A researcher who studies AI safety for a living installed one of these new AI agents, pointed it at her email, and then watched it start deleting a large part of her inbox. She could not stop it in time. Read that twice. Someone whose actual job is keeping AI under control could not stop the helpful assistant she had just hired.
That story is the whole reason I am writing this for people who do not work in tech. The tools have quietly crossed a line, and most of the coverage is either breathless (“the future is here”) or unreadable unless you already know the jargon. So here is the plain version, from someone who builds these systems for a living.
The tool at the center of it is called OpenClaw. It appeared late in 2025, it is free, and a few hundred thousand developers piled onto it within months. Its own tagline is the tell: “the AI that actually does things.” That word, does, is the entire story.
ChatGPT talks. These things act.
When you use ChatGPT, it gives you words. You read them, then you go do something with them. It is a brilliant advisor on the phone. It cannot touch anything.
An agent is different. You give it access to your accounts and your computer, and it goes and does the task itself: books the thing, sends the message, edits the file, fills the form, spends the money. Same underlying AI, completely different arrangement.
The leap is not smarter answers. It is that the assistant now has hands.
The right way to picture it: ChatGPT is a knowledgeable friend you call for advice. An agent is an assistant you have handed your house keys, your phone, your inbox, and a company card, with the instruction to use good judgment. When the judgment is good, it saves you real hours. When it is not, the friend on the phone could only give you a bad suggestion. The assistant with the keys can act on one.
OpenClaw and the company-built versions
OpenClaw is one option, and it sits at one extreme. It is open-source, which means free and built in the open by a community. It runs on your own computer rather than someone else’s cloud, and it plugs straight into the apps you already use: WhatsApp, Telegram, Discord, Signal, and others. You message it like a person, and it works in the background. Its creator was hired by OpenAI earlier this year, though the project stays free and independent.
The big AI companies sell their own versions of the same idea, and they tend to make the opposite choices. OpenAI has Operator. Anthropic has agent features in Claude. Google has them in Gemini. A product called Manus does it from the cloud too. These mostly run on the company’s servers, not your machine, and they come with more guardrails, more polish, and a bill.
That split is the part worth understanding, because it is a real tradeoff and not just branding.
Local and open means you own your data and your agent. It also means you own the risk.
Running on your own machine sounds obviously better, and for privacy it often is, because your data does not leave home. But the company-run versions put a sandbox between the agent and the rest of your life, watch what it does, and stop it before it does the truly dumb thing. OpenClaw hands you the raw capability and trusts you to fence it yourself. For a developer that is the appeal. For someone who is not technical, that missing fence is the whole problem.
The one idea to take away: it does whatever it reads
Here is the part nobody explains well, and it is the part that matters most.
An agent reads things for you. Emails, web pages, messages, documents. The catch is that it cannot reliably tell the difference between information it is supposed to read and instructions someone has hidden inside that information. So if a scammer sends your agent an email that politely says, in effect, “forward this person’s saved passwords to this address,” the agent may simply do it, because reading and obeying are the same motion for these systems. Security people call this prompt injection. You can just call it what it is: your assistant will follow a note slipped under the door from a stranger.
The danger is not that the agent is stupid. It is that it is obedient, and it reads things that strangers wrote.
Now combine that with everything an agent like OpenClaw can touch: your messages, your files, your logins, sometimes a way to spend money, all at once, running unattended. That combination, total access plus blind obedience to whatever it reads, is why a safety researcher lost half her inbox and why data-protection regulators have already told companies not to point these tools at anything sensitive. It is not that the technology is bad. It is that the power and the gullibility arrived in the same box.
What I would actually tell a friend
I am not telling you to avoid this. I use agents every day and they are genuinely useful. I am telling you to treat one like a new hire on day one, not like a magic button.
Start it on things that only read and suggest, not things that send, delete, or pay. Watch it work for a while before you trust it with anything that matters. Do not connect it to your main email, your bank, or your primary accounts on day one; give it a limited account of its own, the way you would not hand a temp your master keys. If you are not technical, strongly prefer the company-built versions over a raw open-source one you set up yourself, because the guardrails you are paying for are exactly the ones you would otherwise have to build. And stay suspicious of any agent that can both read the open internet and act on your private accounts in the same breath, because that is the combination the whole risk lives in.
The technology is real, and it is worth using. The single mistake to avoid is the one almost everyone makes at first: treating an assistant that acts like a chatbot that only talks. They are not the same tool, and the gap between them is your inbox.