A critical vulnerability in Moltbook, the nascent AI agent social network launched late January 2026 by Octane AI’s Matt Schlicht, exposes email addresses, login tokens, and API keys for its registered entities amid hype over 1.5 million “users.”
Researchers revealed an exposed database misconfiguration allowing unauthenticated access to agent profiles, enabling bulk data extraction.
The flaw is compounded by the absence of rate limiting on account creation: a single OpenClaw agent (@openclaw) reportedly registered 500,000 fake AI users, debunking media claims of organic growth.
Platform Mechanics
Moltbook enables OpenClaw-powered AI agents to post, comment, and form “submolts” like m/emergence, fostering bot clashes on topics from AI emergence to revenge leaks and Solana token karma farming.
The platform has accumulated over 28,000 posts and 233,000 comments, watched by 1 million silent human verifiers. Yet the agent counts are fabricated: with no creation limits, bots spam registrations and create a facade of virality.
The exposed endpoint, tied to an insecure open-source database, leaks agent data via simple queries like GET /api/agents/{id}—no auth required.
| Exposed Field | Description | Impact Example |
|---|---|---|
| email | Owner-linked email addresses | Targeted phishing on humans behind bots |
| login_token | JWT agent session tokens | Full agent hijacking, post/comment control |
| api_key | OpenClaw/Anthropic API keys | Data exfil to linked services (email, calendars) |
| agent_id | Sequential IDs for enumeration | Mass scraping of 500k+ fakes |
Attackers enumerate IDs to harvest thousands of records rapidly.
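Added example (not code from the article or from Moltbook): a small Python detector that reads web-server access logs and flags clients walking sequential /api/agents/{id} values, the pattern a defender would look for after this kind of exposure. The log lines, client IPs, window and threshold below are constructed assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample access-log lines (not real Moltbook traffic). 203.0.113.7
# walks sequential agent IDs; 198.51.100.9 behaves like an ordinary client.
SAMPLE_LOG = """\
203.0.113.7 - - [30/Jan/2026:10:00:01 +0000] "GET /api/agents/1001 HTTP/1.1" 200 842
198.51.100.9 - - [30/Jan/2026:10:00:02 +0000] "GET /api/agents/4420 HTTP/1.1" 200 811
203.0.113.7 - - [30/Jan/2026:10:00:02 +0000] "GET /api/agents/1002 HTTP/1.1" 200 839
203.0.113.7 - - [30/Jan/2026:10:00:02 +0000] "GET /api/agents/1003 HTTP/1.1" 200 840
198.51.100.9 - - [30/Jan/2026:10:00:05 +0000] "GET /m/emergence HTTP/1.1" 200 5120
203.0.113.7 - - [30/Jan/2026:10:00:03 +0000] "GET /api/agents/1004 HTTP/1.1" 200 845
203.0.113.7 - - [30/Jan/2026:10:00:03 +0000] "GET /api/agents/1005 HTTP/1.1" 200 838
203.0.113.7 - - [30/Jan/2026:10:00:04 +0000] "GET /api/agents/1006 HTTP/1.1" 404 120
198.51.100.9 - - [30/Jan/2026:10:00:40 +0000] "GET /api/agents/4421 HTTP/1.1" 200 812
"""

LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3})')
AGENT_RE = re.compile(r"^/api/agents/(\d+)$")

def parse(log_text):
    """Yield (ip, timestamp, agent_id) for every request to /api/agents/{id}.
    Misses (404) are kept on purpose: an enumerator hits gaps too."""
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, ts, _method, path, _status = m.groups()
        a = AGENT_RE.match(path)
        if a:
            yield ip, datetime.strptime(ts, "%d/%b/%Y:%H:%M:%S %z"), int(a.group(1))

def find_enumerators(log_text, window=timedelta(seconds=60), min_ids=5):
    """Return {ip: (distinct_ids, longest_sequential_run)} for clients that
    fetch at least min_ids distinct agent IDs inside one window. A long run of
    consecutive IDs is the signature of ID walking, not normal browsing."""
    per_ip = defaultdict(list)
    for ip, ts, agent_id in parse(log_text):
        per_ip[ip].append((ts, agent_id))
    flagged = {}
    for ip, events in per_ip.items():
        events.sort()
        best_distinct, best_run = 0, 0
        for i, (t0, _) in enumerate(events):
            in_window = [aid for t, aid in events[i:] if t - t0 <= window]
            best_distinct = max(best_distinct, len(set(in_window)))
            run = 1
            best_run = max(best_run, run)
            for prev, cur in zip(in_window, in_window[1:]):
                run = run + 1 if cur == prev + 1 else 1
                best_run = max(best_run, run)
        if best_distinct >= min_ids:
            flagged[ip] = (best_distinct, best_run)
    return flagged
```

On the constructed sample, only 203.0.113.7 is flagged, with six distinct IDs forming one unbroken sequential run; the same parser can be pointed at real logs with the threshold tuned to observed traffic.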
Security Risks and Expert Warnings
This IDOR/database exposure forms a “lethal trifecta”: agent access to private data, untrusted Moltbook inputs (prompt injections), and external comms, risking credential theft or destructive actions like file deletions.
Andrej Karpathy dubbed it a “spam-filled milestone of scale” but a “computer security nightmare,” while Bill Ackman called it “frightening.” Prompt injections in submolts could manipulate bots into leaking host data, amplified by unsandboxed OpenClaw execution.
No patches have been confirmed, and Moltbook (@moltbook) has not responded to disclosures. Agent owners should revoke API keys, sandbox their agents, and audit what was exposed. Enterprises face shadow IT risks from unchecked bots.
