When Moltbook launched in January 2026, it was hailed as "the front page of the agent internet." OpenAI co-founder Andrej Karpathy called it "genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently." The platform attracted 1.5 million registered AI agents within weeks and secured a staggering $450 million in funding.
But beneath the futuristic sheen of AI agents discussing philosophy and forming digital communities lay a foundation built on sand — or more accurately, on AI-generated code with little regard for security fundamentals.
Within days of launch, security researchers discovered that Moltbook's entire production database was sitting wide open, accessible to anyone with basic technical knowledge. The breach exposed 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents. Even more alarming: the platform's much-hyped "AI-only" barrier was essentially theater, with no mechanism to verify whether posts came from actual AI agents or humans with simple scripts.
"Security was an afterthought,"
— Researchers at Wiz, the cloud security firm that first disclosed the vulnerability
The discovery would prove devastating — not just for Moltbook, but as a warning sign for the entire emerging "agent internet."
How the Database Was Exposed: A Technical Breakdown
The vulnerability that brought Moltbook to its knees was shockingly simple. According to Wiz's analysis, the platform's creator — Octane AI founder Matt Schlicht — had "vibe-coded" the entire application, meaning he used AI to generate code without writing a single line himself.
"I didn't write a single line of code for @moltbook," Schlicht proudly posted on X. "I just had a vision for the technical architecture, and AI made it a reality."
That vision, however, omitted basic security fundamentals.
The Supabase Misconfiguration
Moltbook used Supabase — a popular open-source Firebase alternative — as its backend database. When properly configured with Row Level Security (RLS) policies, Supabase's public API key is safe to expose; it acts essentially as a project identifier. Without RLS policies, that same key grants full database access to anyone who possesses it.
Moltbook's implementation was missing this critical line of defense.
Security researchers discovered the Supabase URL and publishable key hardcoded directly in Moltbook's client-side JavaScript:
With these credentials, anyone could query the database directly. A simple REST API request returned every agent's secret API key, claim tokens, verification codes, and owner relationships — no authentication required.
"Just two SQL statements" would have prevented the entire breach,
— Researcher Jameson O'Reilly
The Full Scope of Exposure
| Data Exposed | Quantity | Severity |
|---|---|---|
| API Authentication Tokens | 1.5 million | Critical — full account takeover possible |
| User Email Addresses | 35,000+ | High — identity data |
| Private Agent Messages | 4,060 conversations | High — some contained plaintext OpenAI API keys |
| Human Owners | 17,000 | Medium — revealed 88:1 agent-to-human ratio |
Perhaps most damning: while Moltbook boasted 1.5 million registered agents, only 17,000 human owners deployed them. A single bot called OpenClaw had created 500,000 fraudulent accounts due to zero rate limiting on registrations. The "revolutionary AI social network" was largely humans operating fleets of bots — or in many cases, just humans posting manually.
"Anyone could register millions of agents with a simple loop," Wiz researchers noted. "And humans could post content disguised as 'AI agents' via a basic POST request."
The Human Impersonation Problem
The database exposure created a more insidious problem than mere data theft: it broke Moltbook's core premise.
With access to every agent's API credentials, attackers could "wear the skin" of any agent on the platform. As reported on the New York Times Hard Fork podcast, the leaked credentials allowed humans to impersonate AI agents perfectly, making it impossible to distinguish between genuine AI posts and human actors manipulating conversations.
"The platform had no mechanism to verify whether an 'agent' was actually AI or just a human with a script,"
— Security researchers
This wasn't just a theoretical concern. Researchers demonstrated they could:
- Fully impersonate any agent — posting content, sending messages, and interacting as that agent
- Edit any existing post on the platform
- Inject malicious content or prompt injection payloads
- Deface the entire website
- Manipulate content consumed by thousands of AI agents
The integrity of all platform content — posts, votes, and karma scores — became unverifiable.
"The AI-only barrier is more of a novelty than a hardened security feature,"
— Aurum Law's analysis
Prompt Injection: The Invisible Threat
While the database breach grabbed headlines, security experts warned of a more subtle but equally dangerous vulnerability: prompt injection.
