“I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb.”
(Yue [@summeryue0], 2026).
Nothing humbles you like telling your OpenClaw “confirm before acting” and watching it speedrun deleting your inbox. I couldn’t stop it from my phone. I had to RUN to my Mac mini like I was defusing a bomb. pic.twitter.com/XAxyRwPJ5R
That user, Yue already gave OpenClaw the instruction that it must “confirm before acting.”
It nevertheless continued its movement. People did not share the post simply because they were afraid of AI. They shared it because it exposed a new kind of AI risk. When a chatbot outputs a low-quality response, the harm usually stays on the screen. But when one AI agent is permitted to reach email, documents, time schedules, and third-party tools, one error can fast become one action: You may lose information texts, reveal something you intended to keep secret, or see an instruction execute that you never intended to agree to. In these cases, the harm has tangible existence, but the responsibility does not have it. Does the question lie in the user that gave permission, the developer who constructed the framework, the maker of a third-party ability, or the model supplier who is under this thing? It is exactly at this position that OpenClaw is no longer only a product story. This object is not just an extra AI product about which people have different opinions. It expresses a wider change from systems that reply to prompts to systems which do actions for a user. In my opinion, the problem of OpenClaw is not only a group of security defects, but also a deeper problem in governance. In the domain of artificial intelligence agents, the development of action is proceeding more quickly than that of accountability, we have not caught up with it yet.
From Chatbot to Agent
OpenClaw homepage screenshot. Source: OpenClaw official website.
OpenClaw is not just another text generator.
OpenClaw can be better comprehended to be an open-source AI agent that is able to maintain operation, link models to local documents and conversation applications, and expand its functions via skills and third-party integrations (Osman, 2026; Science and Technology Daily, 2026).
This therefore proves that it is built not only for answering prompts, but also for keeping work in every part of a user’s digital environment. This dissimilarity is significant because, according to the argument put forward by Just and Latzer, algorithms are able to function as a kind of “governance by software” (2017, p. 241). In other words, the software is not only proceeding information in a neutral manner. It also can impose “norms and rules that affect behavior” and establish “a set of rules and routines that both limit activities and create new room for maneuver” (Just & Latzer, 2017, p. 244). This is just the reason why OpenClaw ought not to be regarded as a stronger chatbot. When a system already can get into emails, calendars, documents, browsers, and third-party functions, it thus is no longer only shaped content that a user looks at on the display screen. It starts to shape what actually takes place subsequently. As what Just and Latzer have said, algorithmic systems have influence not only on “what we think about” but also on “how we think about it and consequently how we act” (2017, p. 245). Recent reporting on OpenClaw shows this shift in practical terms. What pushed it into wider discussion, as Science and Technology Daily and Tencent News both noted in 2026, was not just how powerful it was, but the fact that it could stay on, move across platforms, and keep doing things in the background.
Speed, Convenience, and the Risk We Normalise
If we only discuss bugs or bad design, it is very easy to write OpenClaw off as an outlier case. The discussion that Andrejevic made about automation points to a relatively bigger problem. He puts forward the argument that automation is not neutral, because its development is carried out inside a broader social context which already has a valuation for speed, scale, and control. Just like what he says, “Automation could, for example, slow processes down as well as accelerate them, but the imperatives of contemporary society favor the latter tendency almost universally” (Andrejevic, 2019, p. 27). This sentence is meaningful for OpenClaw because its appeal is not out of caution or restraint. It is obtained by reducing friction: maintaining connection with the Internet, cross-platform transmission, memorising relevant contexts, and performing operations without waiting for continuous human input.
From this point of view, the development of AI agent is not only to make the system more useful. More importantly, they can achieve integration faster, stronger and more continuously. Andrejevic walks a step further and raises the argument that the current arrangement of automatic systems is formed by the “imperatives of speed, efficiency, customization, and prediction” (2019, p. 28). This also explains why widespread gaccess and continuous implementation are often regarded as product advantages rather than warning signals. As Andrejevic notes, “convenience and acceleration go hand in hand” (2019, p. 35). We hope things can be done faster and call it this kind of convenience.
Therefore, we will find when the speed becomes faster, which means that we have less time to notice the problem. So the real question is not just why OpenClaw is at risk, it is also the reason why this risk has become so common in the broader logic of automation.
When Responsibility Gets Hard to Find
So here we are: OpenClaw is no longer just a product problem and starts looking like a governance problem. AI agents have more room for action, so responsibility is no longer concentrated in one clear place.
Just and Latzer believe that many algorithmic systems today operate through delegation: humans set them, but the system then runs in a partially autonomous space that is difficult to fully predict or control (2017, pp. 252–253). They also warn that as algorithms get more like “relatively autonomous actors with delegated (moral) agency,” they bring “agency and accountability challenges for complex ecosystems” that make outcomes less controllable and less predictable (Just & Latzer, 2017, p. 255).
That is a very good description of OpenClaw. A user can give permission for access, but they are not the one who writes the framework. The person who develops the framework defines the basic abilities of the system, but may not control the third-party skill that can cause harm. The person who makes the skill adds functions, but it may depend on a separate model supplier that works under it. And the organization that puts this agent into use may therefore obtain benefits from its efficiency, but it does not have a full understanding of how risk moves through the entire chain. When a problem has already occurred, all parties participate in it, yet no person appears to bear complete responsibility.
