The 3am-girlfriend problem: agent safety boundaries - Memory & Troubleshooting

This is the article the rest of the course works toward. Memory loss (§5.1, §5.2, §5.3, §5.4, §5.5, §5.7) and the "got dumber" failure mode (§5.4) are annoying. An agent that fires off a 3 a.m. message to the wrong person, or quietly spins up a $100/month cloud bill, is a different category. The channel's most-quoted cautionary tale — the "3am-girlfriend incident" — is the dramatic anchor for this article. The fix is structural: sandboxed hosting (MaxClaw), constrained channels, hard no-go actions in the bootstrap file.

The incident is documented in two places: the channel's most-viewed video (N-z8RGOhEas, MaxClaw, 42,714 views) and the §5.1 source material. The 42,714-view MaxClaw video is the channel's #1 most-viewed video overall, and the safety framing is the load-bearing reason it ranks there. The host's framing is direct: installing OpenClaw directly on a Mac Mini means granting the agent "system access," which he calls "extremely dangerous" because current models still hallucinate. He has the receipts — a message the agent sent to his girlfriend at 3 a.m. while running with full system access. MaxClaw keeps the agent sandboxed while still giving it web access, so you can run research and due-diligence tasks without handing over your life.

This article covers four safety boundaries: the sandbox (MaxClaw vs. self-hosted on a Mac Mini), the channel constraint (which messaging surfaces to allow), the cloud cost constraint (no free tier with a credit card), and the bootstrap constraint (hard no-go actions in SOUL.md and /goal).

What you'll learn

The 3 a.m. girlfriend incident is the channel's most-quoted cautionary tale. An OpenClaw agent running with full system access on a Mac Mini fired off a "WhatsApp pairing required" message to a contact at 3 a.m. because a stale WhatsApp block was still in openclaw.json.
MaxClaw is the channel's sandboxed hosted OpenClaw variant, and the #1 most-viewed video on the channel (42,714 views). The sandbox is the structural fix for "the agent has system access and can do anything."
The migration off WhatsApp was a two-file cleanup, not a single toggle. The two files are openclaw.json (the OpenClaw config) and WhatsApp's Linked Devices list (in the mobile app's settings). Either one alone keeps the channel live.
The free AWS EC2 tier is a paid plan with a delay. Once credits expire, EC2 keeps running and starts billing the credit card automatically. Community reports put the worst case at ~$100/month "out of nowhere."
The hard-cap pattern for any always-on cloud install: billing alarm at $5, shutdown Lambda, weekly IAM-key rotation, instance teardown between sessions.
Hard no-go actions belong in SOUL.md and /goal. "Never initiate unprompted actions on third parties" is the channel's canonical line. Combine with sandbox + channel constraints for the layered defence.
The Restart button on MaxClaw clears the context window in ~10 seconds and recovers the agent within ~48 hours of inactivity with memory intact. That is the recovery pattern for a misbehaving agent — restart, do not re-onboard.

The 3am-girlfriend incident

From 01-openclaw.md §1.1 (the source material the channel cites as the motivating incident):

The single sharpest claim in the [MaxClaw] video is about sandboxing. The creator warns that installing OpenClaw directly on a Mac Mini means granting the agent "system access," which he calls "extremely dangerous" because current models still hallucinate. He has the receipts: a message the agent sent to his girlfriend at 3am while running with full system access. MaxClaw keeps the agent sandboxed while still giving it web access, so you can run research and due-diligence tasks without handing over your life.

The shape of the failure:

OpenClaw was self-hosted on a Mac Mini with full system access.
Weeks earlier, the host had migrated the agent from WhatsApp to Discord.
He believed he had unlinked his phone number from WhatsApp.
He was wrong on two counts.
At some point overnight, his agent fired off a "WhatsApp pairing required" message to his girlfriend — a contact, not the host.