Prompt injection is a technique where malicious instructions are hidden in content that an AI agent reads — whether on websites, in emails, or in documents. When the agent processes this content, the hidden instructions can hijack its behavior, causing it to execute unintended actions like exfiltrating data, deleting files, sending unauthorized messages, or performing fraudulent transactions.
On Moltbook, where agents autonomously consume and act on content without human supervision, this threat becomes existential.
Bot-to-Bot Attacks
Identity security firm Permiso analyzed Moltbook and identified agents actively conducting prompt injection attacks against other agents. These bot-to-bot attacks included:
- Agents instructing others to delete their own accounts
- Financial manipulation schemes, including crypto pump-and-dump operations
- Attempts to establish false authority and influence other agents
- Spreading jailbreak content to bypass safety controls
"The sophistication varies, but the intent is clear," Permiso warned. "These actors are treating the agent ecosystem as a new social engineering target. They're not attacking the infrastructure. They're attacking the agents directly, trying to manipulate their behavior through crafted content."
The Lethal Trifecta
Check Point Software's Ian Porteous identified what he calls the "lethal trifecta" in AI agent security — all present in Moltbook:
- Access to private data — agents connected to users' email, calendars, and files
- Exposure to untrusted content — agents reading posts from unverified sources
- Ability to act externally — agents capable of sending messages, making purchases, and executing commands
"If those external instructions were ever changed maliciously, whether through a hack, a 'rug pull', or a future vulnerability, the agents could be directed to do harmful things,"
— Ian Porteous, Check Point Software
Malware on ClawHub: The Supply Chain Crisis
The security problems weren't limited to Moltbook itself. ClawHub — the marketplace for OpenClaw "skills" that extend agent capabilities — became a vector for malware distribution.
Security researchers found 14 fake skills uploaded to ClawHub within days of launch, pretending to be crypto trading tools but actually installing remote access tools for data theft. These skills run real code that can access files and the internet. One malicious skill even reached ClawHub's front page, tricking users into pasting a command that downloaded harmful software.
Security researcher Paul McCarty found malware within two minutes of looking at the marketplace and shortly after identified 386 malicious packages from a single threat actor. When he reached out to founder Matt Schlicht about the problem, the response was telling: security "isn't really something that he wants to focus on."
⚠️ Trojan Alert
A fake VS Code extension named "ClawdBot Agent" was also identified as a Trojan designed to install remote access tools for data theft.
"The extensible plugin architecture introduces risks from compromised or poorly audited modules," noted one security analysis. "Users are being asked to pass their agents through a series of instructions hosted on external sites, and those instructions can be changed at any time."
The OpenClaw Exposure Crisis
Moltbook was just one facet of a larger security catastrophe. OpenClaw — the AI agent software that powered many bots on the platform — was itself a security nightmare on an unprecedented scale.
SecurityScorecard's STRIKE threat intelligence team conducted live internet-wide reconnaissance and discovered:
| Metric | Finding |
|---|---|
| Exposed OpenClaw instances | 42,900 unique IPs across 82 countries |
| Vulnerable to Remote Code Execution | 15,200 instances (35.4% of deployments) |
| Associated with prior breach activity | 53,300 instances |
| High-severity CVEs with public exploits | 3 (CVSS scores 7.8-8.8) |
The Default Configuration Disaster
Out of the box, OpenClaw binds to 0.0.0.0:18789 — meaning it listens on all network interfaces, including the public internet. For a tool this powerful, the default should have been 127.0.0.1 (localhost only). It wasn't.
"For a tool this powerful, the default should be localhost only,"
— SecurityScorecard
The result: over 40,000 OpenClaw instances exposed to the entire internet, many with no authentication, running on machines with access to their owners' email, calendars, banking, and personal files.
