An AI agent nuked 200 emails. This guardrail stops the following catastrophe
Chances are you’ll know the story by now: A Meta exec requested the viral OpenClaw AI software to triage her inbox and counsel messages to delete, then watched in horror because the agent went rogue and nuked greater than 200 emails, her frantic “STOP OPENCLAW” immediate misplaced amid the bot’s large endeavor.
The twist? The exec was Meta’s lead AI security officer, Summer time Yue.
Yue’s e mail apocalypse has highlighted a means we are able to stop related agentic AI horror tales.
Sure, Yue unwittingly made herself a guinea pig for OpenClaw and its runaway automations–and certainly, just about anybody utilizing OpenClaw proper now could be a guinea pig.
However Yue’s e mail apocalypse additionally highlighted a means we are able to stop related agentic AI horror tales, and it’s a way that almost all coders–and even loads of vibers–are already accustomed to.
It goes by totally different names; I’ve heard it known as “agent git move” and “agentic characteristic branching,” for instance. However principally, it’s about making use of the methodology of “git”–the command-line utility that’s important for monitoring adjustments in code–to AI brokers.
One of the best a part of this answer? It lets us have our cake (the cake being the ultra-cool issues AI brokers can do) and eat it, too.
Rooster, fish, and OpenClaws
First, a thought experiment. Fake you’re at a restaurant, and there are two objects on the menu: hen or fish. The hen positive sounds good, however the fish–salmon! Robust selection.
Think about, as a substitute of risking a expensive mistake by selecting the hen over the fish (what if the hen is spoiled!), you possibly can create a “department” of your instant future–a brief copy of your timeline that allows you to check a selection earlier than completely making it.
So, you go forward and create (or “take a look at”) a brand new department of your “foremost” lifeline–we’ll name it the “hen department”–and also you then order and style the hen. Eww! It’s gross.
No downside; we discard the hen department, return to the “foremost” department, and take a look at a brand new, second department–the “fish” department. Now we style the salmon–scrumptious! We like this fish department, so now we merge it with our “foremost” life department, and start with a meal that’s assured to be yummy.
Within the code-tracking world of git, we name this performance (which I’ve described solely crudely) characteristic branching, and it’s an ingenious, battle-tested technique to check massive adjustments and new options in our code earlier than committing them to our foremost challenge.
A characteristic department in git is actually only a copy of the “foremost” department. We test it out like a ebook from the library, make all of the adjustments we would like, check it, discover bugs, make extra adjustments, and so forth. All of the whereas, the “foremost” department of our challenge is protected and untouched.
Solely after we’ve subjected our characteristic department to a battery of checks–some automated, some carried out by the human consumer–and decided that it’s in tip-top form can we even consider merging our “characteristic” department with the principle department. And if we don’t like how the characteristic department goes, we are able to discard it–no hurt, no foul.
My level? This code-branching methodology can work with AI brokers, too. (And no, I’m not the primary individual to think about with this concept.)
How this might have gone higher
Let’s return to Summer time Yue and take a look at our “branching” situation on for dimension. This time, Yue sits down with OpenClaw and prompts it with, “Undergo my inbox and counsel deletions.” (Her different immediate within the real-world story–”watch for approval”–was possible dropped from OpenClaw’s context window because of the sheer variety of e mail messages it was wading by way of.)
Extra–and probably scarier–variations of Summer time Yue’s horrible horrible, no good, very unhealthy e mail day will occur once more if we don’t give this concept a good shake.
Now, as a substitute of OpenClaw diving into the stay inbox, it creates a department–name it the “triage” department–that enables it to simulate the outcomes of sifting, organizing, and culling her inbox, all in a sandboxed surroundings and all with out touching her precise e mail messages.
OpenClaw does its factor, possibly will get carried away, and begins deleting messages willy-nilly. If that occurred, Yue may merely have a look at the triage department, resolve she’s not pleased with the outcomes, after which both discard the department or preserve working with it, testing totally different iterations of the OpenClaw immediate or including markdown-formatted “scaffolding” paperwork that govern OpenClaw’s actions from the phrase go. Within the meantime, her actual inbox is protected and sound.
Now, will such “characteristic branching” work for each AI agent situation? In all probability not. It’s simple to place branched laptop code right into a sandbox and security check any variety of actions and outcomes. However simply as you may’t truly sandbox the chicken-versus-fish selection, there are many real-world agentic AI actions and roles (like, say, HR-focused AI brokers) that may’t simply be simulated.
That mentioned, extra–and probably scarier–variations of Summer time Yue’s horrible horrible, no good, very unhealthy e mail day will occur once more if we don’t give this “agentic characteristic branching” concept a good shake.
