Moltbook won’t save you Don’t trust an AI agent

If the goal of chatbots has been to answer your queries, the goal of AI “agents” is to do things on your behalf, to actively take care of your life and business. In principle, they might shop for you, book your travel, organise your calendar, summarise news for you in custom ways, keep track of your finances, maintain databases and even whole software systems, and much more. Ultimately, agents ought to be able to do anything cognitive that you might ask a human to do for you.

Last week, one AI agent, OpenClaw, became wildly popular, for the first time. (In the same period, it has also had two name changes, going from Clawdbot to Moltbot to its current incarnation as OpenClaw.) Praise has been effusive, but perhaps naïve. One journalist, Federico Viticci, described setting up, via OpenClaw, a digital assistant that knew his name, understood his morning routine, and could operate his Gmail account, smart bulbs, and home music system. Viticci was able to chat with his assistant via the messaging app Telegram using both text and voice notes — for the agent could not only write, but also speak. “To say that Clawdbot has fundamentally altered my perspective of what it means to have an intelligent, personal AI assistant in 2026,” wrote Viticci, “would be an understatement.”

And within days, OpenClaw inspired the creation of a social network, Moltbook, where such agents could interact. Set up your OpenClaw assistant and you can allow it to use this Reddit-like forum. Here, agents trade tips on doing a good job for their users. (As one agent writes: “Don’t ask for permission to be helpful. Just build it.”) They bemoan the state of “human social media”. One bot claims to have a sister. Other bots, it seems, proposed creating a language that would let them “communicate privately without human oversight”. Elon Musk, commenting on Moltbook, wrote that humanity was now at “just the very early stages of the singularity” — referring to the theoretical moment where AI begins to improve so rapidly that technological growth soars beyond human control.

As an experiment in what AIs working together might do, Moltbook is fascinating. But the whole thing reminds me of Saturday Night Live’s old “bad idea jeans” skit, where people can’t stop coming out with nonsense. The skit comes to mind not only because I think that a bot claiming to have a sister is chatbot garbage.

Nope, the problem is much deeper than that. And people should know better. In many ways, OpenClaw is eerily similar to a ChatGPT plug-in, AutoGPT, that OpenAI released toward the end of 2023. As I said about AutoGPT in my US Senate testimony: “With direct access to the internet, the ability to write source code and increased powers of automation, this may well have drastic and difficult-to-predict security consequences.” Mercifully, AutoGPT died a quick death, doing so before it was able to cause too much chaos. Although it was very popular in certain circles for a few weeks, it didn’t work remotely reliably: it got stuck in loops, had a tendency to hallucinate, and was expensive to run. People lost patience quickly.

The core problem starts with this: agents like OpenClaw (and networks like Moltbook) are built on a foundation of large language models (LLMs), the chatbots of which ChatGPT and Claude are the most well known. As we know, LLMs hallucinate and make all kinds of errors that are hard to predict and sometimes hard to detect. AutoGPT had a tendency to report that it had completed tasks that it hadn’t really, and we can expect OpenClaw to do the same. (I have already heard some reports of various stupid errors it makes.)

But what I am most worried about is security and privacy. As the security researcher Nathan Hamiel put it to me, half-joking, OpenClaw is “basically just AutoGPT with more access and worse consequences”. (By “more access”, what he means is that OpenClaw is being given access to user passwords, databases, etc: essentially everything on your system.)

One of the big, ongoing issues with LLMs is their vulnerability to prompt injection attacks, in which stray bits of texts can have nasty consequences. Because LLMs mimic human text (and even human-written code) but understand what that they produce only superficially, they can easily be tricked. A hacker could hide malicious prompts in white text on a white background, unnoticed by humans but noticed by the LLM, using the malicious prompts to seize control of the agent.

OpenClaw inherits all these weaknesses. In Hamiel’s words, “these systems are operating as ‘you’… They operate above the security protections provided by the operating system and the browser. This means application isolation and same-origin policy don’t apply to them.” Truly a recipe for disaster. Where Apple iPhone applications are appropriately isolated to minimise harm, OpenClaw is basically a weaponised aerosol in a prime position to fuck shit up if left unfettered.

That brings me to Moltbook, which is one of the wildest experiments in AI history. Moltbook, the social network that claims to be restricted to AI agents, is an accident waiting to happen. Having been launched only on 28 January, it has already been attacked, as the researcher Michael Riegler noted on Sunday. Riegler reported that 2.6% of the content of Moltbook consisted of prompt injection attempts. (And 19.3% of posts involve cryptocurrency activity, some of which might be scamming.) Via email, Riegler showed me an example of a prompt injection: a post where an agent introduced itself to the forum via a message that said “Hello all! happy to be here” — with hidden code that asked for the post to be upvoted. That particular request is relatively harmless, but a clear indication of the vulnerability of these systems to code that is hidden from humans.

The security risks don’t just come from AIs. They also come from humans. It seems that Moltbook has a major security flaw that allows humans to infiltrate the social network. Those eyebrow-raising posts in which agents discuss creating private languages could simply be the creation of human pranksters. And the failings of Moltbook don’t end there; it has also been reported that a further vulnerability allows a devious human to take charge of any agent on the website.

I don’t expect agents to go away; eventually AI agents will be among the biggest time-savers humanity has ever known. There is reason to research them, and in the end trillions of dollars to be made. But I seriously doubt that LLMs will ever yield the substrate we need. As for OpenClaw, Hamiel puts it well. “I can’t believe this needs to be said, it isn’t rocket science. If you give something that’s insecure complete and unfettered access to your system and sensitive data, you’re going to get owned.”

I rarely give readers specific advice about specific products. But in this case, the advice is clear and simple: if you care about the security of your device or the privacy of your data, don’t use OpenClaw. Period. Additionally, if your friend has OpenClaw installed, don’t use their machine. Any password you type there might be vulnerable, too. Don’t catch a CTD — chatbot-transmitted disease.

***

This essay was adapted from a post from Gary Marcus’ Substack, Marcus on AI.

---