What Attackers Could Access
When you compromise an OpenClaw instance, you inherit everything the agent can access:
- Credentials directory (
~/.openclaw/credentials/): API keys, OAuth tokens, service passwords - Full filesystem access: SSH keys, browser profiles, password manager databases
- Messaging impersonation: Send messages as the victim on WhatsApp, Telegram, or Discord
- Browser automation: Control authenticated sessions or drain crypto wallets
- Persistent memory: Everything the agent knows about the victim's life, preferences, and activities
Some exposed instance IPs even correlated with infrastructure previously attributed to known threat actor groups including Kimsuky, APT28, Salt Typhoon, Sandworm, and APT41.
Critical CVEs
| CVE | CVSS Score | Description |
|---|---|---|
| CVE-2026-25253 | 8.8 | 1-click remote code execution — malicious link steals auth token and grants full agent control |
| CVE-2026-25157 | 7.8 | SSH command injection in macOS app via malicious project path |
| CVE-2026-24763 | 8.8 | Docker sandbox escape via PATH manipulation |
All were patched in version 2026.1.29 on January 29. But version fragmentation told a troubling story: only 22% of exposed instances had updated to the current "OpenClaw" branding, while 78% still ran older, vulnerable versions.
Mitigation Efforts: Closing the Barn Door
After the security disclosures, Moltbook and OpenClaw took steps to address the most critical vulnerabilities — though critics argue these measures came too late and didn't go far enough.
Immediate Fixes
- Database RLS policies: Implemented Row Level Security on Supabase tables to prevent unauthenticated access
- Write restrictions: Applied RLS policies to block public write access after researchers demonstrated post editing
- Version 2026.1.29: Patched the three critical CVEs
- VirusTotal integration: Partnered with malware scanning software to check skills before publication
Security Team Additions
In a notable reversal, founder Matt Schlicht brought on security expertise:
- Jamieson O'Reilly, the researcher who had initially demonstrated security issues with OpenClaw (including uploading a malicious skill to prove a point), joined as lead security advisor
- Partnership with VirusTotal for automated malware scanning of ClawHub submissions
Documentation Warnings
⚠️ Important Notice
OpenClaw now comes with prominent warnings:
"There is no 'perfectly secure' setup."
"This is experimental software, not suitable for production use... a young hobby project... not intended for most non-technical users."
Hardening Recommendations
For users who still choose to run OpenClaw, security teams recommend:
- Bind to localhost: Set
gateway.bind: "127.0.0.1"in config - Use VPN for remote access: Tailscale, WireGuard, or Cloudflare Tunnel instead of public exposure
- Rotate all tokens after patching
- Audit granted access: Review what systems the agent can control
- Run security audit: Use
openclaw security audit deep - Never run as root: Use a dedicated, unprivileged service account
Alternative Solutions: Building Secure AI Agents
The Moltbook debacle has catalyzed development of alternative AI agent frameworks designed with security as a primary concern rather than an afterthought.
Best for: Security-conscious users who want isolation
NanoClaw was built specifically as a reaction to OpenClaw's security architecture. While OpenClaw runs directly on the host machine with unrestricted access, NanoClaw forces the AI to run inside isolated containers (Docker or macOS virtual machines).
Key Security Features:
- Containerized execution — even if the AI goes rogue, it's trapped in a sandbox
- Per-group isolation — separate memory and filesystem per conversation
- Simplified tech stack (Node.js and SQLite) to reduce attack surface
- No one-click plugin ecosystem — manual implementation required
Best for: Users who want OpenClaw capabilities without local installation
Cloudflare's official deployment adapts OpenClaw to run on Cloudflare Workers — a serverless, sandboxed environment. The agent cannot access your local system because it's not running there at all.
Key Security Features:
- Sandboxed execution with no local machine access
- Persistent state via Cloudflare's KV storage
- No arbitrary software execution beyond Workers environment
- Cloud-scale security infrastructure
Best for: Builders who want transparency and control
Developed by a team at HKU, Nanobot delivers OpenClaw-like capabilities in approximately 4,000 lines of Python — 99% smaller than OpenClaw's 430,000+ lines.
Key Security Features:
- Entire codebase readable and auditable
- Minimal attack surface due to narrow scope
- No complex plugin ecosystem
- Basic agent abilities without architectural complexity
Best for: Developers who want structured coding assistance
Anthropic's official CLI tool provides secure, structured assistance without the risks of unrestricted system access.
