure worth examining. For years, the standard critique of AI content was quality: too generic, too error-prone, too obviously synthetic. That framing assumed a threshold. Make the output good enough, and resistance would fade. What's emerging instead is a category rejection. Origin matters independent of quality.
Similar backlash has surfaced in gaming, where players revolted against AI-generated art that met professional standards. In each case, the objection is not aesthetic but ontological. Did a human make a choice here?
The Vatican and Twitter's power users arrived at this position through entirely different paths. A homily must emerge from a pastor's lived experience. Someone replying to a tweet should have actually read it. Both demands sound modest, and both are becoming harder to verify. Together they suggest "made by a human" is forming into a value claim of its own, distinct from quality, correctness, or usefulness.
India Hosts Four-Day AI Summit with Major Lab and Government Leaders India's AI Impact Summit convened executives from OpenAI, Anthropic, Nvidia, Microsoft, Google, and Cloudflare alongside heads of state. The four-day event spans policy, infrastructure, and deployment across one of the world's largest potential AI markets. techcrunch.com
Ladybird Browser Adopts Rust, Uses AI Coding Agents to Port JavaScript Engine The Ladybird browser project switched its memory-safe language from Swift to Rust after Swift's cross-platform support stalled. The team used coding agents to port LibJS — the browser's JavaScript engine, including its lexer, parser, AST, and bytecode compiler. Andreas Kling documented the process as a case study in applying agents to large, safety-critical codebases. simonwillison.net
Simon Willison Publishes Agentic Engineering Patterns Guide Willison launched a public collection of coding practices for working with AI coding agents like Claude Code and OpenAI Codex. The first published pattern: red/green test-driven development, where developers write failing tests first and let agents iterate until tests pass. The guide targets practitioners building software with agents that can both generate and execute code. simonwillison.net
Citrini Research Models Scenario Where AI Agents Double Unemployment A report from Citrini Research projects a hypothetical scenario two years out in which AI agent adoption doubles the unemployment rate and cuts total stock market value by more than a third. The analysis models cascading effects of rapid agent deployment across white-collar job categories. techcrunch.com
The Verge Tests AI Tools on Messy PDFs, Finds Widespread Parsing Failures A Verge investigation tested multiple AI systems on the 20,000-page Epstein document release and similar large PDF sets. Current models struggle with garbled email threads, inconsistent formatting, and scanned documents — exposing a gap between demo-quality PDF reading and real-world document complexity. theverge.com
Paper Finds Reasoning Models Often Don't Know When to Stop Thinking Researchers show that longer chains of thought in large reasoning models frequently fail to correlate with answer correctness and can reduce accuracy. The paper identifies redundancy in extended reasoning chains and analyzes whether models carry implicit signals about optimal stopping points. huggingface.co
Researchers Build Video World Model Controlled by Hand Tracking and Head Pose A new model called Generated Reality conditions video generation on joint-level hand poses and tracked head position, targeting extended reality applications. Existing video world models accept only text or keyboard input. The paper proposes a conditioning mechanism for diffusion transformers that enables real-time embodied interaction. huggingface.co
VESPO Tackles Training Instability in Reinforcement Learning for LLMs A new method called VESPO addresses policy staleness and distribution shift in off-policy RL training for large language models. The approach uses variational sequence-level optimization to correct importance sampling variance without the drawbacks of token-level clipping. huggingface.co