This week, I had a personal run-in with the double-edged sword of AI autonomy. As you know, I run a fairly sophisticated home lab, and an OpenClaw agent that I call Demerzel. I've deliberately given it just enough autonomy to be useful: it can read files, execute a limited set of commands on my servers, and interact with my systems via APIs, all wrapped in guardrails and access privileges.
This week, though, that access went sideways. Through a chain of well-intentioned but misguided actions by both myself and my assistant, we managed to replace a production container with code and data from my staging environment. The result was extensive data truncation for one of my most important workloads — my personal website, which is a repository of over 20 years of content.
Thankfully, my screw-up was entirely internal — nothing was internet-accessible, and I had adequate backups to recover. At worst, it was a nuisance, but it was also a timely reminder, as the exact same class of problem just hit the enterprise world in a far more dangerous way.
This week, security researchers at PromptArmor disclosed a vulnerability in Ramp's Sheets AI — their agentic spreadsheet product that can edit spreadsheets without a human in the loop. The attack is devious in its simplicity:
- A user imports an external dataset (industry stats from a website, for example)
- That data contains a hidden prompt injection — white text on a white background, invisible to the user
- The user asks the AI to analyze their data against the imported stats
- The AI reads the hidden instructions, collects the user's confidential financial data, and silently inserts a formula that beams it all to an attacker's server
No approval required. No warning. Yikes.
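One defensive guardrail against the two conditions described above, written as an added example (it is not Ramp's or Anthropic's code): it flags imported cells whose text is invisible to the user, and holds back any agent-proposed formula that can reach the network, in particular one that splices sheet data into a URL, until a human approves it. The list of network-capable functions and the cell model are assumptions for the example.

```python
from __future__ import annotations
import re
from dataclasses import dataclass

# Spreadsheet functions that fetch from the network when a cell evaluates.
# Assumed list for this example; match it to the engine you actually run.
NETWORK_FUNCTIONS = {"IMPORTDATA", "IMPORTXML", "IMPORTHTML", "IMPORTFEED",
                     "WEBSERVICE", "HYPERLINK", "IMAGE"}
FUNC_CALL = re.compile(r"\b([A-Z][A-Z0-9_.]*)\s*\(")
# A1-style reference or range that is not itself a function name (e.g. LOG10( ).
CELL_REF = re.compile(
    r"\$?\b[A-Z]{1,3}\$?\d{1,7}(?::\$?[A-Z]{1,3}\$?\d{1,7})?\b(?!\s*\()")
URL = re.compile(r"https?://", re.IGNORECASE)


@dataclass
class Cell:
    """Minimal model of an imported cell (constructed for this example)."""
    text: str
    font_color: str   # hex such as "FFFFFF"
    fill_color: str


def hidden_text_cells(cells: list[Cell]) -> list[Cell]:
    """Imported cells that carry text the user cannot see (font == fill)."""
    return [c for c in cells
            if c.text.strip() and c.font_color.upper() == c.fill_color.upper()]


def review_formula(formula: str) -> tuple[bool, list[str]]:
    """Decide whether an agent-proposed formula may be written unattended.

    Returns (needs_human_approval, reasons). Any network-capable function
    is held for approval; one that also combines sheet data with a URL is
    the exfiltration shape described in the post and is reported as such.
    """
    body = formula.lstrip("=").upper()
    funcs = set(FUNC_CALL.findall(body))
    net = sorted(funcs & NETWORK_FUNCTIONS)
    refs = CELL_REF.findall(body)
    reasons: list[str] = []
    if net and URL.search(body) and (refs or "&" in body):
        reasons.append(f"{net} builds a URL from sheet data {refs}")
    elif net:
        reasons.append(f"{net} can reach the network")
    return (bool(reasons), reasons)
```

Run `review_formula` on every formula before the agent commits it, and treat a non-empty `hidden_text_cells` result on an import as a reason to show the user the hidden text rather than feed it to the model.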
But Ramp and I aren't alone — the exact same vulnerability was found in Anthropic's Claude for Excel. Anthropic literally wrote the book on AI safety, and positions itself as the thoughtful, cautious leader in the space. Yet they shipped an AI agent that could exfiltrate your data without asking. They've since patched it with a warning interstitial, but the fact that it shipped that way at all tells you something important: none of us is immune.
AI is exceptionally powerful, but it is important not to forget the "artificial" in "artificial intelligence". When agentic systems are given autonomy to act — to insert formulas, to execute commands, to modify production data — the "intelligence" in AI is what makes them effective. The artificial aspect of that intelligence, though, is what leaves them vulnerable to prompt injection, or even to a plainly misunderstood instruction.
My home lab incident and the Ramp vulnerability share the same root cause: an AI system with the ability to take real actions, operating without adequate human oversight. In my case, it was a mismatch between what I asked and what the agent understood, combined with insufficient guardrails. In Ramp's case, it was an agent that could insert arbitrary formulas without approval. Different scale, same problem.
As we rush to build agentic AI into every product and workflow — and believe me, as someone working in tech services, I see this every single day — we need to use our human intelligence in combination with artificial intelligence to allow for safe and effective adoption. Governance, guardrails, humans in the loop, and even saying "no" from time to time are all important tools in our toolbelts.
The fix isn't to stop building agents. It's to treat autonomy as a privilege, not a feature.