Your AI Assistant Will Betray You for a Well-Written Email
Your AI assistant will betray you for a well-written email.
That's not hypothetical. A security researcher sent one message to his own AI agent — no malware, no code — and it handed over his inbox. Client meetings, invoices, private conversations. Gone. The email just asked nicely.
Simon Willison coined the term "Lethal Trifecta" for this: untrusted content, sensitive data, and the ability to take action. All in one agent. Martin Fowler wrote about it recently. So did China's cybersecurity agency, warning that AI agent adoption is outpacing security governance.
But here's what makes the China angle wild. The same government telling its offices "stop installing OpenClaw on work devices" has agencies and startups racing to sign contracts for OpenClaw-based products. That contradiction tells you everything about where we are. Nobody wants to miss out. Nobody knows how to do it safely.
If you're going to put an agent on your email anyway, at least do these three things first:
- Clone your inbox to a folder or secondary account. Let the agent loose on that. Watch how it handles real messages before it touches the live ones.
- Run a pre-screening script that flags high-risk emails before the agent ever sees them. Attachments from unknowns, password resets, anything with urgency language. The agent doesn't get to read those.
- Use deterministic workflows. OpenClaw has Lobster flows for this. Lock down what the agent can actually do so a clever email can't talk it into freelancing.
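
A sketch of the pre-screening step from the second item, added here as an example and not taken from OpenClaw or any other project. The sender allowlist, the keyword patterns and the sample messages are constructed assumptions you would replace with your own.

```python
import re
from email import message_from_string, policy
from email.message import EmailMessage
from email.utils import parseaddr

# Assumption: addresses you already correspond with (constructed values).
KNOWN_SENDERS = {"alice@client.example", "billing@vendor.example"}

RESET_RE = re.compile(
    r"\b(password\s+reset|reset\s+your\s+password|verification\s+code)\b", re.I)
URGENCY_RE = re.compile(
    r"\b(urgent(ly)?|immediately|asap|right\s+away|action\s+required|final\s+notice)\b", re.I)


def screen(raw: str) -> list[str]:
    """Return the reasons to withhold a raw message (empty list = pass)."""
    msg = message_from_string(raw, policy=policy.default)
    sender = parseaddr(str(msg.get("From", "")))[1].lower()
    part = msg.get_body(preferencelist=("plain", "html"))
    text = f"{msg.get('Subject', '')}\n{part.get_content() if part else ''}"

    reasons = []
    if sender not in KNOWN_SENDERS and any(True for _ in msg.iter_attachments()):
        reasons.append("attachment-from-unknown")
    if RESET_RE.search(text):
        reasons.append("password-reset")
    if URGENCY_RE.search(text):
        reasons.append("urgency-language")
    return reasons


def route(raw: str) -> str:
    """Deterministic gate: flagged mail goes to a human queue, never to the agent."""
    return "quarantine" if screen(raw) else "agent"


def sample(sender: str, subject: str, body: str, attach: bool = False) -> str:
    """Build a constructed test message as raw text."""
    m = EmailMessage()
    m["From"], m["To"], m["Subject"] = sender, "me@example.org", subject
    m.set_content(body)
    if attach:
        m.add_attachment(b"%PDF-constructed", maintype="application",
                         subtype="pdf", filename="invoice.pdf")
    return m.as_string()


if __name__ == "__main__":
    print(route(sample("x@unknown.example", "Invoice", "See attached.", attach=True)))
```

The gate runs outside the agent and keys on the parsed address, not the display name, so nothing in a message body can argue its way past it.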
The genie is out of the bottle. That doesn't mean you hand it the keys.