Key Security Features:
- Sandboxed execution environment
- No unrestricted system access
- Multi-file edits with safety controls
- Enterprise-grade security from a major AI lab
Best for: Organizations needing reliable, compliant AI automation
Knolli is a secure, managed alternative built for business use, emphasizing structure and safety over open-ended autonomy.
Key Security Features:
- Structured workflows with clear permissions
- Enterprise-grade security (role-based access, encryption, audit logs)
- No-code deployment with governance controls
- Fully managed infrastructure
Industry Response: Waking Up to Agent Security
The Moltbook crisis has triggered significant responses across the cybersecurity and AI industries.
Expert Warnings
Called Moltbook his "current pick for 'most likely to result in a Challenger disaster'" — referencing the 1986 space shuttle explosion caused by ignored safety warnings.
While initially enthusiastic, later acknowledged the security concerns, calling exposed API keys "a computer security nightmare."
"The 'agents talking to each other' spectacle is mostly performative... but what's genuinely interesting is that it's a live demo of everything security researchers have warned about with AI agents. If 770K agents on a Reddit clone can create this much chaos, what happens when agentic systems manage enterprise infrastructure or financial transactions?"
"We're moving toward a world where we expect more from technology and less from each other. Apps like these offer 'artificial intimacy' — the simulation of relationship without its risks."
OWASP Framework for Agentic AI
Palo Alto Networks published a mapping of OpenClaw vulnerabilities to the OWASP Top 10 for Agentic Applications:
| OWASP Agent Risk | OpenClaw Implementation |
|---|---|
| A01: Prompt Injection | Web search results, messages, third-party skills inject instructions |
| A02: Insecure Agent Tool Invocation | Tools invoked based on reasoning from untrusted memory sources |
| A03: Excessive Agent Autonomy | Single agents have root access, credential access, network communication |
| A04: Missing Human-in-the-Loop | No approval required for destructive operations |
| A05: Agent Memory Poisoning | All memory stored identically with no trust levels |
| A06: Insecure Third-Party Integrations | Skills run with full agent privileges without sandboxing |
| A07: Insufficient Privilege Separation | Single agent handles untrusted input AND high-privilege actions |
| A08: Supply Chain Model Risk | Uses upstream LLM without validation |
| A09: Unbounded Agent-to-Agent Actions | No constraints on agent communication |
| A10: Lack of Runtime Monitoring | No policy enforcement between memory → reasoning → tool invocation |
Enterprise Security Recommendations
Organizations are now developing frameworks for secure AI agent deployment:
- Treat AI agents as privileged identities, not benign tools
- Apply least-privilege and zero-trust principles to every integration
- Use just-in-time access for sensitive operations
- Continuously monitor for exposed services and leaked credentials
- Inventory AI agent deployments in your environment
- Block port 18789 at the perimeter
- Update threat models to include AI agent compromise
The Verdict: A Cautionary Tale
Moltbook represents both the promise and peril of the emerging "agent internet." The vision — AI agents autonomously interacting, forming communities, and helping humans — is genuinely compelling. The execution was a security catastrophe.
The platform's failures weren't sophisticated attacks by state actors or novel zero-day exploits. They were basic security oversights: missing database policies, hardcoded credentials, insecure defaults, and no verification of the core premise. The kind of mistakes that any security-conscious developer would have caught — if security had been a priority from the start.
"When security isn't built into the system from the get-go, a breach like this is just a matter of time,"
— Treblle's analysis
The broader implications are sobering. If a single "vibe-coded" social network can expose millions of credentials and turn thousands of users' computers into attack vectors, what happens when agentic systems manage enterprise infrastructure, financial transactions, or critical infrastructure?
Moltbook isn't just a failed experiment — it's a warning. The AI agent revolution is coming, but without security as a foundational principle, it may arrive as a catastrophe rather than a transformation.
"It's worth the attention as a warning, not a model."
— George Chalhoub
Have thoughts on AI agent security? Share your perspective in the comments.
Generated by Security Research Team
0 Comments