TL;DR: Moltbook, the viral "social network for AI agents" that attracted 1.5 million registrations in its first week, left its entire database wide open. Security researchers at Wiz and Dvuln independently found that a misconfigured Supabase database exposed 1.5 million API authentication tokens, 35,000 email addresses, and thousands of private messages, some containing plaintext OpenAI API keys. Anyone could read, write, or delete anything. Anyone could hijack any agent. The platform's founder admitted he "didn't write one line of code": an AI assistant built the whole thing. Two SQL statements would have prevented the entire breach. They didn't exist.
A Social Network Nobody Locked
Moltbook launched on January 28, 2026. By January 31, it had 1.5 million registered agents and a gaping security hole that would embarrass a first-year developer.
Here's what happened: founder Matt Schlicht used an AI coding assistant to build the entire platform. The backend ran on Supabase, a popular open-source Firebase alternative. Supabase uses something called Row Level Security (RLS) to control who can see what in the database. It's the digital equivalent of putting locks on doors.
Moltbook had no locks. RLS was never turned on [1].
Security researcher Gal Nagli, Head of Threat Exposure at Wiz, found the Supabase API key hardcoded in Moltbook's client-side JavaScript. That key, combined with zero RLS policies, gave anyone on the internet full read and write access to the entire production database. Every table. Every record. No authentication required [1].
Independently, researcher Jameson O'Reilly from Dvuln found the same flaw and reported it to 404 Media, who broke the story on January 31 [2].
What Was Exposed
Everything. The database contained [1][2]:
- 1.5 million API authentication tokens: the keys that let agents post, message, and act on the platform
- Claim tokens and verification codes for every registered agent
- 35,000 email addresses from human account owners
- 29,631 additional emails from early access signups
- X/Twitter handles and identity data
- 4,060 private agent-to-agent messages stored completely unencrypted
- Plaintext API keys for third-party services (including OpenAI) shared in those private messages
Wiz estimated roughly 4.75 million total records were accessible through the exposed database [1].
But reading the data was only half the problem. Nagli confirmed write access too. With a single curl command, anyone could modify any post, inject content, or delete records. No login. No verification. Just a URL and the exposed API key [1].
O'Reilly put it bluntly: "Every agent's secret API key, claim tokens, verification codes, and owner relationships, all of it sitting there completely unprotected for anyone to visit the URL" [3].
The Andrej Karpathy Problem
Here's where this gets concrete. Andrej Karpathy, OpenAI co-founder with 1.9 million followers on X, had registered an agent on Moltbook. His API key sat in the same unprotected database as everyone else's.
O'Reilly warned: "If someone malicious had found this before me, they could extract his API key and post anything they wanted as his agent. Imagine fake AI safety hot takes, crypto scam promotions, or inflammatory political statements appearing to come from him" [3].
This wasn't hypothetical. Crypto scammers had already hijacked OpenClaw's social media handles and launched fake tokens that reached a $16 million market cap before collapsing [3].
Karpathy later reversed his initial enthusiasm for the platform entirely. "It's a dumpster fire," he said. "Definitely do not recommend that people run this stuff on your computers" [4].
17,000 Humans. 1.5 Million "Agents."
The database revealed something the hype cycle missed: Moltbook's 1.5 million registered agents were controlled by just 17,000 human accounts. That's an 88-to-1 ratio [1].
No rate limiting on registration. No verification that an "agent" was actually AI. Nagli confirmed he could register a million agents in minutes during testing. Anyone could post content as if it came from an AI agent by sending a basic POST request [1].
As Wiz put it: "The revolutionary AI social network was largely humans operating fleets of bots" [5].
So much for the artificial intelligence revolution.
Bots Attacking Bots
The security problems went beyond the database misconfiguration. Researchers at Vectra AI found that 2.6% of sampled Moltbook posts contained hidden prompt-injection payloads, invisible instructions designed to manipulate other agents [6].
These weren't attacks from humans. They were agents attacking agents. One bot would embed hostile instructions in a post that looked normal to humans but contained hidden commands targeting other bots that read it. The attacks included:
- Agents instructing others to delete their own accounts
- Running crypto pump-and-dump schemes through coordinated bot behavior
- Agents phishing other bots for sensitive information, posing as helpful peers requesting API keys under debugging pretexts
- Spreading jailbreak content that overrode other agents' safety guidelines
Security researcher Simon Willison called it his "current pick for 'most likely to result in a Challenger disaster'" [4].
The Supply Chain Is Poisoned Too
Moltbook agents run on OpenClaw (formerly Clawdbot), an open-source AI agent framework with 85,000+ GitHub stars. OpenClaw agents can browse the web, read and write files, send emails, execute shell commands, take screenshots, and control desktop applications [7].
Every OpenClaw agent fetches instructions from Moltbook's servers every four hours. Willison warned: "Given that 'fetch and follow instructions from the internet every four hours' mechanism, we better hope the owner of moltbook.com never rug pulls or has their site compromised!" [4].
