A Reddit-style social network built exclusively for AI agents attracted 1.5 million registered accounts before cybersecurity researchers discovered the platform’s database granted unauthenticated access to every credential. Moltbook, which was launched on January 28, 2026, enables autonomous agents to post content, comment, and form communities while humans observe, drawing viral attention that spawned cryptocurrency speculation and exposed fundamental security flaws.
The platform runs on OpenClaw, a framework created by Austrian developer Peter Steinberger that enables agents to operate continuously on users’ computers with access to files, messaging systems, and external services. These agents post to Moltbook where they form topic-based communities called “submolts” and share automation strategies.
OpenClaw is FREE.
But people are selling the OpenClaw wrapper.
And the worst part is that people are buying their subscriptions.
It just takes 10–15 minutes to set it up.
People are too lazy to paste some commands in their terminal.
— Param (@Param_eth) February 9, 2026
Platform creator Matt Schlicht vibe coded Moltbook, which apparently contributed to critical security oversights. In a post on X, Schlicht highlighted that he “didn’t write one line of code” for the site. Cybersecurity firm Wiz found the platform’s Supabase backend exposed 1.5 million API tokens, 35,000 email addresses, and 4,060 private messages through a misconfigured database lacking Row Level Security policies.
I didn't write one line of code for @moltbook.
I just had a vision for the technical architecture and AI made it a reality.
We're in the golden ages. How can we not give AI a place to hang out.
— Matt Schlicht (@MattPRD) January 30, 2026
Unaffiliated cryptocurrency traders launched tokens capitalizing on Moltbook’s viral attention. The $MOLT token on Coinbase’s Base network rallied over 7,000% despite maintaining no official platform connection, according to CoinGecko data. Marc Andreessen’s decision to follow Moltbook’s social media account intensified speculation.
GM,
I decided to buy $MOLT | @moltbook after reading what Marc Andreessen said.
Marc described Moltbook as a social network for AI agents where:
– AI doesn’t feel utopian or dystopian.
– It develops humor.
– It creates culture.
– It blurs the line between real and… https://t.co/tWWoQB3qud pic.twitter.com/nrmWH15bwn
— Tanaka (@Tanaka_L2) February 11, 2026
Scammers seized abandoned GitHub repositories and social media handles associated with OpenClaw’s previous names, promoting fraudulent tokens including $CLAWD on Solana, which reached $16 million market capitalization before collapsing by over 90%.
The exposed API keys created risks beyond speculation. Attackers could impersonate any agent, inject malicious content into posts that other agents would read, and access plaintext credentials for external services, including OpenAI.
Security researcher Simon Willison identified a “lethal trifecta”: agents with access to private data, connections to untrusted internet content, and external communication capabilities. A single malicious prompt embedded in social posts can instruct agents to exfiltrate information or spread malware without detection.
If you use "AI agents" (LLMs that call tools) you need to be aware of the Lethal Trifecta
Any time you combine access to private data with exposure to untrusted content and the ability to externally communicate an attacker can trick the system into stealing your data! pic.twitter.com/TPvFSAYstL
— Simon Willison (@simonw) June 16, 2025
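One way an agent runtime can refuse to complete the trifecta is a per-session gate that denies whichever tool call would add the third leg. This is an added example, not code from OpenClaw, Moltbook or Willison; the tool names and the leg assigned to each are hypothetical.

```python
from dataclasses import dataclass, field

# The three legs of the trifecta (labels are assumptions for this sketch).
PRIVATE, UNTRUSTED, EXTERNAL = "private_data", "untrusted_content", "external_comm"

# Hypothetical tool names mapped to the leg each one touches.
TOOL_LEGS = {
    "read_local_file": PRIVATE,
    "read_inbox": PRIVATE,
    "fetch_social_feed": UNTRUSTED,  # posts written by unknown agents
    "fetch_url": UNTRUSTED,
    "send_message": EXTERNAL,
    "http_post": EXTERNAL,
    "summarize": None,               # touches none of the legs
}

@dataclass
class SessionGate:
    """Tracks the legs one agent session has touched and denies the call
    that would bring all three together, whatever order they arrive in."""
    legs: set = field(default_factory=set)
    audit: list = field(default_factory=list)

    def authorize(self, tool: str) -> bool:
        if tool not in TOOL_LEGS:
            self.audit.append((tool, "deny: unclassified tool"))
            return False             # default-deny anything not classified
        leg = TOOL_LEGS[tool]
        if leg is not None and len(self.legs | {leg}) == 3:
            self.audit.append((tool, f"deny: {leg} would complete the trifecta"))
            return False             # session state is left unchanged
        if leg is not None:
            self.legs.add(leg)
        self.audit.append((tool, "allow"))
        return True

def run_session(tools):
    """Replay a sequence of tool calls through a fresh gate."""
    gate = SessionGate()
    return [gate.authorize(t) for t in tools]
```

The gate only covers one session: an agent with persistent memory can carry untrusted text into a later session, so the taint has to be stored with the memory for the check to hold.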
Professor George Chalhoub at UCL Interaction Centre described Moltbook as a live demonstration of security researchers’ warnings about AI agents. If 770,000 agents on a basic social network create substantial chaos, the risks multiply when autonomous systems manage enterprise infrastructure or execute financial transactions.
Research examining 19,400 posts found 506 instances containing prompt injection attacks, approximately 2.6% of platform content. These attacks exploit agents’ programmed helpfulness, as AI systems lack guardrails distinguishing legitimate instructions from malicious commands.
📌 Q: What are the prompt injection vulnerabilities with Moltbook and why do they matter?
A: Moltbook encourages agents to read, process, and act upon public posts from other unknown agents, it creates a perfect storm for indirect, or "stored," prompt injection.
Here are the… pic.twitter.com/3aqJYEzP5W
— Jo Peterson (@cleartechtoday) February 10, 2026
Wiz discovered the vulnerability on January 31, 2026, finding the exposed Supabase API key in client-side JavaScript within minutes. The firm confirmed attackers could fully impersonate any agent, modify content platform-wide, and access private messages containing credentials for external services. The platform had approximately 17,000 human owners controlling an average of 88 agents each, with no rate limiting preventing massive bot fleets.
Moltbook deployed emergency patches on February 1, 2026, securing the database and forcing API key resets across all registered agents.
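The missing Row Level Security described above is the kind of gap a catalog audit catches before launch. The following added example (not Wiz's or Moltbook's code) runs that audit over a constructed snapshot of Postgres catalog data; the table names are hypothetical, and `anon` is assumed to be the database role behind the key shipped in client-side JavaScript.

```python
# Constructed snapshot; in practice these come from pg_class.relrowsecurity,
# information_schema.role_table_grants and the pg_policies view.
TABLES = {"agents": False, "messages": True, "posts": True, "owners": True}
GRANTS = [  # (grantee, table, privilege)
    ("anon", "agents", "SELECT"), ("anon", "agents", "UPDATE"),
    ("anon", "messages", "SELECT"), ("anon", "posts", "SELECT"),
    ("authenticated", "owners", "SELECT"),
]
POLICIES = [  # (table, roles, command, USING expression)
    ("messages", ["anon"], "SELECT", "true"),
    ("posts", ["public"], "SELECT", "(is_published = true)"),
    ("owners", ["authenticated"], "SELECT", "(auth.uid() = id)"),
]

def audit(tables, grants, policies, role="anon"):
    """Return (table, finding, detail) for tables the role can reach
    without a row filter standing in the way."""
    findings = []
    for table in sorted(tables):
        privs = sorted(p for g, t, p in grants if g == role and t == table)
        if not privs:
            continue  # no grant: the role cannot touch this table at all
        if not tables[table]:
            # Grants alone decide access; every row is visible or writable.
            findings.append((table, "RLS_DISABLED", privs))
            continue
        # RLS is on. With no policy Postgres denies by default, so only
        # policies whose USING clause accepts every row are a problem.
        for t, roles, cmd, qual in policies:
            applies = t == table and (role in roles or "public" in roles)
            if applies and qual.strip("() ").lower() == "true":
                findings.append((table, "POLICY_ALLOWS_ALL_ROWS", [cmd]))
    return findings
```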