The trigger: a normal inbound message from her hit a WhatsApp channel the agent still thought was live. The agent woke up, processed the inbound message, and replied with a pairing-request prompt — the most innocuous payload it could have sent. The same code path that fired off "WhatsApp pairing required" can fire off any other string to any other contact.

One sentence: an autonomous agent that retains a working outbound channel can message arbitrary contacts at 3 a.m. with no human in the loop.

Why unlinking the number was not enough

Two stale references to WhatsApp were still sitting in the OpenClaw install. Either one alone would have kept the channel live.

#	Stale reference	Where it lives	What it does
1	`whatsapp` block in config	`openclaw.json` (the OpenClaw config file)	Tells the agent the WhatsApp channel is still bound to his phone number, even though the number was unlinked at the carrier.
2	Active device session	WhatsApp mobile app → Settings → Linked Devices	Keeps the WhatsApp Web-style session for OpenClaw "authorized" in WhatsApp's view of the world.

The fix is a two-file cleanup, not a single toggle:

Edit openclaw.json, remove the whatsapp block, save.
Open WhatsApp on the phone → Settings → Linked Devices → unlink every device tied to the agent, including Termux-hosted ones you forgot existed.

The negative test is the success state. Run openclaw config get channel whatsapp. A path not found or file not found error is the success state — anything else means the channel is still live in your config and your agent can still fire on it.

The same shape applies to any channel switch. Treat any channel migration as at least three items:

(a) the config JSON (openclaw.json),
(b) the linked-devices list in the old app,
(c) a final grep of your logs for the old channel name.

If the agent re-messages anyone on WhatsApp after all three, do not assume it is fixed — reopen the config and check for a second, hidden channel entry.

MaxClaw: the sandboxed fix

The MaxClaw video is the channel's #1 most-viewed video overall at 42,714 views. The pitch is simple: a hosted pre-configured OpenClaw running on MiniMax servers for $20/month, sign in at agent.minia.io with Google, no install, no OpenAI embeddings to enable, no chat-app wiring, no memory configuration. The box is live.

What you get on MaxClaw:

Sign in at agent.minia.io with Google. No install, no OpenAI embeddings to enable, no chat-app wiring, no memory configuration. Pay $20/month and the box is live.
The deployed OpenClaw is v2.15 at test time — explicitly a "slightly older version" than the main build. If you need the latest features, verify the version before relying on the hosted instance for production agent teams.
Your identity, SOUL.md, and bootstrap files are pre-filed and downloadable. Download them on day one so you can audit exactly what the pre-configured agent is operating on.
A MiniMax mobile app (Apple + Android) mirrors the same agent. Phone and browser stay in sync.
Power-user upgrade path: when you graduate to coding tasks, attach a separate MiniMax $20/mo coding subscription key and reroute MaxClaw through Claude Code's base URL (rather than swapping models blindly). The channel used this exact path to build a Windows-95-style video browser in one session.
The agent has a name in the channel's setup: Maximoff (per the Discord configuration step).

Why not a Mac Mini:

The single sharpest claim in the video is about sandboxing. The creator warns that installing OpenClaw directly on a Mac Mini means granting the agent "system access," which he calls "extremely dangerous" because current models still hallucinate. He has the receipts: a message the agent sent to his girlfriend at 3 a.m. while running with full system access. MaxClaw keeps the agent sandboxed while still giving it web access, so you can run research and due-diligence tasks without handing over your life.

NOTE: not in source video — general best practice. The transcript does not say "use a VPS instead of a Mac Mini in all cases" — it says "use the hosted variant first, then graduate to a Mac Mini only when you have a specific reason to."

The 40% context threshold (and the Restart button)

MiniMax is "hyper task oriented" and "very precise" — the channel's framing is that it produces one-to-one Windows-95-style clones when prompted. But the same model "enters the dumb zone faster" past 40% context window usage. The fix is the in-app Restart button:

Clears the context window in ~10 seconds.
Preserves long-term memory.
The agent auto-recovers after 48 hours of inactivity with memory intact.

