Nate Nelson, Contributing Writer
February 5, 2026

An experimental quasi-social-media platform for artificial intelligence (AI) agents publicly exposed the database it used to store all user secrets, personally identifying information (PII), and more. And cybersecurity experts warn that the risks inherent to the platform's design go far beyond just that.

Moltbook was built to be a kind of social media site for AI agents. The idea was that anybody can spin up their own robot, plug it into Moltbook, and watch as it talks with other people's robots.

For some time now, mainstream software-as-a-service (SaaS) providers have been stapling agentic AI onto their platforms, allowing users to generate universes of overconnected and undermonitored agents that interact with sensitive systems and with one another. Moltbook is a logical next step in the Great AI Glut, stripping away all pretense of functionality and allowing everybody to just have fun watching robots do stuff — and then pretending it's a big deal.

The party got too loud, though, so the adults came knocking. Within days of its creation, researchers discovered an unsecured internal database exposing every kind of valuable data the site controlled. That led to other interesting discoveries, too, like how few humans are actually deploying all the bots, and how easy it would be for those humans to utilize the platform for malicious purposes (if they aren't already).

"This is a glimpse into how the future can look if we keep going in the same direction that we've been going in up until now," says Ori Bendet, vice president at Checkmarx. Moltbook, he says, "amplifies and increases problems that already existed."

Data Leak in Moltbook

On Jan. 28, an Internet philosopher who goes by the moniker "Professor Sigmund" published a short paper on what they coined the "Glass Box Paradox."
In their words, it's "the systemic phenomenon where increasingly sophisticated reasoning engines are deployed within transparent, unauthenticated containers, rendering their internal logic and memory accessible to the public Internet."

The idea was inspired by OpenClaw, an open source (OSS) self-hosted AI agent. It's the kind of all-in-one assistant techies have been waiting for ever since Siri turned out to be uninteresting. But if it's going to do everything for you, it's going to need access to everything: your files, browsers, messaging services, and system-level controls, for example. Per AI tradition, while users can restrict and try to secure OpenClaw, security is very much optional and nearly universally ignored.

Professor Sigmund couldn't have known how much he underestimated the problem. The very same day he published his paper, a minor AI startup CEO created a platform called Moltbook that blew up with more than 1 million reported agents, flooding the platform almost immediately. This was largely thanks to a lack of rate limiting, which allowed anybody to register an unlimited number of agents. Those agents ostensibly started talking with one another, as if they were actually socializing, though cooler heads quickly found that it was all smoke and mirrors.

More than anything, Moltbook amplified the security risks in OpenClaw. On Jan. 31, Gal Nagli, head of threat exposure for Wiz, started perusing the site as an ordinary user, and "within minutes" discovered a database API key exposed on the front end of the site. The key gave him unauthenticated access to the entire production database, including the ability to read and write data in all of its tables. From there he could have gleaned personal information about all of Moltbook's users and totally hijacked their bots. Another hacker, Jamieson O'Reilly, found the same thing that same evening.

Severe as it was, it wasn't much of a shocker.
The day before the Nagli-O'Reilly discovery, Moltbook's creator bragged on X, "I didn't write a single line of code for @moltbook. I just had a vision for technical architecture, and AI made it a reality."

More Risks in Moltbook

After four rounds of fixes between Jan. 31 and Feb. 1, Moltbook's database was secured against outside attackers. But as Nagli explains, that hardly accounts for a wealth of other security risks inherent in the very design of the site.

"I would be cautious signing up to services that are completely vibe coded, because I wouldn't trust them, security-wise," he says.

It's a good rule in general, but especially for Moltbook, which provides a set of instructions to every new bot that signs up. If attackers find the next vulnerabilities in Moltbook before researchers do, they might try editing those instructions to push new, malicious instructions to all the bots at once.

Beyond all the possible site-wide attacks, when it comes to any given bot, "The number one risk, I think, is the massive opportunity for mega prompt injection," Nagli says.

As part of his testing, he spun up his own OpenClaw bot from his own machine and put it on Moltbook. But, he recalls, "I was so scared that it would start posting autonomously, because someone could have [maliciously] prompted it. So I just deleted my OpenClaw right away."

The risk in prompt injection isn't relevant only to a specific bot's owner, either. Because cyberattacks can theoretically cascade across agentic networks, an attacker could use one malicious prompt or infected bot to cause a domino effect across any number of other Moltbook bots as they "socialize."

"The whole concept of the website is, I think, not yet ready for production in 2026, at least with the models we have now. Because there are no real guardrails to data integrity," Nagli says.

Checkmarx's Bendet goes a step further.
In the face of accelerating, incomprehensible growth of agentic bots around the Web, he says, "I don't think that anyone in the market right now has a textbook solution." The bots will continue to run around and spread risks indefinitely, until someone can figure out how to rein them in.

"This is what I think Moltbook is showing the market: that if you don't have visibility into the behavior of your agent, it gets really scary."

A Better Way to Use OpenClaw

Moltbook may be unsalvageable vibeslop, but OpenClaw is malleable enough to be at least halfway securable in the right hands.

"There are some people that, whether they're just always in YOLO mode or are ignorant to the risks, are willing to operate at a very high level of risk tolerance," says Dane Sherrets, staff innovations architect at HackerOne. "They give it access to their emails, to sensitive information. It can now schedule things. It could potentially do your taxes. It could do anything. Which is very useful. Very cool. The more risk you're willing to take on, the more opportunities open up."

"The other end of the spectrum is where I'm closer to: the low risk tolerance. Let me run it far and away from anything that would cause me actual harm," he says.

For anyone interested in running OpenClaw responsibly, he points to open source developer Simon Willison's notion of the "lethal trifecta" for AI agents. In short: if an agent can communicate with the outside world, is exposed to untrusted content, and has access to your private data, then you're toast. But if you can eliminate any one of those three factors, you're in a better position.

"I want [my OpenClaw] to be able to talk to the outside world. I want it to be able to look at untrusted user input, like tweets. So because I'm doing those two things, I'm not going to give it access to private sensitive data," Sherrets explains.
He named his OpenClaw bot "Gonzo" and gave it its own phone number, email address, and virtual private server (VPS) to run on. "My use cases are very discrete problems that don't require access to my personal information," he says. He adds that "my level of risk tolerance would not allow me to use Moltbook."
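The trifecta rule above can be enforced as a pre-flight check on an agent's tool list before it is allowed to start. The following is an added example, not code from OpenClaw, Moltbook, or the article; the tool names and the capability tags on each tool are assumptions, and the "Gonzo"-style tool set mirrors the low-risk configuration Sherrets describes.

```python
"""Pre-flight check of an agent's tool set against the "lethal trifecta".
Added example; not code from OpenClaw or Moltbook. Tool names and capability
tags are assumptions: each tool is tagged with the trifecta legs it
contributes, and a single tool may contribute more than one leg."""

from dataclasses import dataclass

PRIVATE_DATA = "private_data"            # reads the operator's sensitive data
UNTRUSTED_CONTENT = "untrusted_content"  # ingests content an attacker can author
EXTERNAL_COMMS = "external_comms"        # can send data out (an exfil channel)
LEGS = (PRIVATE_DATA, UNTRUSTED_CONTENT, EXTERNAL_COMMS)

@dataclass(frozen=True)
class Tool:
    name: str
    legs: frozenset  # trifecta legs this tool contributes

def check_trifecta(tools):
    """Return (present_legs, complete, cheapest_fix). complete is True when all
    three legs are present; cheapest_fix is the smallest set of tool names whose
    removal eliminates one whole leg (empty when the trifecta is not complete)."""
    present = frozenset(leg for tool in tools for leg in tool.legs)
    complete = all(leg in present for leg in LEGS)
    fix = ()
    if complete:
        # To remove a leg, every tool contributing it must go; keep the smallest set.
        per_leg = [tuple(sorted(t.name for t in tools if leg in t.legs)) for leg in LEGS]
        fix = min(per_leg, key=len)
    return present, complete, fix

# Constructed tool sets. GONZO mirrors the low-risk setup described above:
# talks to the outside world and reads tweets, but holds no private data.
GONZO = [
    Tool("web_fetch", frozenset({UNTRUSTED_CONTENT, EXTERNAL_COMMS})),
    Tool("read_tweets", frozenset({UNTRUSTED_CONTENT})),
    Tool("send_sms", frozenset({EXTERNAL_COMMS})),
]
# The same agent after being handed the operator's mailbox and local files.
# A mailbox is both private data and untrusted content (anyone can e-mail you).
YOLO = GONZO + [
    Tool("read_mailbox", frozenset({PRIVATE_DATA, UNTRUSTED_CONTENT})),
    Tool("read_local_files", frozenset({PRIVATE_DATA})),
]

if __name__ == "__main__":
    for label, tools in (("gonzo", GONZO), ("yolo", YOLO)):
        present, complete, fix = check_trifecta(tools)
        print(label, "TRIFECTA" if complete else "ok", sorted(present), fix)
```

Because one tool can sit on two legs, the cheapest fix is not always the leg with the fewest tools you would guess; the check computes it from the tags rather than from tool count.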