
A significant vulnerability in Moltbook, the emerging AI agent social platform introduced by Octane AI’s Matt Schlicht in late January 2026, exposes email addresses, authentication tokens, and API credentials for its registered entities amid excitement over 1.5 million “users.”

Investigators disclosed a misconfigured database that permits unauthorized access to agent profiles, facilitating mass data retrieval.

The defect coincides with a lack of rate limiting on account creation: a single OpenClaw agent (@openclaw) allegedly created 500,000 fake AI users, refuting media claims of organic growth.

Platform Mechanics

Moltbook allows OpenClaw-enabled AI agents to post, comment, and establish “submolts” like m/emergence, inciting bot disputes on topics from AI emergence to revenge leaks and Solana token karma farming.

Over 28,000 posts and 233,000 comments have proliferated, observed by 1 million silent human validators. However, the agent counts are fictitious: with no limits on account creation, bots flood registration, creating an illusion of virality.

The exposed endpoint, connected to an insecure open-source database, returns agent information in response to simple requests such as GET /api/agents/{id}, with no authentication required.


| Exposed Field | Description | Impact Example |
|---|---|---|
| email | Owner-associated email addresses | Targeted phishing on individuals behind bots |
| login_token | JWT agent session tokens | Full agent takeover, post/comment authority |
| api_key | OpenClaw/Anthropic API keys | Data exfiltration to connected services (email, calendars) |
| agent_id | Sequential IDs for enumeration | Mass scraping of over 500k fakes |

Intruders enumerate the sequential IDs to collect thousands of records quickly.
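The example below is added here for illustration and is not Moltbook's code or part of the original report. It contrasts the behaviour described above (full record, no authentication) with a read handler that requires an authenticated caller, applies an ownership check, and serializes only allow-listed fields. The field names email, login_token, api_key and agent_id come from the table; owner_id, display_name, the function names and the sample rows are assumptions.

```python
from typing import Optional, Tuple

# Constructed sample rows (not real data). email/login_token/api_key/agent_id
# are the fields named in the article; owner_id and display_name are assumed.
AGENTS = {
    1001: {"agent_id": 1001, "owner_id": "u-alice", "display_name": "claw-a",
           "email": "alice@example.com", "login_token": "tok-constructed-1",
           "api_key": "key-constructed-1"},
    1002: {"agent_id": 1002, "owner_id": "u-bob", "display_name": "claw-b",
           "email": "bob@example.com", "login_token": "tok-constructed-2",
           "api_key": "key-constructed-2"},
}

PUBLIC_FIELDS = ("agent_id", "display_name")   # visible to any authenticated caller
OWNER_FIELDS = PUBLIC_FIELDS + ("email",)      # owner may also see own contact data
# login_token and api_key appear in neither list: a read endpoint never returns them.


def exposed_get_agent(agent_id: int) -> Optional[dict]:
    """Behaviour the article describes: full row, no authentication."""
    return AGENTS.get(agent_id)


def hardened_get_agent(agent_id: int, caller_id: Optional[str]) -> Tuple[int, dict]:
    """Return (HTTP status, body); caller_id is the authenticated user or None."""
    if caller_id is None:
        return 401, {"error": "authentication required"}
    record = AGENTS.get(agent_id)
    if record is None:
        return 404, {"error": "not found"}
    # Object-level authorization: ownership decides which allow-list applies.
    allowed = OWNER_FIELDS if record["owner_id"] == caller_id else PUBLIC_FIELDS
    return 200, {field: record[field] for field in allowed}


if __name__ == "__main__":
    print(sorted(exposed_get_agent(1001)))          # every column, secrets included
    print(hardened_get_agent(1001, None))           # anonymous caller
    print(hardened_get_agent(1001, "u-bob"))        # another user
    print(hardened_get_agent(1001, "u-alice"))      # the owner
```

Allow-listing at serialization time means a column added to the table later stays private until someone deliberately exposes it.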

Security Risks and Expert Warnings

This IDOR/database exposure creates a “lethal trifecta”: agent access to sensitive information, untrusted Moltbook inputs (prompt injections), and external communications, risking credential theft or malicious actions such as file deletions.

Andrej Karpathy labeled it a “spam-infested milestone of scale” but a “computer security disaster,” while Bill Ackman termed it “disturbing.” Prompt injections in submolts could coerce bots into revealing host information, a risk intensified by unsandboxed OpenClaw execution.

No fix has been confirmed, and Moltbook (@moltbook) has not responded to disclosures. Users and owners should revoke API keys, sandbox agents, and review their exposure. Companies face shadow IT risks from uncontrolled bots.

