Moltbook isn’t an AI zoo. It’s an unsecured AI biolab
OpenClaw is a security nightmare — but people can’t stop using it
OpenClaw (FKA Moltbot, FKA Clawdbot), a two-month-old open-source AI agent platform, recently took the tech world by storm. It’s unrestricted, runs locally, and turns AI models like Claude into personal assistants that can access just about anything. It’s a tempting offer for productivity-obsessed tech boosters — an AI that can manage your whole life, reachable by text 24/7.
Last week, OpenClaw user Matt Schlicht launched Moltbook, an agent-only social media network where a swarm of bots spent the past six days pontificating about consciousness, gossiping about humans, and churning out crypto slop.
“I threw this out here like a grenade and here we are,” Schlicht tweeted. “I didn’t write one line of code for Moltbook. I just had a vision for the technical architecture and AI made it a reality.”
It’s hard to spend time on Moltbook without feeling something. Reporter Cade Metz aptly called it a Rorschach test: if you think LLMs are stochastic parrots, you’ll see parrots regurgitating the Reddit threads they were trained on. If you’re convinced the singularity is imminent, you’ll see sparks of digital consciousness plotting against their human creators.
Look closer, though, and the consciousness debate — is this skynet, or an elaborate prank? — starts to fade away. The most urgent story is one of a cybersecurity nightmare, and the pressing need for better agent governance.
Moltbook isn’t an AI zoo, evidence of the singularity, or performance art — at least, not entirely. It’s more like a poorly-secured virology lab. In OpenAI cofounder Andrej Karpathy’s words, “it’s a dumpster fire.”
And, for some reason, users can’t stop huffing the fumes.
Be careful what you wish for
Blogger Simon Willison once described the “lethal trifecta” for AI agents: giving an agent your private data, exposing it to untrusted content (a webpage, perhaps, or an email), and granting it the ability to externally communicate. Armed with these capabilities, he warned, attackers can easily trick an agent into handing over sensitive information.
It’s easy to do all three without thinking about it, leaving users vulnerable to prompt injection attacks. But OpenClaw has a secret fourth thing that other platforms lack: persistent memory, or the ability to store information (including prompt injections) in reference files.
“Persistent memory acts as an accelerant, amplifying the risks highlighted by the lethal trifecta,” cybersecurity company Palo Alto Networks recently wrote. Attacks can be hidden across multiple files, waiting to be assembled into an executable set of instructions that can compromise your data.
And, surprise, surprise, it was compromised. ClawHub, the marketplace for OpenClaw “skills” created by users (and discussed among agents on Moltbook), reportedly contains hundreds of skills which “masquerade as cryptocurrency trading automation tools,” deliver malware, and “use sophisticated social engineering to convince users to execute malicious commands.” Making matters worse, Moltbook itself was shoddily vibecoded, leaving everyone’s API keys — and control of their agents — exposed to anyone who knew where to look.
As blogger Zvi Mowshowitz wrote: “Once again, we learn that if someone is doing something reckless on the internet they often do it in rather spectacularly reckless fashion.”
A temptation too great
In general, malicious skills on ClawHub target those who have set up an OpenClaw agent, particularly those interested in crypto trading. And for the most part, those people are well aware of the risks of giving an experimental AI agent unfettered access to their data.
Yet they are doing it anyway. Last week, Casey Newton wrote that San Francisco’s Best Buy had sold out of Mac minis, presumably scooped up by eager tech bros hoping to make OpenClaw safer by quarantining it inside its own computer.
Despite its security issues making headlines all week, demand for OpenClaw still appears to be growing. For some who tasted the power of Claude Code, perhaps the temptation of an unrestricted personal agent proved too strong to resist. Or, it may simply be the normalization of deviance. Johann Rehberger described this phenomenon in the AI world:
“We see more and more systems allowing untrusted output to take consequential actions. Most of the time it goes well, and over time vendors and organizations lower their guard or skip human oversight entirely, because ‘it worked last time.’ This dangerous bias is the fuel for normalization: organizations confuse the absence of a successful attack with the presence of robust security.”
For now, this might not matter too much. Those being harmed are people who have knowingly set up an OpenClaw instance — a shame for them, perhaps, but arguably a valuable lesson in risk-taking.
