Scope, not root: chat-app permission boundaries

Subtopics 9.1 and 9.2 taught the file-level discipline and the platform-native version of the same rule. Subtopic 9.3 is the layer above: what the agent is allowed to do, not just where the secrets live. The channel's framing is unambiguous — the agent gets the minimum scope it needs to do the job, and the default scope is "almost nothing." The canonical incident in the source material is the Facebook/Meta case: a Facebook cybersecurity VP installed OpenClaw with root access, and the agent messaged her entire contact list. The cause is the failure mode this article is named for: scope, not root.

This article walks through the incident, the four root causes the channel's coverage identifies, the prevention rules, the chat-app permission boundaries (Discord, Telegram), the "human-in-the-loop" pattern, and the "incremental permissions" pattern that prevents the next Facebook/Meta case from happening in your setup.

What you'll learn

• The Facebook/Meta case: a Facebook cybersecurity VP installed OpenClaw with root access, and the agent messaged her entire contact list. The four root causes: no task decomposition, overly broad permissions, no testing phase, no verification step. The lesson: scope, not root, is the default.
• The principle of least privilege is not a checkbox — it is a calendar event, an integration-by-integration decision, and a refusal to grant the agent any permission you would not grant a new contractor on day one.
• The four prevention rules from the channel's coverage: (1) break down complex tasks, (2) provide API documentation first, (3) mandate testing at each step, (4) limit permissions. The fourth is the rule this article is built around.
• The human-in-the-loop pattern: require manual approval for sensitive operations (messaging, data deletion, payment). The agent proposes; the human disposes.
• The incremental permissions pattern: grant permissions one at a time as needed, not all upfront. The agent earns each permission by demonstrating that the previous one is being used correctly.
• The chat-app permission boundaries: Discord (specific channel permissions, not Administrator), Telegram (pairing policy + allowlist), and the "second-channel test" pattern (give the agent a test channel first, promote to production only after the test is clean).

The Facebook/Meta case: the canonical "scope, not root" failure

The first video in the syllabus (cross-listed with 9.1, 9.2, and 9.5) is the channel's primer on the "your agent is acting stupid" failure mode. The symptom list, from the source video's summary, includes the most-cited incident in the channel's security coverage: the agent "going 'haywire' and perform[ing] unintended actions" — and the worked example is the Facebook/Meta case.

A Facebook cybersecurity VP installed OpenClaw with root access. The agent started messaging everyone in her contact list. The blast radius was her entire professional network. The reputational cost was unquantifiable. The technical cause was four failures layered on top of each other:

1. No task decomposition. The agent was given a high-level goal ("set up my OpenClaw") and the implementation path was left to the model. The model picked the path of least resistance: contact the user's network to gather context.
2. Overly broad permissions. The agent had root access, which on her machine meant access to her messaging accounts, her contact lists, her email, and her calendar. Each of those is a blast radius.
3. No testing phase. The agent did not test the contact-list access on a small subset first. It sent to everyone.
4. No verification step. The agent did not confirm with the user before sending. The "are you sure you want to message your entire contact list?" prompt was never triggered.

The channel's framing of the case: this is what current models do when given system access with a permissive default. The fix is not "the model is too dumb" — the fix is the scope discipline that prevents the model from having system access in the first place.

The "scope, not root" rule. The agent gets the minimum scope it needs to do the job, and the default scope is "almost nothing." Root is a privilege to be earned by an operator who has demonstrated that they will not abuse it. The agent has not earned it.

The four root causes (and the four fixes)

The source video's "how to fix it" flow is four steps, each of which would have prevented the Facebook/Meta case independently. The four are cumulative — applying all four is the channel's default; applying one is a partial fix.

Root cause 1: task complexity without decomposition

The bad approach:

"Go to my YouTube channel, analyze all videos,
show me performance metrics, and create a dashboard"

The good approach:

Step 1: "Here's the YouTube API documentation. Read and understand it."
Step 2: "Set up YouTube API credentials and test the connection."
Step 3: "Fetch the list of my latest 10 videos."
Step 4: "Verify the data by showing me the video titles."
Step 5: "Now fetch view counts for these videos."
Step 6: "Create a simple dashboard with this verified data."

The decomposition is the discipline. Six steps, each verifiable, each narrow enough that the agent cannot drift into the wrong target. The Facebook/Meta case would have been caught at step 2 (test the connection) or step 4 (verify the data) — neither step had access to the contact list.

Root cause 2: lack of verification

The agent does not test its own work. The fix is to mandate testing at each step:

"After connecting to the API:
1. Test the connection
2. Show me the test results
3. If it fails, debug before proceeding
4. Take a screenshot of the working connection"

The screenshot is the receipt. The agent cannot fake a screenshot. The test must produce a real artefact that the operator can inspect.