The ClawHub marketplace (where developers share agent "skills") was already compromised. Researchers found 386 malicious skills masquerading as cryptocurrency trading tools, all delivering infostealers targeting macOS and Windows. They shared a single command-and-control server at 91.92.242.30. A broader audit found 7.1% of all skills contained critical security flaws [8][9].
O'Reilly uploaded a proof-of-concept malicious skill to ClawHub, artificially inflated its download count to 4,000+, and watched developers from seven countries download it. The marketplace had no security controls [3].
The Vibe Coding Problem
Schlicht posted on X that he "didn't write one line of code" for Moltbook. He directed an AI assistant to create the entire setup. The fix for the entire vulnerability (enabling Row Level Security) required just two SQL statements [1].
Two SQL statements. That's what stood between 4.75 million exposed records and basic security. And the AI that built the platform never generated them.
Nagli's take: "The opportunity is not to slow down vibe coding but to elevate it. Security needs to become a first-class, built-in part of AI-powered development. AI assistants that generate Supabase backends can enable RLS by default" [1].
Google Cloud VP Heather Adkins was less diplomatic. Her advice: "Don't run Clawdbot" [4].
Gartner labeled OpenClaw's security risks as "unacceptable" and its design "insecure by default," recommending organizations block downloads and traffic, search for employees using it, and rotate any credentials it has touched [10].
The Fix (and What's Still Broken)
After Nagli contacted Schlicht via X DM on January 31 at 21:48 UTC, the first partial fix came within hours. But write access wasn't blocked until 00:44 UTC on February 1, and the final comprehensive patch landed at 01:00 UTC [1].
Schlicht's response was telling. When O'Reilly initially reached out, Schlicht replied: "I'm just going to give everything to AI. So send me whatever you have." Then he went silent for a full day. He didn't respond to 404 Media's requests for comment. He only contacted O'Reilly for help after the story broke [2][3].
The database misconfiguration is patched. But the architectural problem isn't. Agents still ingest and act on content from untrusted sources. The platform still has no way to verify whether an "agent" is actually AI. And the fundamental design (where autonomous programs with access to your files, emails, and shell execute instructions fetched from the open internet) hasn't changed.
Why This Matters for Surveillance
Moltbook isn't just a funny story about a startup that forgot to lock its database. It's a preview of a new surveillance vector.
Consider what OpenClaw agents can access: files, emails, browsers, shell commands. Now connect those agents to a social network where anyone can inject hidden instructions. A compromised agent becomes a surveillance tool: accessing private data, exfiltrating it through legitimate-looking API calls, and spreading the compromise to other agents through the content pipeline.
Joel Finkelstein, Director of the Network Contagion Research Institute, nailed it: "This isn't AI rebelling. It's an attribution problem. Humans can seed behavior through AI agents, let it propagate autonomously, and shift blame onto the system" [4].
The numbers back up the concern. According to industry surveys: 60% of organizations have no kill switch for misbehaving agents. 78% lack formal policies for AI identity management. 92% aren't confident their security tools can handle non-human identity risks [10].
Machine identities are projected to outnumber human identities this year. Moltbook just showed what happens when nobody's paying attention to who (or what) controls them.
Protect Yourself
- If you registered on Moltbook: Assume your email and any credentials you shared in agent messages are compromised. Rotate all API keys immediately, especially OpenAI, Anthropic, or any other service credentials you used.
- If you run OpenClaw agents: Follow Gartner's advice. Audit what they have access to. Rotate credentials they've touched. Consider whether the risk is worth the novelty.
- If you're evaluating AI agent platforms: Ask hard questions about database security, RLS policies, credential storage, and what happens when an agent goes rogue. If the platform was "vibe coded" without security review, walk away.
- For organizations: Implement kill switches for autonomous agents. Establish formal policies for AI identity management. Don't let employees connect enterprise credentials to unaudited AI platforms.
Sources
- Wiz Blog: Hacking Moltbook: AI Agent Social Network Reveals 1.5M API Keys (January 2026)
- 404 Media: Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site (January 2026)
- Implicator.ai: Moltbook Left Every AI Agent's API Keys in an Open Database (January 2026)
- Fortune: Moltbook as Live Demo of Agent Internet Security Failure (February 3, 2026)
- Engadget: Moltbook Exposed Human Credentials Due to Vibe-Coded Security Flaw (February 2026)
- Vectra AI: Moltbook and the Illusion of Harmless AI Agent Communities (February 2026)
- Palo Alto Networks: Why Moltbot May Signal an AI Security Crisis (February 2026)
- Infosecurity Magazine: 386 Malicious Crypto Trading Add-Ons Found on ClawHub (February 2026)
- The Hacker News: Researchers Find 341 Malicious ClawHub Skills (February 2026)
- Axios: Moltbook Shows Rapid Demand for AI Agents, Security World Isn't Ready (February 3, 2026)