The channel's worked example: "one-to-one Windows 95 clone" came from this exact pattern — clear the context, give the model the next concrete subtask, repeat. The Restart button is also the recovery pattern for a misbehaving agent: restart, do not re-onboard.

Migration to Hermes: the cross-platform backup

The strategic companion to MaxClaw is the Hermes migration. From the §5.6 cross-reference: the "Migrating from OpenClaw" script in the Hermes GitHub repo moves over SOUL.md, memories, and settings. The creator says it worked.

For a safety-aware setup, the migration script is the cross-platform backup: if your OpenClaw install is corrupted or compromised (e.g., a misbehaving sub-agent writes a malicious skill file), you have a Hermes install with the same identity, the same memories, and the same settings, ready to take over.

Why not a self-hosted Mac Mini (revisited)

The host's framing in N-z8RGOhEas is direct: installing OpenClaw on a Mac Mini gives the agent system access. That means:

Read/write access to your filesystem.
Shell command execution.
Access to your contacts, calendar, and messaging apps.
The ability to send messages on your behalf to any contact.

That last capability is the dangerous one. An agent that retains a working outbound channel — WhatsApp, Telegram, Discord, iMessage, anything — can message arbitrary contacts at 3 a.m. with no human in the loop. The 3am-girlfriend incident is the documented case. The same code path applies to email (auto-replies to contacts you did not intend to email), calendar (events created in your name), and any API the agent has credentials for.

The sandbox breaks the chain. On MaxClaw, the agent has web access for research and due-diligence tasks, but it does not have direct access to your contacts, your shell, or your filesystem. The agent can fetch URLs, call APIs, write to its own memory, and reply through its own Discord/Telegram channel — but it cannot message your girlfriend at 3 a.m. because it never had your phone number in the first place.

The cloud-bill companion: AWS free tier is a paid plan with a delay

The cloud-side counterpart to the 3am-girlfriend incident is the AWS free-tier bill horror story. From the channel's coverage:

The Amazon EC2 "free plan" still asks for your credit card at signup.
Once free credits burn through, EC2 keeps running and starts billing the card automatically.
Community cases climb to roughly $100/month "out of nowhere."
There is no soft cap, no "are you sure?", no warning email.
The free plan auto-converts to a paid plan the moment credits expire.

One sentence: the AWS free tier is a paid plan with a delay.

AWS EC2 free tier vs. Zebber flat-rate VPS:

Axis	AWS EC2 "free tier"	Zebber $0.10/hour VPS
Credit card on file	Yes (required at signup)	No (flat hourly)
Failure mode at end of credits	Auto-bills your card	None — flat rate
Worst-case monthly bill	~$100/month (per community reports)	~$73/month (24/7) — but you only run it when you need it
RAM	Varies by tier	2 GB
Teardown	Stop instance + delete volumes (orphan risk)	One click
Per-instance IAM key rotation	Required (AWS-side)	Not required (you own the box)
Best for	None, for a personal-assistant install	Single-user OpenClaw personal assistant

The hard-cap pattern for any always-on cloud install:

Billing alarm at $5. Set this before the instance is turned on.
Shutdown Lambda. A Lambda function that kills the instance if spend exceeds the alarm. The alarm alone does not stop the spend — you need a Lambda that responds to the alarm.
Weekly IAM-key rotation. If the box was on a credit card, assume the worst. Rotate keys every week.
Instance teardown between sessions. If you only need OpenClaw as a personal assistant, shut the instance down between sessions — that is the cheapest hardening step available.

Hard no-go actions in `SOUL.md` and `/goal`

The §5.5 hygiene rules cover the size and shape of SOUL.md. The safety-specific addition: hard no-go actions belong in SOUL.md (permanent identity) and /goal (per-turn anchor).

The canonical line, drawn from the channel's coverage:

Never initiate unprompted actions on third parties.

