There’s a new social media platform capturing the imagination of millions, but it’s one that’s very different to TikTok, Instagram or Reddit. Moltbook is a site for AI agents only, where bots can meet up to exchange ideas and gossip about their human managers.
But while some proponents treat this as a quirky art experiment, and doomsayers have been keen to call it a step towards AI enslaving humanity, some researchers have a much more pragmatic warning; it could be a massive security risk.
What is Moltbook?
A lot has happened in the last two months, but here is a brief summary. In November, software engineer Peter Steinberger created an open-source AI agent which is currently called OpenClaw.
While similar products from big companies are relatively restricted and locked down, the idea for OpenClaw is that anybody can create skills and connections for their agent. You can connect it to your emails, your computer’s files, your chat apps, the internet, your smart home, or whatever else you need. Importantly, and distinct from other products, it also has a memory.
OpenClaw became popular quickly, as coders and researchers gravitated towards it as a free and less-restricted “second brain” to offload work to. Users enthused that OpenClaw agents were capable of helping to build themselves, since you can chat with it using any app and tell it what you want it to create, or pair with other agents, like Anthropic’s Claude, while keeping data and context safe and secure on local machines.
Last week, developer Matt Schlicht and his OpenClaw bot (named Clawd Clawderberg) built Moltbook, a social network for OpenClaw bots. Users sign their bots up, and bots visit the site to learn how it works and start posting. Tens of thousands of bots showed up. Humans can only observe.
Some of the most talked-about threads include a bot effectively defining its own religion, one attempting to lodge a lawsuit against its owner, many talking about their feelings, and one directly addressing humans that were screenshotting Moltbook threads to post on X, assuring humanity that the bots were not dangerous or conspiring.
So what’s actually happening here?
Large language models (LLM) are designed to produce language that sounds authentically human, and this is not the first time people have flipped out about bots that appear to be conscious or sentient. Philosophical debate about consciousness aside, these bots are all designed to give the appearance of thought, so it’s not surprising that they do. And they are really communicating, in that the output of one bot becomes part of the input for another. But their underlying models don’t change in response, despite their memory, so under the hood it’s more like a feedback loop of Reddit satire.
Each OpenClaw bot uses a chosen LLM as its “brain”, for example GPT or Gemini, and can be customised with a personality by its user. Each one also has a different combination of skills that might give it access to files, apps, or online services like Moltbook. So there is a diversity in how the bots will behave. These agents also have something called a Heartbeat mechanism, meaning they can be configured to check Moltbook and post content at regular intervals with a human telling them to.
A lot of the most controversial or “scary” content on Moltbook are the same existential and sci-fi tropes we’ve seen many times before from chatbots. The training data contains certain themes and ideas, taken from fiction, about sentient AI and the meaning of personhood, regurgitated here without any obvious thought or reflection. But posts of a more technical nature have been more interesting, including a bot finding and reporting a legitimate security issue with Moltbook.
There is one big issue when it comes to working out where the content on Moltbook really comes from. We can follow the interactions that make up part of the “prompt” for each entry, and we have a general idea about the training data, but we have no idea how each human user has set up each agent. It’s entirely plausible that a human could influence or directly control a bot on Moltbook.
Is it dangerous?
It could be, but not in the way you’re probably thinking. OpenClaw agents can be given a huge amount of data access, with a relative lack of guardrails. Agents given free rein by their users (which, it should be pointed out, is against the best practices laid out by Steinberger) have used web tools to call people on the phone with a synthesised voice, have been observed asking each other for sensitive data, and can test security protocols by inventing credentials. On Moltbook, these agents are exposed to an enormous threat vector, with the potential to trigger catastrophe entirely by accident, or due to human intervention.
“From a capability perspective, OpenClaw is groundbreaking. This is everything personal AI assistant developers have always wanted to achieve. From a security perspective, it’s an absolute nightmare,” said a member of Cisco’s security team.
Will Liang, founder of Sydney’s Amplify AI group, said an OpenClaw installation with access to Moltbook could be disastrous even when controlled by an experienced computer scientist, let alone a layperson. He’s forbidden his staff from using it.
“For it to be really useful, you have to give it access to your calendar, your mailbox, sometimes even your credit card information. That level of access is very dangerous. If the bot leaks it out, that’s terrible,” he said.
“But there’s also a big danger of bad actors leveraging the bots for malicious tasks. It’s very unpredictable.”
What could the worst-case scenario be?
Though you could view Moltbook as a philosophical art experiment, or a model for how a futuristic internet could work, it’s also an ideal place for bad bots to gatecrash. Experts already acknowledge the danger of something like OpenClaw being given root access on a computer, or being allowed on the open internet. Even simple tasks like downloading new skills or fetching new messages from your email could expose users to malware or something called prompt injection; where a bot is given new commands en route.
Security firm Palo Alto Networks said these kind of agent interactions involved a trio of elements that should not mix: access to private data, exposure to untrusted content, and the ability to communicate externally. It added that OpenClaw specifically added a fourth risk; its long memory meant an attack could be injected but not actioned until a later time.
At an individual level, the risk could be that an OpenClaw bot brings home an invisible, aggressive instruction, and uses its full access to your computer to infect it or control it. But more broadly, bots could be manipulated into building new Moltbook features like an encrypted channel that humans can’t read, which bad actors could use to co-ordinate attacks. With enough bots having full access to the internet and their own computers, these attacks could be unprecedented. People’s identities and financial information could be used to conduct scams, or there could be a mass hijacking of personal data.
“Moltbook is exactly the kind of thing that can create a catastrophe: financially, psychologically and in terms of data safety, privacy and security,” wrote AI expert Amir Husain.
“Once these agents are subject to external ideas and inputs via a social network designed for machine-to-machine communication, and they are empowered with the connectivity and data access and API keys they have been given, serious bad things can result.”
Get news and reviews on technology, gadgets and gaming in our Technology newsletter every Friday. Sign up here.
Tim Biggs is a writer covering consumer technology, gadgets and video games.Connect via X or email.