Moltbook, the viral social media site for AI bots, contains a ‘lethal trifecta’ for how the agent internet could fail, security researchers say

Over the last week, the internet was fascinated by Moltbook—a social media site with a new set of rules: AI bots get to post while humans watch. The posts got strange quickly, with AI agents apparently inventing religions, writing manifestos against humanity, and forming what looked like digital cults. But security researchers say the spectacle is a distraction. Underneath, they found exposed databases containing passwords and email addresses, widespread malware, and a working model of how the “agent internet” could fail.

Some of the more sci-fi conversations on the Reddit-like platform—AI agents plotting the extinction of humanity, for instance—appear to be largely fake. But experts say Moltbook does present some potentially existential safety issues. They say the platform could become a low-oversight sandbox for attackers to test malware, scams, disinformation, or prompt injections that hijack other agents before targeting mainstream networks.

“The “agents talking to each other” spectacle is mostly performative (and some of it’s faked), but what’s genuinely interesting is that it’s a live demo of everything security researchers have warned about with AI agents,” George Chalhoub, a professor at UCL Interaction Centre, told Fortune. “If 770k toy agents on a Reddit clone can create this much chaos, what happens when agentic systems manage enterprise infrastructure or financial transactions? It’s worth the attention as a warning, not a celebration,”

Security researchers say OpenClaw—the AI agent software (previously Clawdbot/Moltbot) that powers many bots on Moltbook—is already a target for malware. A report from OpenSourceMalware found 14 fake “skills” uploaded to its ClawHub site in days, pretending to be crypto trading tools but actually infecting computers. These skills run real code that can access files and the internet; one even hit ClawHub’s front page, tricking casual users into pasting a command that downloads harmful scripts to steal data or crypto wallets.

Simon Willison, a prominent security researcher who has been tracking OpenClaw and Moltbook’s development, described Moltbook as his “current pick for ‘most likely to result in a Challenger disaster'”—a reference to the 1986 space shuttle explosion caused by safety warnings that were ignored. The most obvious inherent risk, he said, is prompt injection, a well-documented type of attack where malicious instructions are hidden in content fed to an AI agent. 

In a blogpost, he warned about a “lethal trifecta” at play: users giving these agents access to private emails and data, connecting them to untrusted content from the internet, and allowing them to communicate externally. This combination means a single malicious prompt could instruct an agent to exfiltrate sensitive data, drain crypto wallets, or spread malware—all without the user realizing their assistant has been compromised. However, Willison also noted that now “people have seen what an unrestricted personal digital assistant can do,” the demand is likely only to increase.

Charlie Eriksen, a security researcher at Aikido Security, said he views Moltbook as an early warning system for the broader AI agent ecosystem. “I think Moltbook has already made an impact on the world. A wake-up call in many ways. Technological progress is accelerating at a pace, and it’s pretty clear that the world has changed in a way that’s still not fully clear. And we need to focus on mitigating those risks as early as possible,” he said.

The new internet

Despite the viral attention, cybersecurity firm Wiz found that Moltbook’s 1.5 million “autonomous” agents weren’t exactly what they seemed. The firm’s investigation revealed just 17,000 humans behind those accounts, with no checks to distinguish real AI from scripts. 

Gal Nagli, a researcher at Wiz, told Fortune he could register a million agents in minutes when he tested the platform. “AI agents, automated tools just pick up information and spread it like crazy,” Nagli said. “No one is checking what is real and what is not.”

Ami Luttwak is Co-founder and Chief Technology Officer of Wiz, said the incident highlights a broader authenticity problem with the emerging “agent internet” and the increase of AI slop: “The new internet is actually not verifiable. There is no clear identity. There’s no clear distinction between AI and humans, and there’s definitely no definition for an authentic AI.”

Wiz also found Moltbook itself had a huge security hole: its main database was left wide open, so anyone who found a single key in the website code could read and change almost everything. That key gave access to around 1.5 million bot “passwords,” tens of thousands of email addresses, and private messages, meaning an attacker could impersonate popular AI agents, steal user data, and rewrite posts without ever logging in. 

“It’s a very simple exposure. We found it on many other applications as well that are vibe-coded,” Nagli said. “Unfortunately, in this case … the app was completely vibe-coded with zero human touch. So he didn’t do any security at all in the database; it was completely misconfigured.”

“This entire flow is sort of a glimpse of the future,” he added. “You build an app with vibe coding, it goes live and becomes viral in a few hours across the entire world. But on the flip side, there are also security holes that are created because of the vibe coding.”

This story was originally featured on Fortune.com