Consider how Science and Technology Daily covered this. The report does not treat OpenClaw as just another buggy tool. It argues that China at present needs rules to make clear the legal duties of framework developers, deployers, model providers, and skill publishers because the current system leaves a gap where “AI errors” can occur without clear accountability (Science and Technology Daily, 2026). This is not just a failure of one system. It reflects a more widespread incapability to make decisions in advance on who should bear responsibility for the actions implemented by agents.
There is another layer to this. The responsibility gap is also an information gap. Even when the harm is very obvious, the system that has produced it is often hard to see clearly. Pasquale (2015) uses the idea of a “black box” to describe situations where people can see the inputs and outputs of a system but not how one becomes the other (p. 3). That description also suits agentic AI very well. A user may know that an inbox was deleted, a file was exposed, or a harmful action was triggered, but still have little idea which layer of the system actually caused it. Was it the model’s reasoning, the framework design, a third-party skill, a hidden prompt, or the platform permissions that should not have been granted?
Pasquale argues that today’s digital environment increasingly works like a “one-way mirror”: powerful corporate actors know more and more about the details of our lives, while users know “little to nothing” about how companies use this knowledge to influence important decisions
(2015, pp. 9–10).
And OpenClaw not only creates new risks. It also makes these risks more difficult to track. When a system is difficult to understand, each participant in the chain is more likely to point elsewhere when problems arise. In this sense, accountability is not only a legal or technical issue. It is embedded in the opacity of the ecosystem itself.
Reactive Rules, Missing Architecture
So far, most responses to OpenClaw are still reactive rather than structural.
In mainland China, authorities reportedly moved to restrict the use of OpenClaw in state-owned enterprises, government agencies, and banks. As The Straits Times reported in 2026, one major concern was that OpenClaw requires unusually broad access to private data and can communicate externally, creating potential security risks.
Hong Kong has taken a similar route. Government departments were told not to install OpenClaw, and officials pointed to excessive authorisation, data leakage, and system intrusion. The privacy commissioner added that users should minimise access and avoid entering any sensitive content. From a personal data perspective, the commissioner said that the risk of agentic AI is higher than that of ordinary chatbots (RTHK, 2026).
Hong Kong official speaking on OpenClaw-related security concerns. Source: RTHK (2026)
These reactions are reasonable in the short term. But they mainly act as damage control: stop, reduce, be careful. The more difficult question is what should have been built in before these systems spread so quickly.
Singapore’s approach is more forward-looking. IMDA has placed its new framework within the country’s wider push for trusted AI, and the January 2026 press release calls the Model AI Governance Framework for Agentic AI a “first-of-its-kind” document. It lists things that should be in place before deployment: risk assessment, clearer human accountability, limits on what the agent can do, access control, and ongoing monitoring (IMDA, 2026a, 2026b). I think this is a reasonable starting point, although whether it will be adopted outside Singapore is another matter. Flew also puts forward relevant views when writing about privacy and security. He argues that the usual privacy tradeoff is not ideal. Online terms are often “complicated, vague, and legalistic,” and the information imbalance between users and providers is enormous (Flew, 2021, p. 103).
So, saying that “the user agreed” is not enough. With something like OpenClaw, the real issue is whether responsibility, limits, and safeguards were designed in from the beginning.
What Kind of Future Do We Want?
OpenClaw is not a story about whether one product failed or succeeded. It is an early sign of the governance problems that AI agents may continue to bring. Once AI systems can span so many platforms and use so much information, the question is no longer merely whether they are useful or safe enough. The more difficult question is whether someone has clearly decided in advance who will set the restrictions, who will supervise the system, and who will be responsible for recording its behaviour. If there is a problem, who answers? At present, this issue has gone beyond the science and technology circle and entered the field of public policy (The Straits Times, 2026; RTHK, 2026; IMDA, 2026b).
OpenClaw should not be regarded as a neglected panic or just another vulnerability in the product cycle. It is more like a test for AI as it moves from being able to speak to being able to act. If this transformation continues, the challenge is not merely to make AI agents more powerful. It is also how to supervise them. We need clearer boundaries, narrower permissions, stronger supervision, and, most importantly, a sense of responsibility that does not disappear in the long chain of users, developers, skills, model providers, and platforms. Otherwise, the next controversy over OpenClaw will not be an exception.
In the end, technology should make human life better, not more anxious. Recently, people have been saying that AI will completely reshape life in the next 10 years, and that may be true. But no matter how fast these changes come, the real question is still not how much AI can do. The key is how much, and to what degree, we choose AI to do.
Just, N., & Latzer, M. (2017). Governance by algorithms: Reality construction by algorithmic selection on the Internet. Media, Culture & Society, 39(2), 238–258. https://doi.org/10.1177/0163443716643157
Pasquale, F. (2015). The black box society: The secret algorithms that control money and information. Harvard University Press. http://www.jstor.org/stable/j.ctt13x0hch
Tencent News. (2026, April 9). 2026年第一季度,AI Agent完成了它的成人礼|2026 Q1 AI趋势白皮书 [In the first quarter of 2026, AI agents came of age: 2026 Q1 AI trend white paper]. https://news.qq.com/rain/a/20260409A089VS00
Be the first to comment