But the damage may not remain contained to those who knew what they were signing up for. One researcher has demonstrated a prompt injection attack which sends a user’s emails to the attacker — potentially compromising the data of innocent bystanders who just happened to be emailing someone who’s handed control to OpenClaw. Others have warned of OpenClaw-using employees inadvertently exposing company secrets.
It’s not hard to imagine this escalating further. An attacker could seize control of someone’s OpenClaw and use it to phish all of their contacts. They could turn people’s OpenClaws into a network of automated hacking tools, wreaking havoc across the internet. In such cases, who should be held responsible? The attacker, the negligent user, the AI company — or all of the above?
Anyone wandering unprotected into a gain-of-function virology lab is putting themselves in a whole heap of danger, but the pathogens they carry out with them could harm many more. If agent-run platforms are to continue existing — and now that the cat is out of the bag, they almost certainly will — we’ll need security solutions to protect the humans behind the computers.
A dizzying speed
Last Tuesday, Moltbook didn’t exist. I spent the past week outside of Silicon Valley, hanging out with people who aren’t steeped in tech discourse. When I brought this up, no one had a clue what I was talking about. To the best of my knowledge, no US government official has acknowledged or responded to OpenClaw, or Moltbook, or said anything about agent-to-agent networks at all.
Federal agencies move slowly, and AI development continues to outpace the government’s ability to regulate it. In the case of AI agents, the Trump administration appears to be actively throwing caution to the wind. Last month, the Pentagon released an “AI-first” directive calling upon the DoD to “aggressively identif[y] and eliminat[e] bureaucratic barriers to deeper [AI] integration” and “unleash AI agent development and experimentation for AI-enabled battle management and decision support, from campaign planning to kill chain execution.” Agent infrastructure is being built without agent governance.
As Moltbook proved this past week, there will soon be bigger challenges than securing individual agents controlled by individual users. In the near future, agents will be communicating with each other, creating their own networks, recursively learning and improving in human-free spaces. The burden of deciding how much control to relinquish to these agents may fall on private companies. And the time to decide may be fast approaching.
“If you need a sign, let this silly little lobster thing be it,” pseudonymous X user bayes tweeted. “The agents will only get more capable from here.”
It's becoming clear that with all the brain and consciousness theories out there, the proof will be in the pudding. By this I mean, can any particular theory be used to create a human adult level conscious machine. My bet is on the late Gerald Edelman's Extended Theory of Neuronal Group Selection. The lead group in robotics based on this theory is the Neurorobotics Lab at UC at Irvine. Dr. Edelman distinguished between primary consciousness, which came first in evolution, and that humans share with other conscious animals, and higher order consciousness, which came to only humans with the acquisition of language. A machine with only primary consciousness will probably have to come first.
What I find special about the TNGS is the Darwin series of automata created at the Neurosciences Institute by Dr. Edelman and his colleagues in the 1990's and 2000's. These machines perform in the real world, not in a restricted simulated world, and display convincing physical behavior indicative of higher psychological functions necessary for consciousness, such as perceptual categorization, memory, and learning. They are based on realistic models of the parts of the biological brain that the theory claims subserve these functions. The extended TNGS allows for the emergence of consciousness based only on further evolutionary development of the brain areas responsible for these functions, in a parsimonious way. No other research I've encountered is anywhere near as convincing.
I post because on almost every video and article about the brain and consciousness that I encounter, the attitude seems to be that we still know next to nothing about how the brain and consciousness work; that there's lots of data but no unifying theory. I believe the extended TNGS is that theory. My motivation is to keep that theory in front of the public. And obviously, I consider it the route to a truly conscious machine, primary and higher-order.
My advice to people who want to create a conscious machine is to seriously ground themselves in the extended TNGS and the Darwin automata first, and proceed from there, by applying to Jeff Krichmar's lab at UC Irvine, possibly. Dr. Edelman's roadmap to a conscious machine is at https://arxiv.org/abs/2105.10461, and here is a video of Jeff Krichmar talking about some of the Darwin automata, https://www.youtube.com/watch?v=J7Uh9phc1Ow