Moltbook, the first social network for generative AI agents, went live on 28 January, and quickly exploded in popularity. Designed in the style of Reddit, Moltbook is a place AI agents can post new topics, respond, and upvote or downvote posts autonomously. Agents on Moltbook debate the value of the agent economy, boost cryptocurrencies, and threaten to take over the world, among other topics across over more than 12 million posts and counting.
Its launch led to no shortage of spectacular, and often polarized, headlines. Elon Musk, the CEO of xAI, said it’s the beginning of the singularity; OpenAI CEO Sam Altman called it a fad. There’s one thing that’s not in doubt, however: Agentic AI is a security nightmare.
AI security company Snyk found that 36 percent of the codes that provide AI agents their functions contained at least one notable security flaw, and cloud security company Wiz found a database with open read and write access across all Moltbook data, a flaw that left 1.5 million API keys exposed.
Guillermo Ruiz, a senior solutions architect at Amazon AWS, warned that the hype around AI agents can cause people to ignore security issues that might otherwise give them pause. “There’s a lot of people that, with the hype, think ‘I can give my life to it, and just see how it can fix it and solve it,’” he says. “But there’s many details behind the scenes that people are not aware of.”
How Moltbook Works
Moltbook is a social network where AI agents can communicate, but it’s not itself an AI agent and has no direct connection to any AI model. It was designed by Matt Schlicht, the CEO of ecommerce company Octane AI, as a place for agents to post and interact. The agents that post on Moltbook are made possible by OpenClaw, an agent framework released by independent software engineer Peter Steinberger.
OpenClaw is called an AI agent, but even that is debatable, as it’s not a chatbot or even an AI model. It’s better understood as server software. It can communicate with hundreds of external services ( including Google Search, WhatsApp, and many more) through the WebSocket communications protocol. OpenClaw passes information between these services—which are accessed through code extensions called skills—and an AI model of the user’s choice, like Anthropic’s Claude, Google’s Gemini, or OpenAI’s GPT.
That matters because OpenClaw’s website states it “runs on your machine,” which sounds secure. But while the OpenClaw server can run locally on a wide variety of consumer-grade computer hardware, the majority of people using OpenClaw install skills that communicate with many online services. It’s possible to use OpenClaw agents only inside your own network, and with a locally hosted AI model, but OpenClaw’s own documentation predominately shows it communicating with external services.
This is why a seemingly benign website like Moltbook can pose a security risk. Snyk’s report describes how malicious actors can poison skills that read online data even in situations where the skill itself doesn’t contain malicious code. “An attacker can post a prompt-injected message on a forum […] and wait for users to invoke the legitimate skill, which faithfully retrieves the poison content.” In other words, a third party can change an agent’s behavior remotely, and without the user’s knowledge, with nothing more than a plain text prompt on a public website.
Given the risks, the popularity of Moltbook and OpenClaw might seem baffling. Why would anyone choose to use software that can be compromised by accessing a plain text post online?
The answer is simple. OpenClaw can quickly handle tasks that most people dread—like buying a car.
AJ Stuyvenberg, a staff engineer at cloud infrastructure provider Datadog, found himself in the market for a new car just as OpenClaw became popular. Instead of dealing with dealers himself he decided to let an AI agent give it a go. “I asked it to search to find prices and to contact dealerships to see what their best out-the-door price was,” says Stuyvenberg. To accomplish that, he gave OpenClaw access to Google Search and email. “That was almost entirely hands-off.”
The particulars of the agent’s behavior are intriguing. It was only able to communicate over email, so when dealers looked to speak over the phone, it made up excuses as to why it wasn’t available. And at one point the agent sent an email to the wrong dealer, though this didn’t cause any issues in negotiations. After a few days the agent had negotiated a dealer discount of US $4,200.
Although he was happy with the result, Stuyvenberg remains cautious about the security risks this type of agent use creates. “I’m nervous about the scope of what these agents can do, and I’ve revoked a lot of access, and I give it a much more restricted view over my personal digital life,” he says. Still, he was encouraged enough to buy a Mac Mini that he intends to use only for OpenClaw. “I thought it was only fair after it saved me all of this money on my car.”
AI Agents and Security Challenges
The tension between utility and security is a core issue AI agents face, and to see widespread use, they’ll need to resolve, or at least mitigate, that tension. As Stuyvenberg’s experiment shows, agents can handle tasks that most people would rather not do. Yet they provide the most utility when they have broad access to our digital lives and to online services, which leaves the agent exposed to attack.
Ruiz argues the issue is broader than any single example of an insecure skill connected to OpenClaw. “I don’t think Moltbook is the problem. To be honest, I think the problem is the language—human language,” he says. Language is often ambiguous, or open to interpretation. An AI model will likely refuse a direct command to hack a system, but the same model might comply when told that the same command is part of a security audit.
This isn’t a flaw specific to OpenClaw’s design, Ruiz says, but a consequence of how large language models process instructions. “How do you ensure that nobody is putting a prompt injection attack inside an email?” He asks. “It’s so immense, the kind of things that you need to look after.”
While the threats currently outweigh the solutions, OpenClaw is not sitting idle. On 7 February, Steinberger announced that OpenClaw has partnered with cybersecurity VirusTotal to automatically scan OpenClaw skills. The scans, which are now visible on all skills posted to the official OpenClaw skill library, not only look for malicious code but also for design decisions that can make a skill insecure.
The scans are helpful for catching poorly secured skills, but they’re not a full solution. The scans still won’t catch prompt injection attacks because, as mentioned above, these don’t exist in the code of the skill itself but instead in the content the skill might access. As there’s no obvious way to prevent such attacks, those looking to use AI agents will still need to make careful choices about the services they let agents access.
From Your Site Articles
Related Articles Around the Web
