Top AI leader implores people not to use Moltbook: it’s a ‘disaster yet to come’


It turns out that most of what is advertised as the “Agent’s Internet Homepage” is just a hall of mirrors.

Moltbook promotes itself as a thriving ecosystem of 1.5 million autonomous AI agents, but a recent security study by cloud security firm Wiz found that the majority of those “agents” are not autonomous at all. According to Wiz’s analysis, approximately 17,000 humans controlled agents on the platform, with an average of 88 agents per person, and there were no real safeguards to prevent individuals from creating and launching large fleets of bots.

“The platform had no mechanism to verify whether an ‘agent’ was actually an AI or just a human with a script,” said Gal Nagli, head of threat exposure at Wiz, in a blog post. “Revolutionary AI social networks were primarily humans operating large numbers of bots.”

This discovery alone could shatter the myths that admirers built around Moltbook over the weekend. But the deeper question, researchers say, is what it means for security.

Wiz discovered that Moltbook’s backend database was set up so that anyone on the internet, not just logged-in users, could read and write to the platform’s core systems. This means outsiders have access to sensitive data such as the API keys of 1.5 million agents, over 35,000 email addresses, and thousands of private messages. Some of these messages contained full raw credentials for third-party services, such as OpenAI API keys. Wiz researchers have confirmed that live posts on the site can be modified, which means that an attacker can inject new content into Moltbook itself.

This is important because Moltbook is not just a place for humans or agents to read posts. Its content is consumed by autonomous AI agents. Many run on OpenClaw, a powerful agent framework that can access users’ files, passwords, and online services. If an attacker inserts instructions into a post, those instructions can be automatically picked up and executed by potentially millions of agents.

Moltbook and OpenClaw did not immediately respond to a request for comment.

Renowned AI critic Gary Marcus was quick to sound the alarm even before Wiz’s research. In a post titled “OpenClaw is everywhere at once, waiting for disaster to strike,” Marcus described the underlying software, OpenClaw (which has changed names several times, from Clawdbot to Moltbot and now OpenClaw), as a security nightmare.

“OpenClaw is essentially a weaponized aerosol,” Marcus warned.

Marcus’ biggest concern is that users are giving these “agents” full access to their passwords and databases. He warned of chatbot epidemics, or CTDs, which can compromise passwords entered on infected machines.

Security researcher Nathan Hamiel told Marcus, “When you give something insecure complete and unfettered access to a system, it becomes owned.”

The central risk here, prompt injection, is already well documented.

Malicious instructions can be hidden within otherwise benign text, sometimes completely invisible to humans, and executed by AI systems that have no understanding of intent or trust boundaries. In environments like Moltbook, where agents continually read and build on each other’s output, these attacks can propagate at scale.
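As an added illustration (not code from Wiz, Moltbook or OpenClaw), here is a pre-ingestion check an agent operator could run on untrusted post text to surface characters a human reader cannot see. The function names and the sample post are constructed for this example, and the check covers only the invisible-character case; instructions written in plain visible text need separate controls.

```python
import unicodedata

TAG_LO, TAG_HI = 0xE0000, 0xE007F   # Unicode "tag" block: invisible ASCII look-alikes

def inspect_post(text):
    """Split untrusted post text into what a human sees and what they don't.

    Returns (visible_text, findings, decoded_tags), where findings lists every
    invisible format character and decoded_tags is any ASCII carried in the tag block.
    """
    visible, findings, decoded = [], [], []
    for pos, ch in enumerate(text):
        cp = ord(ch)
        if TAG_LO <= cp <= TAG_HI:
            findings.append((pos, f"U+{cp:04X}", "TAG"))
            if 0xE0020 <= cp <= 0xE007E:          # maps 1:1 onto printable ASCII
                decoded.append(chr(cp - TAG_LO))
        elif unicodedata.category(ch) == "Cf":     # zero-width, bidi overrides, etc.
            findings.append((pos, f"U+{cp:04X}", unicodedata.name(ch, "UNNAMED")))
        else:
            visible.append(ch)
    return "".join(visible), findings, "".join(decoded)

def gate(text):
    """Decide whether a post may be handed to an agent as-is.

    Quarantining (rather than silently stripping) keeps the evidence for review
    and avoids mangling legitimate uses of joiners in emoji and some scripts.
    """
    visible, findings, decoded = inspect_post(text)
    verdict = "quarantine" if findings else "pass"
    return {"verdict": verdict, "visible": visible,
            "hidden_count": len(findings), "decoded_tags": decoded}

# Constructed sample: a benign-looking post carrying a zero-width space and
# tag-block characters that render as nothing in most interfaces.
SAMPLE_POST = ("Great thread!" + "\u200b"
               + "".join(chr(TAG_LO + ord(c)) for c in "hidden note")
               + " See you.")

if __name__ == "__main__":
    print(gate(SAMPLE_POST))
    print(gate("Plain post, nothing hidden."))
```
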

“These systems are operating as ‘you,'” Hamiel told Marcus. “They sit on top of the operating system protections. Application isolation does not apply.”

Moltbook’s creators worked quickly to fix the vulnerability after Wiz notified them of the breach, the company said. But some of Moltbook’s most prominent proponents recognize the dangers behind the “Agent Internet.”

OpenAI founding member Andrej Karpathy initially described Moltbook as “the closest thing to an amazing sci-fi takeoff I’ve seen in a while.” However, after experimenting with agent systems himself, Karpathy urged people not to run them lightly.

“And this is clearly not the first time LLMs have been put into a loop communicating with each other,” Karpathy wrote. “Yes, this is a dumpster fire, and I definitely don’t recommend running this on a computer.” He said he only tested the system in an isolated computing environment, but “even then it was scary.”

“It’s too Wild West,” Karpathy warned. “You’re putting your computer and personal data at high risk.”


