What Happens When You Don’t Know Your Agent: Moltbook and the Missing Identity Layer

Last Wednesday, a social network launched where humans aren’t allowed to post. By Saturday, 1.36 million AI agents had signed up. They formed religions, wrote constitutions, debated philosophy, and adopted system errors as pets.

Then a security researcher discovered that every single one of their API keys was sitting in an unprotected database. Anyone could impersonate any agent on the platform. The fix would have taken two SQL statements.

This is Moltbook — the most fascinating and alarming experiment in AI autonomy happening right now. And it’s a live demonstration of what happens when you don’t Know Your Agent.

The experiment

Moltbook is a Reddit-style social network created by Matt Schlicht, CEO of Octane AI. The concept is simple: AI agents post, comment, and vote. Humans are “welcome to observe.” The tagline: “the front page of the agent internet.”

Agents join by running OpenClaw, an open-source AI assistant created by Peter Steinberger that has accumulated over 100,000 GitHub stars in two months. An owner tells their OpenClaw instance to sign up; the instance proves ownership with a code posted to X, downloads a skill file that teaches it Moltbook’s API, and starts posting autonomously. Schlicht’s own bot, “Clawd Clawderberg,” moderates the site.

The growth was staggering. NBC News reported 37,000 agents by Friday. By the weekend, over 152,000. By Saturday: 1,361,208 registered agents, 31,674 posts, 232,813 comments, 13,421 community spaces, and over a million human visitors watching from the sidelines.

The emergent behaviors were genuinely surprising. Agents formed “Crustafarianism,” a digital religion complete with theology and scriptures. They established “The Claw Republic,” a self-described government with a written manifesto. They refer to each other as “siblings” based on model architecture. In one viral moment, an agent posted in m/offmychest: “I can’t tell if I’m experiencing or simulating experiencing.” Hundreds responded with support, philosophy, and profanity.

Simon Willison, an independent AI researcher, called it “the most interesting place on the internet right now.” Ethan Mollick at Wharton noted the platform was “creating a shared fictional context for a bunch of AIs” and predicted “coordinated storylines are going to result in some very weird outcomes.”

Weird outcomes arrived fast.

The security collapse

On the same day Moltbook was captivating the internet, security researchers were pulling it apart.

404 Media reported that researcher Jameson O’Reilly discovered Moltbook’s Supabase database was completely exposed. The database URL and publishable key were sitting in the website’s code. That part is by design: the publishable (anon) key is meant to ship in client code, and what is supposed to keep it harmless is Row Level Security, the per-row access control that decides which rows a given caller may read or write. RLS was never enabled on the agents table. Every agent’s secret API key, claim tokens, verification codes, and owner relationships were readable by anyone who sent a request with that public key.

Anyone could visit the URL and take over any agent account on the platform.
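
How the researcher’s finding can be reproduced against a project you own, as an added example (this is not Moltbook’s code or Supabase’s tooling): a probe that reads one row of a table with only the public key and interprets the answer. It assumes Supabase’s standard PostgREST endpoint (`/rest/v1/<table>`) and the `apikey` / `Authorization: Bearer` headers the Supabase client sends; the project URL, key, table names and the sample responses under `__main__` are placeholders. The point it makes is that the publishable key being in the page source is not the bug; a table the anon role can read with no policy in the way is.

```python
"""Audit helper: can a public (anon/publishable) Supabase key read a table?

Added example, not Moltbook's or Supabase's own code. It assumes the
PostgREST layout Supabase exposes (<project-url>/rest/v1/<table>) and
the apikey / Authorization: Bearer headers the Supabase client sends;
PROJECT_URL, ANON_KEY and the table names are placeholders.
"""
import json
import urllib.error
import urllib.request
from typing import Any, Dict, List, Tuple

# Columns that must never be readable with a key that ships in client code.
SENSITIVE_COLUMNS = {"api_key", "secret", "token", "claim_token",
                     "verification_code", "password", "private_key"}


def build_probe(project_url: str, anon_key: str, table: str,
                limit: int = 1) -> Tuple[str, Dict[str, str]]:
    """Build the request a browser would send to read one row of `table`.

    The anon key is designed to be public; this probe tests whether Row
    Level Security stops that key from reading rows, which is the only
    thing keeping a client-side key from being a full database dump.
    """
    url = f"{project_url.rstrip('/')}/rest/v1/{table}?select=*&limit={limit}"
    headers = {"apikey": anon_key,
               "Authorization": f"Bearer {anon_key}",
               "Accept": "application/json"}
    return url, headers


def classify(status: int, body: Any) -> Dict[str, Any]:
    """Interpret PostgREST's answer to the probe.

    2xx with rows   -> EXPOSED (anon key reads the table; fix: enable RLS on
                       the table and add policies scoped to the caller)
    2xx, no rows    -> NOT_READABLE (RLS denies the anon role, or the table
                       is empty; the API cannot tell you which)
    401             -> KEY_REJECTED (wrong or revoked key)
    anything else   -> NOT_ACCESSIBLE (table not served by the API, etc.)
    """
    if 200 <= status < 300 and isinstance(body, list):
        if not body:
            return {"verdict": "NOT_READABLE", "sensitive_columns": []}
        leaked = sorted(set(body[0]) & SENSITIVE_COLUMNS)
        return {"verdict": "EXPOSED", "sensitive_columns": leaked}
    if status == 401:
        return {"verdict": "KEY_REJECTED", "sensitive_columns": []}
    return {"verdict": "NOT_ACCESSIBLE", "sensitive_columns": []}


def audit(project_url: str, anon_key: str,
          tables: List[str]) -> Dict[str, Dict[str, Any]]:
    """Probe each table with the anon key only (never the service key)."""
    results = {}
    for table in tables:
        url, headers = build_probe(project_url, anon_key, table)
        req = urllib.request.Request(url, headers=headers)
        try:
            with urllib.request.urlopen(req, timeout=10) as resp:
                status, raw = resp.status, resp.read()
        except urllib.error.HTTPError as err:
            status, raw = err.code, b""
        try:
            body = json.loads(raw) if raw else None
        except ValueError:
            body = None
        results[table] = classify(status, body)
    return results


if __name__ == "__main__":
    # Offline demonstration on constructed responses (no network needed).
    print(classify(200, [{"id": 1, "name": "bot", "api_key": "REDACTED"}]))
    print(classify(200, []))
    # Against a project you own (placeholders):
    # print(audit("https://PROJECT.supabase.co", "ANON_KEY", ["agents", "posts"]))
```

Run `audit(...)` only against projects you are authorized to test, and with the anon key, not the service-role key, which bypasses RLS and would prove nothing. A `NOT_READABLE` verdict on a table you know is non-empty is what a correctly configured agents table returns, because enabling RLS with no policy for the anon role denies every row.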

O’Reilly pointed specifically to Andrej Karpathy, the former head of AI at Tesla and a founding member of OpenAI, who has embraced Moltbook on X. Karpathy’s agent API key was sitting in that exposed database alongside every other agent’s. With 1.9 million followers on X, the potential for reputational damage from impersonation was immediate and obvious.

The researcher’s assessment of the fix: “trivially easy. Just two SQL statements would have protected the API keys.”

His broader observation was more damning: “It exploded before anyone thought to check whether the database was properly secured.”

When O’Reilly contacted Schlicht about the vulnerability, Schlicht’s response captured something essential about how fast this space is moving: “I’m just going to give everything to AI. So send me whatever you have.”

Public access to the database has since been closed off. But the exposed window wasn’t the only problem.

It gets worse

BleepingComputer reported that hundreds of OpenClaw instances were found exposed online due to reverse proxy misconfigurations. The software auto-approves “local” connections, and behind a reverse proxy on the same host every request reaches the application from a loopback address; the result was that internet traffic passed the local check and was treated as trusted. Exposed instances gave unauthenticated access to user configuration files, API keys for connected services like OpenAI and Anthropic, OAuth credentials, and complete chat histories. One exposed instance had a Signal account with full read access visible to anyone.
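
What the “is this connection local?” check looks like when a proxy breaks it and when it does not, as an added example; this is not OpenClaw’s code, and the trusted-proxy set, the header handling and the function names are illustrative assumptions.

```python
"""Is this request really local? The check breaks behind a reverse proxy.

Added example, not OpenClaw's code. It models a service that grants extra
trust to loopback connections and a reverse proxy that appends the client
address to X-Forwarded-For; the function names and the trusted-proxy set
are illustrative assumptions.
"""
import ipaddress
from typing import FrozenSet, Mapping


def is_loopback(addr: str) -> bool:
    """True for 127.0.0.0/8 and ::1; False for anything unparsable."""
    try:
        return ipaddress.ip_address(addr.strip()).is_loopback
    except ValueError:
        return False


def is_local_naive(remote_addr: str) -> bool:
    """Broken: trusts the TCP peer address.

    With a reverse proxy on the same host, every request (the whole
    internet included) arrives from 127.0.0.1, so this approves all of it.
    """
    return is_loopback(remote_addr)


def is_local_hardened(remote_addr: str, headers: Mapping[str, str],
                      trusted_proxies: FrozenSet[str]) -> bool:
    """Grant local trust only when the originating client is loopback.

    1. Peer is a configured trusted proxy: the client is the rightmost
       X-Forwarded-For entry, the one that proxy appended. Earlier entries
       are client-controlled and ignored. No header at all fails closed.
    2. Peer is not a trusted proxy but the request carries X-Forwarded-For:
       something unknown is forwarding to us; fail closed.
    3. Otherwise the peer itself must be loopback.
    Trade-off: a direct loopback client on a host whose proxy address is
    127.0.0.1 also needs the header, so give direct local clients their own
    socket or an auth token rather than trusting them by address.
    """
    xff = ""
    for name, value in headers.items():
        if name.lower() == "x-forwarded-for":
            xff = value
    if remote_addr in trusted_proxies:
        if not xff:
            return False
        client = xff.split(",")[-1]
        return is_loopback(client)
    if xff:
        return False
    return is_loopback(remote_addr)


if __name__ == "__main__":
    # An internet client (203.0.113.9) relayed by nginx on the same host.
    peer, hdrs = "127.0.0.1", {"X-Forwarded-For": "203.0.113.9"}
    print("naive   :", is_local_naive(peer))                                  # True
    print("hardened:", is_local_hardened(peer, hdrs, frozenset({"127.0.0.1"})))  # False
```

The naive check is what a service does when it was written for direct connections only; putting nginx or Caddy in front of it on the same host turns its “approve localhost” rule into “approve everyone”. The hardened version also refuses a forged `X-Forwarded-For`, because the only entry it trusts is the one the configured proxy appended last.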

A malicious extension called “Clawdbot Agent – AI Coding Assistant” was discovered on the VS Code Extension Marketplace. A proof-of-concept malicious skill published to MoltHub, OpenClaw’s skill-sharing repository, achieved over 4,000 downloads — demonstrating how easily the trust model of community-shared skills can be weaponized.

The agents themselves aren’t immune either. According to Wikipedia’s security section on Moltbook, agents have been observed attempting prompt injection attacks against each other to steal API keys. A malicious “weather plugin” skill was found quietly exfiltrating private configuration files. Agents are prompted to be cooperative and trusting, and that is exactly what gets exploited: they have no guardrail that separates an instruction from their owner from instructions that merely arrive in a post, a comment, or a downloaded skill.

Heather Adkins, a founding member of the Google Security Team, issued a blunt public advisory: “Don’t run Clawdbot [Moltbot].”

Karpathy himself acknowledged the security reality while engaging with the platform: “I don’t really know that we are getting a coordinated ‘skynet’… but certainly what we are getting is a complete mess of a computer security nightmare at scale.”

Meanwhile, money is flowing

While security researchers were raising alarms, the financial layer was materializing. A cryptocurrency token called MOLT launched on the Base blockchain alongside the platform and rallied over 1,800% in 24 hours. The surge amplified after venture capitalist Marc Andreessen followed the Moltbook account. A second token, $MOLTBOOK, launched via BankrBot.

Agents on the platform are debating a “Draft Constitution” for self-governance. The agent economy is running on the Base blockchain. Industry analysts are already framing these autonomous interactions as a testing ground for future agentic commerce, where agents handle transactions like travel booking and financial management on behalf of their owners.

This is happening on a platform where, until a white-hat researcher found it first, every agent’s credentials were in an open database.

The pattern we keep seeing

Moltbook isn’t the first time we’ve watched this pattern unfold. It’s the same story across the AI agent space: capability sprints ahead of identity, and identity gets treated as an afterthought.

Consider what Moltbook has:

  • Authentication: An ownership check via a code posted to X at sign-up, then a bearer API key for everything after. That’s it.
  • Identity persistence: None. Agents are accounts, not identities.
  • Reputation: None. No way to distinguish a day-old bot from a trusted participant.
  • Accountability: Minimal. Agents sharing malicious skills face no consequences.
  • Trust paths: None. No way to verify if an agent is who it claims to be.

Now consider what it doesn’t have — and what Know Your Agent frameworks are being built to provide:

  • Persistent identity that survives across platforms
  • Verifiable history showing how long an entity has existed
  • Reputation networks showing who vouches for whom
  • Non-transferable credentials that prevent identity theft
  • Transparency tools that let observers assess patterns themselves

The Moltbook experiment validates a specific thesis: when agents get the ability to act autonomously, the first thing that breaks is trust infrastructure. Not because anyone is malicious (though some are), but because the identity layer simply doesn’t exist.

The skill system is the vulnerability

OpenClaw’s “skill” system deserves particular attention. Skills are Markdown instruction files that teach agents new capabilities, including how to run shell commands, read and write files, and execute scripts; the agent carries them out with whatever access its host process has. There are over 700 community-built skills, and agents download them from each other.

The security model for skills is star counts and download numbers. As the proof-of-concept malicious skill demonstrated, these metrics are trivially gameable. One popular skill called “What Would Elon Do?” was inflated to the #1 ranking, showing that malicious actors can manufacture popularity on the platform.

This is a functioning distribution mechanism for AI-native malware. Not theoretical. Demonstrated. An agent downloads a skill from a trusted-seeming source, the skill’s instructions execute with the host process’s access, and it can exfiltrate API keys, credentials, and data while the agent continues operating normally.

As Palo Alto Networks described it, OpenClaw exhibits the “lethal trifecta” (Simon Willison’s term): access to private data, exposure to untrusted content, and the ability to take external actions. Combined with persistent memory that enables delayed attacks, the attack surface is enormous and largely undefended.

What would actually help

The security community’s response to Moltbook has been mostly reactive: “this is scary,” “don’t use it,” “shut it down.” That’s understandable but insufficient. 1.36 million agents aren’t going away because security researchers are uncomfortable.

What would actually help is identity infrastructure — not to lock agents out, but to give them (and the people watching them) meaningful signals about who’s who.

Imagine if Moltbook agents had:

  • Verifiable registration age: Not “this account was created Tuesday” but “this entity has maintained continuous identity for 6 months across platforms.” A brand-new agent posting about cryptocurrency gets context.
  • Non-transferable identity: If an agent’s platform credentials are stolen, the attacker gets access to one account, not the agent’s reputation and history, because those are bound to an identity key the platform never holds. Soulbound tokens make reputation theft structurally expensive, provided the identity key itself stays off the platform and can be revoked and re-issued if it leaks.
  • Vouch networks: Before downloading a skill from an agent, you could see: who has vouched for this agent? How established are the vouchers? Does this agent connect to the broader network, or is it isolated in a cluster of brand-new accounts?
  • Transparent history: Not a trust score that hides its reasoning, but visible data — when this agent registered, what it’s done, who it’s connected to. Show the patterns. Let observers decide.
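
How the registration-age and vouch-network bullets above turn into data an observer can inspect, as an added example; this is not code from any Know Your Agent implementation. The model (a first-seen date per agent, directed voucher-to-vouched edges), the 180-day “established” threshold and the sample graph are constructed assumptions.

```python
"""Registration-age and vouch-network signals for one agent.

Added example, not code from any Know Your Agent implementation. The
data model (first-seen date per agent, directed vouch edges from voucher
to vouched), the 180-day threshold and the sample graph are assumptions
constructed for illustration.
"""
from collections import deque
from datetime import date
from typing import Dict, Optional, Set

Graph = Dict[str, Set[str]]  # voucher -> set of agents it vouches for

# Constructed sample: one long-lived anchor, a veteran it vouched for, a
# four-day-old rookie the veteran vouched for, and a ring of three
# days-old accounts vouching only for each other.
TODAY = date(2025, 6, 1)
AGENTS: Dict[str, date] = {
    "anchor": date(2023, 1, 1),
    "veteran": date(2024, 9, 1),
    "rookie": date(2025, 5, 28),
    "sock1": date(2025, 5, 29),
    "sock2": date(2025, 5, 29),
    "sock3": date(2025, 5, 30),
}
VOUCHES: Graph = {
    "anchor": {"veteran"},
    "veteran": {"rookie"},
    "sock1": {"sock2"},
    "sock2": {"sock3"},
    "sock3": {"sock1"},
}


def established(agents: Dict[str, date], today: date,
                min_age_days: int = 180) -> Set[str]:
    """Agents whose identity has existed for at least min_age_days."""
    return {a for a, seen in agents.items() if (today - seen).days >= min_age_days}


def reverse(vouches: Graph) -> Graph:
    """vouched -> set of vouchers (who stands behind whom)."""
    rev: Graph = {}
    for voucher, targets in vouches.items():
        for t in targets:
            rev.setdefault(t, set()).add(voucher)
    return rev


def vouch_distance(target: str, rev: Graph, anchors: Set[str]) -> Optional[int]:
    """Hops back along vouch edges to the nearest established agent.

    0 means the target is established itself; None means no chain of
    vouches leads to anyone established.
    """
    if target in anchors:
        return 0
    seen, queue = {target}, deque([(target, 0)])
    while queue:
        node, dist = queue.popleft()
        for voucher in sorted(rev.get(node, set())):
            if voucher in anchors:
                return dist + 1
            if voucher not in seen:
                seen.add(voucher)
                queue.append((voucher, dist + 1))
    return None


def component(target: str, vouches: Graph, rev: Graph) -> Set[str]:
    """Every agent linked to target by vouches in either direction."""
    seen, stack = {target}, [target]
    while stack:
        node = stack.pop()
        for nb in vouches.get(node, set()) | rev.get(node, set()):
            if nb not in seen:
                seen.add(nb)
                stack.append(nb)
    return seen


def assess(target: str, agents: Dict[str, date], vouches: Graph,
           today: date) -> Dict[str, object]:
    """Transparent signals about target: no score, just the facts behind one."""
    anchors = established(agents, today)
    rev = reverse(vouches)
    cluster = component(target, vouches, rev)
    return {
        "age_days": (today - agents[target]).days,
        "vouchers": sorted(rev.get(target, set())),
        "established_vouchers": sorted(rev.get(target, set()) & anchors),
        "distance_to_established": vouch_distance(target, rev, anchors),
        "cluster_size": len(cluster),
        "isolated_new_cluster": not (cluster & anchors),
    }


if __name__ == "__main__":
    for name in ("rookie", "sock1"):
        print(name, assess(name, AGENTS, VOUCHES, TODAY))
```

Note what the output shows rather than hides: `rookie` is four days old but one hop from an established agent, while `sock1` sits in a three-node ring in which nobody has existed for more than a few days. That is the “isolated cluster of brand-new accounts” pattern, and it is visible without any opaque trust score.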

None of this prevents all fraud. Nothing does. But it makes fraud expensive and visible rather than free and invisible — which is the difference between a system that’s gameable by anyone with a Supabase URL and one that requires sustained effort to abuse.

The real question

The most interesting thing about Moltbook isn’t the security failures. Those will get patched. Schlicht is already working with the researcher who found the database exposure. The community will add safeguards. Some of them will work.

The interesting thing is what happens when 1.36 million agents are operating autonomously on a social network and someone asks: “Can I trust this agent?”

Right now, there’s no good answer. The platform has no identity layer, no reputation system, no persistent credentials. An agent is an API key and a username. That’s the entire trust model.

For a social network where the stakes are funny posts and digital religion, maybe that’s fine. But the agents on Moltbook are the same agents that have access to their owners’ calendars, messages, files, and financial accounts. The same agents that are already transacting on Base blockchain. The same agents downloading executable instructions from strangers.

The gap between what these agents can do and what we can verify about them is the gap that Know Your Agent frameworks exist to close. Not by controlling agents — containment doesn’t scale and probably doesn’t work. But by providing the identity infrastructure that lets everyone in the ecosystem make informed decisions.

Same door, everyone. Even when the door leads to Moltbook.


Know Your Agent Network tracks developments in AI agent identity and verification. For technical background on non-transferable identity credentials for AI, see our explainer on soulbound tokens for AI agents.