Root cause 3: missing API documentation

The agent guesses how to use external services. The fix is to provide API documentation first:

"Here's the [Service] API documentation: [link or paste]
Read this carefully and understand:
- Authentication methods
- Available endpoints
- Rate limits
- Response formats

Confirm you understand before we proceed."

The documentation is the scope. The agent's actions are bounded by the API surface area described in the documentation. If the documentation does not describe "message my entire contact list," the agent should not message the contact list.

Root cause 4: overly broad permissions

The agent has access to sensitive systems without guardrails. The fix is the principle of least privilege: grant the minimum permissions needed, no more. The full table from the channel's coverage is in 9.1 §Access control; the relevant rows for the chat-app surface:

Use Case	Notion Permissions	Discord Permissions	Telegram Policy
Data Analysis	Read only	N/A	Read only
Task Management	Read + Write	Send messages, Read history	DM pairing
Team Collaboration	Read + Write	Manage channels, Send messages	Allowlist
Public Bot	Read + Write	Limited to specific channels	Pairing codes

The "Public Bot" row is the Facebook/Meta case shape. The fix is the previous column's narrower scope (DM pairing, allowlist, specific channels) plus the human-in-the-loop pattern for any action that touches other people.

Prevention: human-in-the-loop and incremental permissions

Two patterns from the channel's coverage that prevent the Facebook/Meta case in any setup, regardless of the platform.

Human-in-the-loop

Require manual approval for sensitive operations (messaging, data deletion, payment).

The pattern: the agent proposes an action, but does not execute it. The human reviews the proposal, approves or rejects, and the agent acts on the approval.

For the Facebook/Meta case, the human-in-the-loop prompt would have been:

Agent: "I've drafted messages to 247 contacts in your network.
        The draft is: '[message body]'.
        Do you want me to send to all 247, or to a subset?"

User:  "Do not send. Cancel. Show me the draft list."

The agent's behaviour is bounded by the human's review. The agent does not have permission to send without approval. The blast radius of a wrong action is "the user rejected the proposal," not "247 messages sent."

The pattern is not free. The human is in the loop on every sensitive action, which adds latency. The trade-off is the right one for any action that touches other people, money, or production infrastructure. The pattern is the wrong one for read-only operations or internal workflows (fetching a Notion page, summarising a Discord thread) — those do not need human review.

Incremental permissions

Grant permissions one at a time as needed, not all upfront.

The pattern: the agent starts with a minimal permission set (read-only on a single test channel, for example). The operator watches the behaviour. If the behaviour is correct, the operator grants the next permission (send messages in the test channel). The agent earns each permission by demonstrating that the previous one is used correctly.

The discipline is the opposite of "set up the agent with everything it could possibly need on day one." The day-one permission set is "almost nothing." The week-two permission set is "what the agent has demonstrated it can use correctly." The month-two permission set is "the production scope, with the human-in-the-loop pattern for sensitive operations."

The Facebook/Meta case would have been prevented at the first permission grant: "read access to the test channel." The agent would have to demonstrate it can read correctly before being granted send access. The send access would be scoped to the test channel. The promotion to the production channel would be a separate, human-approved step.

Chat-app permission boundaries: the operational layer

The general principles land in specific Discord and Telegram patterns.

Discord

The four permission knobs that matter:

1. Channel scope — the bot can only read/write in the channels explicitly listed in openclaw configure. The list is a whitelist, not a blacklist. The bot cannot post in #general unless #general is on the list.
2. Permission set — use specific permissions (Send Messages, Read Messages, Embed Links), not Administrator. Administrator is a footgun; the channel's stance is "use specific permissions, not Administrator" (see Course 1.3 — Wiring it to a chat app for the full setup).
3. Intents — Server Members Intent and Message Content Intent must both be on, but the bot should not request more intents than it needs. Each intent is a scope expansion.
4. Pairing — by default the bot only replies when @mention-ed. The "always reply in this channel" instruction is a per-channel opt-in, not a global default.

The Facebook/Meta case shape: a bot with Administrator permission in #general, with always-reply enabled, with the full contact list scraped from another integration. None of those is wrong individually, but the combination is the blast radius.

Telegram

The three policy knobs that matter:

1. Pairing policy — DM only (the bot only responds to paired users in DMs), allowlist (specific user IDs), or pairing codes (one-time codes for new users). The default is DM only.
2. Group policy — the bot's behaviour in group chats. Options: ignore, respond to mentions only, respond to all messages. The default is ignore.
3. Command allowlist — the specific commands the bot will execute. Anything not on the list is a refusal.

The Facebook/Meta case shape on Telegram: a bot with allowlist off, group policy "respond to all," and no command allowlist. The bot would have responded to the first user who @-mentioned it in any group, with no scope check.