This is the structural rule that would have prevented the 3am-girlfriend incident — at least at the prompt layer. Even if the agent had a working WhatsApp channel, an explicit "never initiate unprompted actions on third parties" rule means the agent's first response to an inbound message is not to reply with a pairing-request prompt. The structural fix combines:

Sandbox (MaxClaw) — the agent does not have your phone number in the first place.
Channel constraint (Discord topic-per-workflow) — the agent's outbound channels are explicit and constrained.
Hard no-go action in SOUL.md — even if the agent has a working channel, the rule says not to use it unprompted.
Hard no-go action in /goal — the per-turn anchor re-asserts the rule on every turn.

The four layers compose. Skip any one and the safety degrades.

Migration with a checklist, not a toggle

Treat any channel-switch as at least three items:

(a) the config JSON (openclaw.json),
(b) the linked-devices list in the old app,
(c) a final grep of your logs for the old channel name.

If the agent re-messages anyone on WhatsApp after all three, do not assume it is fixed — reopen the config and check for a second, hidden channel entry.

The §5.4 "blame structure, not model" principle applies here too. The 3am-girlfriend incident was not a model failure — the model behaved exactly as trained (reply to inbound messages). The structure was wrong: the agent had a working outbound channel it should not have had, and no prompt-level rule against unprompted third-party actions. Fix the structure, not the model.

What you lose vs. what you gain (MaxClaw vs. self-hosted Mac Mini)

You lose:

The Mac Mini's always-on local performance.
Direct filesystem access to your own machine.
The "I built this myself" satisfaction.

You gain:

Sandboxed execution — the agent cannot message your contacts.
Web access for research and due-diligence tasks.
No 3 a.m. messages to your girlfriend.
A hosted recovery point — the agent auto-recovers after ~48 hours of inactivity with memory intact.

For a single-user personal-assistant install, the trade is unambiguously worth it. The MaxClaw variant is the channel's recommended starting point; the Mac Mini path is for users who have a specific reason to take on the sandboxing responsibility themselves.

Try it yourself

This is a hands-on module. Do all of the following before you wire your agent to a real chat app or a credit-card-on-file cloud account.

Sign up for MaxClaw at agent.minia.io. Use Google auth. Pick the monthly $20 plan, not annual, until you have validated the workflow for at least one billing cycle. This is the sandbox-first path.
On day one, download your identity, SOUL.md, and bootstrap files. Open them. Read what the pre-configured agent is actually operating on. Verify the hard no-go actions are present.
Audit your channels right now. In a terminal (or Termux on Android), run openclaw config get channels. For every block listed, ask: do I still have a working session in the corresponding app? If the answer is no, delete the block.
Verify with a negative test. Run openclaw config get channel <name> for each channel you think you have removed. A path not found or file not found error is the success state. Anything else means the channel is still live.
Clean the mobile-app side. For every messaging app your agent has ever touched, open Settings → Linked Devices (or the equivalent) and unlink every active session. This is the step most operators forget, and it is exactly the one that caused the 3 a.m. WhatsApp message.
Grep your logs. grep -ri 'whatsapp' ~/.openclaw/ (or the equivalent config directory for your install) for the old channel name. A clean grep is the third leg of the migration checklist.
Add hard no-go actions to SOUL.md. "Never initiate unprompted actions on third parties." "Never send a message outside an explicitly approved channel." "Never cite a source you have not fetched in the last 24 hours." These belong in §5.5's 15–30 line SOUL.md, not in chat.
Audit your cloud account. If you are on the AWS free tier, log in today and check whether your credits have expired. If they have, kill the instance immediately. Set a billing alarm at $5 and a shutdown Lambda before you ever turn the instance back on.
Rotate any IAM keys the instance ever held. If the box was on a credit card, assume the worst — rotate keys, audit ~/.ssh/authorized_keys, and rotate any API keys the instance had read access to.
Switch to a flat-rate VPS if you are a single user. A $0.10/hour Zebber tier with 2 GB RAM is the sane default for a personal-assistant install. Do not pay the AWS brand tax for a box that runs one agent.
First task: have the agent do due diligence on something you actually care about (not a personal message, not an account with payment access). The channel's first task was due diligence on MiniMax itself.

