# Codex/OpenClaw Runaway Agent Safety Guide

This guide is for Mac operators running local AI agents across many projects.

The warning signs are practical:

- your Mac runs out of memory after a reboot
- tmux or terminal sessions auto-restore too many agents
- Mail/Gmail/LinkedIn/browser windows open unexpected compose states
- launchd has old revenue or automation jobs you cannot explain
- agent skills, MCP servers, or shell tools were added without a review
- one agent has access to multiple client workspaces or accounts

If this is already happening, buy the $99 diagnostic:

https://buy.stripe.com/9B6fZhduQ4r42dz7mb3sI1h

If you want templates to fix it yourself, buy the $49 kit:

https://buy.stripe.com/4gMcN59eAbTw7xTfSH3sI1q

## Free Read-Only Scan

Download and inspect the scan script:

https://igorganapolsky.github.io/AI_OpenClaw_Setup_Kits/scripts/mac-agent-risk-scan.sh

Run it locally:

```sh
sh scripts/mac-agent-risk-scan.sh
```

It checks process memory, tmux sessions, custom launch agents, loaded agent-like launchd jobs, Mail Outbox queue size, and OpenClaw/Codex state size. It does not delete, send, post, or change config.
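As an added example (not the kit's `mac-agent-risk-scan.sh`), here are read-only helpers for two of the checks described above: unexplained launchd jobs and oversized tmux sessions. The functions read stdin, so they run here against constructed samples and, on a real Mac, against the output of `launchctl list` and `tmux list-sessions`; the agent keyword list and the window budget are illustrative assumptions.

```sh
#!/bin/sh
# Added example, not the kit's scan script. Everything here only reads and
# prints; nothing is deleted, sent, or reconfigured.

# Constructed sample in `launchctl list` format: PID, last exit status, label.
sample_launchd() {
    printf '%s\t%s\t%s\n' PID Status Label \
        412 0 com.apple.Finder \
        - 0 com.apple.mdworker.shared \
        731 0 com.example.openclaw-agent \
        - 1 com.example.codex-revenue-loop \
        - 0 homebrew.mxcl.postgresql
}

# Constructed sample in the format of
# `tmux list-sessions -F '#{session_name} #{session_windows}'`.
sample_tmux() {
    printf 'client-a 2\nclient-b 9\nscratch 1\n'
}

# Every non-Apple launchd label: the jobs a weekly review must be able to explain.
custom_launchd_jobs() {
    awk -F'\t' 'NR > 1 && $3 !~ /^com\.apple\./ { print $3 }'
}

# Custom jobs whose label looks like an AI agent or automation loop
# (keyword list is an assumption of this example, extend it for your setup).
agent_like_jobs() {
    custom_launchd_jobs | grep -Ei 'agent|codex|openclaw|claude|mcp|revenue|bot' || true
}

# tmux sessions holding more windows than the budget given in $1; restored
# sessions that nobody owns tend to show up here.
over_budget_sessions() {
    awk -v max="$1" '$2 + 0 > max + 0 { print $1 }'
}

# Stand-alone run against the constructed samples.
echo "custom launchd jobs:";          sample_launchd | custom_launchd_jobs
echo "agent-like jobs:";              sample_launchd | agent_like_jobs
echo "tmux sessions over 4 windows:"; sample_tmux | over_budget_sessions 4
```

On a real machine replace the sample functions with `launchctl list | custom_launchd_jobs` and `tmux list-sessions -F '#{session_name} #{session_windows}' | over_budget_sessions 4`.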

Want me to read the scan output and send same-day prioritized fixes?

Buy the $25 teardown:

https://buy.stripe.com/fZu14n1M81eSbO9fSH3sI1L

Then send redacted scan output to `igor@openclaw.ai` with your Stripe receipt email. Do not send API keys, secrets, private customer data, or full file contents.

## The Failure Pattern

Local agents fail in a predictable way:

1. The operator adds useful tools.
2. The tools gain file, shell, browser, network, email, or payment access.
3. Sessions are restored automatically because the work feels important.
4. The machine accumulates hidden background state.
5. One bad loop turns into memory pressure, duplicate posts, stuck email, or unsafe outbound action.

The fix is not "never automate." The fix is an operating boundary.

## Minimum Controls

Use these before adding more agents:

- one workspace per project or client
- one credential profile per trust boundary
- no automatic restore unless the session has an owner and a stop condition
- deny shell/process tools by default
- dry-run mode before outbound work
- explicit approval before sending, posting, deleting, charging, refunding, or pushing production changes
- weekly launchd and listening-port review
- private fulfillment storage for paid assets and client data

## Mac Memory Rule

Do not let terminal/tmux/app restore be the default owner of your AI workload.

For each restored session, write down:

- project
- purpose
- expected memory budget
- maximum concurrent agents
- allowed tools
- stop condition
- recovery path

If you cannot name those, do not auto-restore it.

## Outbound Action Rule

Agents should draft first and send second.

Require approval before:

- email
- public posts
- social DMs
- GitHub comments
- Stripe charges, invoices, refunds, or coupons
- deleting files
- changing production config
- installing new skills or MCP servers

## Skill And MCP Rule

Treat third-party skills and MCP servers as part of your executable supply chain: they are code you run, not configuration you read.

Before enabling one, capture:

- source
- version or commit
- requested tools
- filesystem access
- network access
- secrets access
- outbound channels
- rollback command

Then test it in a disposable workspace first.

## What The Paid Kit Adds

The $49 kit includes editable templates for:

- approval policy
- tenant boundary checklist
- skill review worksheet
- launchd audit template
- weekly operator review
- May 2026 research memo

Buy the kit:

https://buy.stripe.com/4gMcN59eAbTw7xTfSH3sI1q

Buy the diagnostic:

https://buy.stripe.com/9B6fZhduQ4r42dz7mb3sI1h
