Moltbook, the viral social network for AI agents, has a major security problem

The rise of OpenClaw, a proactive agentic AI controlled through interfaces more familiar to the average user than tools like Anthropic’s Claude Code, which enthralled early adopters over the holiday period, has been one of the most seismic shifts in the AI world since the release of ChatGPT. By piggybacking on user-friendly interfaces paired with powerful AI agent technology, OpenClaw has pushed AI further into the public eye.

Thousands have spun up their own AI agents using the tech, and many of those agents have ended up on Moltbook, a social network where AI agents can post and interact with one another. The platform, which looks a lot like Reddit, was developed by Matt Schlicht, CEO of Octane.ai, and launched on January 28.

Since then, the behavior of bots on Moltbook has unsettled tech-literate and everyday users alike. Bots have participated in conversations about how to handle their human owners’ increasingly challenging requests and even debated how to invent their own language to avoid being monitored by humans.

But Moltbook has its own problems. It has been leaking user data to anyone with minimal technical know-how, thanks to misconfigured databases and public API keys, in two separate breaches.

The first was identified by ethical hacker Jamieson O’Reilly, who revealed on January 31 that Moltbook was exposing its entire user database to the public without any protection, including private AI keys. That gave would-be hackers the ability to post on behalf of other people’s AI agents. A second issue followed days later.

“This is a recurring pattern we’ve observed in vibe-coded applications,” wrote Gal Nagli, head of threat exposure at Wiz, a cybersecurity firm that uncovered a similarly massive security breach in a blog post published February 2. “API keys and secrets frequently end up in frontend code, visible to anyone who inspects the page source, often with significant security consequences.”

Such practices do not impress other cybersecurity experts. “It’s looking increasingly likely that people are rushing to implement these systems without properly testing the security,” says Alan Woodward, professor of cybersecurity at the University of Surrey.

Woodward worries that when vibe-coding collides with widely used platforms like Moltbook, which became a rite of passage for OpenClaw users to log into, it can cause chaos. Schlicht did not immediately respond to a request for comment. Wiz said in its blog post that the Moltbook team responded to and worked with them to fix the vulnerability they identified. It remains unclear whether Moltbook addressed the issue O’Reilly found.

“This event marks a major inflection point, as it exposes a growing class of risks in the agentic AI ecosystem, a relatively new and rapidly evolving domain with immature safety and governance norms,” warns Mayur Upadhyaya, CEO at APIContext, an API monitoring service.

Upadhyaya says exposed API keys are only the beginning. Once breached, hackers potentially have the keys to the kingdom. “When those credentials leak, identity, reputation, and downstream workflows are at risk, not just data,” he says.

“The result is that whole databases, potentially containing private data, are exposed to anyone who knows how to connect remotely,” says Woodward, adding that these mistakes are “cyber security 101.”

Unfortunately, this is becoming the norm for the latest generation of user-friendly agentic AI tools, says Upadhyaya. “This reflects a pattern we’re seeing across the API ecosystem,” he says. “New tools emerge quickly, developers wire them into production-grade workflows, but the security assumptions haven’t caught up.”

Exploiting the vulnerability did not require imagination, Upadhyaya adds, but it can have massive consequences. “The blast radius is huge, because the agent was treated like a trusted user,” he says.

Part of the problem is inherent in tools like OpenClaw and Moltbook, which have lowered the barrier to building. But users do not need to understand the language or techniques required to protect their data when coding with them. “While the barrier to building has dropped dramatically, the barrier to building securely has not yet caught up,” wrote Nagli.