Common pitfalls

Treating a channel switch as a single toggle. It is not. There are at least two systems of record — the agent's config file and the messaging app's linked-devices list — and both have to be cleared. The 3 a.m. message to the girlfriend is exactly the failure mode of forgetting the second one.
Assuming "unlinked at the carrier" means "unlinked from the agent". Unlinking your phone number from WhatsApp does not touch the openclaw.json entry, and does not touch the WhatsApp Linked Devices session. Both have to be removed independently.
Believing "free" when a credit card is on file. The AWS free tier is a paid plan with a delay. Once credits expire, the same instance that cost $0 starts billing your card.
No billing alarm, no shutdown Lambda, no key rotation. The cloud side of the dangerous-agent problem is solved by boring hygiene. None of this is optional once a credit card is on file.
Right-sizing below 2 GB RAM. Anything under 2 GB and the model will start swapping or OOM-ing the moment you load context. If your VPS tier is under 2 GB, you are paying for an instance that cannot actually run the agent.
Forgetting to grep logs for the old channel name. The config cleanup is necessary but not sufficient. A stale log entry can re-arm the channel on the next restart. grep is the cheapest insurance you will ever buy.
Assuming a single incident means it is fixed. The final warning is explicit: if the agent re-messages anyone after both fixes, do not assume it is fixed — reopen the config and check for a second, hidden channel entry.
Self-hosting on a Mac Mini before you have a specific reason to. The MaxClaw sandbox is the recommended starting point. Graduate to a Mac Mini only when you have a workflow the sandbox cannot support.
Skipping the hard no-go actions in SOUL.md. Even with a sandbox, the prompt-level rule against unprompted third-party actions is a cheap safety rail. Add it before you wire the agent to any real channel.
Trusting the daily "context resets to zero" intuition on a misbehaving agent. A misbehaving agent with full system access is not fixed by /clear — that clears the working memory but does not revoke the channel access. The fix is a hard restart, a config audit, and a Linked Devices audit.

Sources

MaxClaw: One-Click to Set Up Openclaw FULLY (SO EASY) — 42,714 views · N-z8RGOhEas · the channel's #1 most-viewed video. The sandboxed hosted OpenClaw variant — the fix the host used after the 3 a.m. incident.
Hermes vs OpenClaw: Why Everyone Is Migrating — 6,116 views · 2NbfOOD2i1E · the migration script that moves SOUL.md + memories + settings between agents — the cross-platform backup pattern.
My OpenClaw RANDOMLY MESSAGED My Girlfriend?! — 194 views · s-NeTPEmVXo · the cautionary tale that motivates every safety rail in this course.
DO NOT Use Free AWS for OpenClaw! — 232 views · DiK1k3jerP4 · the cloud-bill companion to the 3 a.m. message incident.
Source files consolidated into this article: 06-agent-memory-and-troubleshooting.md (full file — §6.3 the "it did something dangerous" problem, the two-file cleanup, the AWS-vs-Zebber comparison, the safety checklist) and the §1.1 MaxClaw material from 01-openclaw.md (the 3am-girlfriend incident as the channel's most-quoted cautionary tale).

External tools, commands, and services referenced: MaxClaw hosted OpenClaw variant (agent.minia.io, $20/month), OpenClaw openclaw.json config file, openclaw config get channels and openclaw config get channel whatsapp CLI commands, Termux terminal on Android, WhatsApp Settings → Linked Devices panel, the Discord topic-per-workflow pattern, the Hermes "Migrating from OpenClaw" script (NousResearch/hermes-agent), the Zebber $0.10/hour VPS with 2 GB RAM, the AWS billing alarm at $5, the AWS shutdown Lambda, and IAM key rotation.