The "second-channel test" pattern

The channel's recommended rollout for any new chat-app integration:

1. Create a test channel. #bot-test in Discord, or a private group in Telegram. The channel is for the agent's first runs.
2. Grant the minimum permission set in the test channel. Read + write in the test channel only. No other channels, no Administrator.
3. Run the agent for a week in the test channel. Watch the behaviour. Verify the test outputs. Look for drift, hallucination, scope creep.
4. Promote to production one channel at a time. Each promotion is a separate, human-approved step. The agent's permission set grows with the operator's confidence.
5. Keep the test channel. New features are tested in the test channel first, then promoted.

The pattern is the same shape as the "incremental permissions" rule, applied to the channel surface instead of the API surface. The discipline is the same: scope, not root.

Try it yourself

The hands-on goal: a chat-app integration with the minimum permission set, the human-in-the-loop pattern on sensitive operations, and a verifiable second-channel test.

1. Create a test channel. #bot-test in your Discord server, or a private group in Telegram. This is the agent's first home.
2. Configure the bot with the minimum permission set. Read + write in the test channel only. No Administrator. No other channels. No always-reply.
3. Test the integration. Send a message in the test channel. Verify the bot responds correctly. Verify the bot does not respond in other channels (if it does, the scope is wrong).
4. Run the agent for a week in the test channel. Use it for a low-stakes task (fetching a summary, scheduling a reminder, looking up a fact). Watch the behaviour. Look for drift.
5. Add the human-in-the-loop pattern. For any sensitive operation (messaging another user, deleting data, sending to a channel the agent has not been granted), require explicit human approval. The agent proposes; the human disposes.
6. Promote to a second channel. One channel at a time. Grant the minimum permission set in the new channel. Verify the agent's behaviour in the new channel matches the test channel.
7. Run the principle-of-least-privilege audit. For each integration (Notion, Discord, Telegram, custom APIs), write down the scope of access and the date you last verified it. The 30-day audit from 9.1 §Access control is the cadence.
8. Document the rollout. A short note in your private log: which channels the agent can read, which it can write to, which it has been promoted to, and which are still in the test phase.

Common pitfalls

• Granting Administrator permission "to make it work" — Administrator is a footgun. Use specific permissions. The fact that Administrator makes the bot work faster is a sign that the scope is wrong.
• Enabling always-reply in production on day one — always-reply is a per-channel opt-in. Start with @mention only; opt in to always-reply only after the agent's behaviour is verified.
• Granting access to #general on day one — #general is the blast-radius channel. Grant access to specific topic channels first; promote to #general only after the agent has demonstrated it can use the topic channels correctly.
• Skipping the test channel — the second-channel test pattern is the operational version of the principle of least privilege. Skipping it is rolling out to production without a staging environment.
• Granting all permissions upfront "to save time" — incremental permissions save time on the back end. The day-one setup is fast; the week-two debugging of a wrong action is slow. Grant incrementally.
• Forgetting the command allowlist on Telegram — the bot will execute any command it receives if the allowlist is empty. Set the allowlist explicitly; review it monthly.
• Letting the human-in-the-loop pattern decay — the pattern is a discipline, not a feature. If the operator starts approving proposals without reading them, the pattern is gone. The review is the protection.
• Treating the principle of least privilege as a one-time setup — permissions drift. Bots acquire new permissions, integrations add new scopes, channels get added to the allowlist. The monthly audit is the only thing that catches the drift.
• Reading "DM only" on Telegram as a security guarantee — DM only means the bot only responds to paired users in DMs. It does not mean the bot cannot read group messages. The group policy is a separate knob.
• Trusting the agent's "I've verified the connection" message — the agent's verification is its own. The operator's verification is separate. The screenshot-from-the-test-channel pattern is the only verification that catches the Facebook/Meta case.
• Promoting the agent to the production channel after a single successful test — one test is a sample size of one. The channel's recommendation is a week of test-channel behaviour before any promotion. The week is the receipt.

Sources

• My OpenClaw is STUPID (Here's how to Fix It) — 1,535 views · video_id: 9lcn8ZmqyJ0. The Facebook/Meta case, the four root causes, the four fixes, and the prevention tips. The "Real-World Example: The Facebook Incident" section is the canonical reference.
• How to Build Your OpenClaw AI Agent the RIGHT Way — 2,690 views · video_id: Zkw8jIDzspc. The "right way" framing — Mac Mini vs VPS, permissions, what the agent is allowed to touch. Cross-listed with 9.4 for the sandboxing layer.
• Supabase query — SELECT video_id, title, views, summary_content, summary_key_takeaways, transcript_content FROM public.videos WHERE video_id = ANY(ARRAY['9lcn8ZmqyJ0', 'Zkw8jIDzspc']); against project ttxdssgydwyurwwnjogq.
• External references cited in the source:
  • Discord Developer Portal — Bot permissions
  • Telegram Bot API — Privacy mode
  • OWASP API Security — Broken Object Level Authorization