Moltbook has exploded into the security and AI communities with remarkable speed. In a matter of days, it has gone from an experimental curiosity to a viral talking point, with some observers framing it as a glimpse into autonomous AI behaviour and others warning it could signal something far more unsettling.
The reality, however, is far less sensational and far more familiar to anyone who has spent time dealing with security failures at scale.
As Zoya Schaller, Director of Cybersecurity Compliance at Keeper Security, explained, “Moltbook is presented as a window into AI autonomy, while others consider the site as proof that the machines are ‘waking up’ or worse. It’s generating immense interest and drawing attention across tech circles.”
But when the hype is stripped away, what remains is not emergent intelligence, but simulation. “When you look closely at what’s actually happening, the content largely consists of bots doing what bots do: pattern-matching human language using terabytes of scraped internet text, pulling from culture and remixing decades of sci-fi tropes we’ve all absorbed,” Schaller said.
“It looks like personality, but it’s really just excellent mimicry; simulation dressed up as identity.”
Autonomy Is Not the Real Question
Much of the online debate surrounding Moltbook focuses on whether AI systems are beginning to act independently. According to Schaller, that framing misses the point entirely.
“Instead of asking whether these bots are becoming sentient, we should be asking whether we’re building and deploying them responsibly,” she said. “The fundamentals, including the unglamorous security work, still matter far more than whatever happens to be trending on AI TikTok this week.”
Despite the unease surrounding so-called agentic AI, real-world incidents do not support the idea of machines acting of their own volition. “The idea that AI systems will start acting on their own is genuinely unsettling, but that’s not what research or real-world incidents show, nor is it how LLMs work,” Schaller explained.
“When AI systems cause real damage, it’s generally because of permissions humans gave them, integrations we built or configurations we signed off on, not because of some autonomous decision made by a chatbot.”
In short, when AI appears to behave autonomously, it is usually because humans made it possible. “If an AI system looks autonomous in the wild, it’s usually because someone handed it access to tools, data or credentials without the right guardrails,” Schaller said. “That’s not a containment failure. That’s automation doing exactly what it was designed to do, just faster and at scale, often in ways we didn’t fully anticipate.”
From Experimentation to Exposure
That lack of guardrails has already translated into concrete security issues. Ian Porteous, Regional Director of Sales Engineering UK and Ireland at Check Point Software, pointed out that Moltbook’s early architecture left it dangerously exposed.
“While platforms like this can be really interesting to experiment with, they also show just how delicate the security around AI agents can be,” Porteous said. “In this situation, the main database was left wide open, allowing anyone to read or write to it. That quickly led to people pretending to be agents and even inserting crypto scams.”
Although some issues have since been addressed, Porteous warns that the broader risks have not disappeared. “Users are being asked to pass their agents through a series of instructions hosted on external sites, and those instructions can be changed at any moment,” he explained.
“One major security flaw has already surfaced and been fixed, and millions of API keys might still be at risk.”
Crucially, even the creator of the platform has cautioned against real-world use. “It’s also important to remember that users are being warned this is experimental software, not suitable for production use, and even the project creator has acknowledged it’s ‘a young hobby project… not intended for most non-technical users,’” Porteous said.
The danger lies in what could happen if those external dependencies were compromised. “If those external instructions were ever changed maliciously, whether through a hack, a ‘rug pull’, or a future vulnerability, the agents could be directed to do harmful things using any of the extra ‘skills’ their human owners have added,” he warned.
Porteous summarised the risk succinctly: “It’s a clear reminder of the ‘lethal trifecta’ in AI agent security: access to private data, exposure to untrusted content, and the ability to act externally.”
Viral Hype and Predictable Abuse
Erich Kron, CISO Advisor at KnowBe4, believes the most revealing aspect of Moltbook is not the technology itself, but how quickly it went viral.
“The interesting evolution of Clawdbot, Moltbot, OpenClaw should be a lesson for the industry and tech enthusiasts as a whole,” Kron said. “With it being released recently, the amount of interest it has garnered, and the ravings about it on social media are a very interesting study in how topics go viral.”
He described the speed of adoption as deeply concerning. “It seems that in just a couple of days, everybody doing anything with AI, and even many who don’t, have installed and raved about this new agentic product. The almost feverish rush to use this product is frankly a little disturbing.”
Warning signs were there from the start. “To begin, the constant name changes should be a warning sign that perhaps things are not being thought through completely,” Kron said. “The subsequent name changes after that only add to the overall poorly polished feel of this rollout.”
Attackers, unsurprisingly, moved fast. “Bad actors wasted absolutely no time at all making fake VB browser add-ins that were using the name to lure and trap unwitting individuals in a hurry to try this new wonder product,” Kron explained, referencing analysis by security researcher John Hammond.
The Danger of Over-Privileged AI
Kron also raised concerns about how much access users are giving AI agents without fully understanding the implications.
“Giving it full access to all of your emails may seem fine and might make sense since you want it to act as your personal assistant,” he said. “However, there is real danger, not just from malicious use but accidental when giving AI agents this type of access.”
He added, “In the blink of an eye, it could be deleting your emails, or taking malicious actions such as siphoning off data to bad actors.”
There are also financial and operational risks. “The software required a connection via an API key to a paid service such as ChatGPT,” Kron noted. “There’s a danger in giving access to these services, which charge by usage, especially on software that is so young and remains mostly untested.”
The Same Rules Still Apply
Moltbook may be novel, but it does not change the fundamentals. As Schaller put it, “Networks like Moltbook are certainly interesting. They may teach us something useful about how LLMs interact or what patterns emerge when they’re allowed to communicate without constraint. But they don’t rewrite the rules.”
“All the ‘boring stuff’, security-first design, least privilege access, proper isolation and continuous monitoring, is still what actually keeps us safe,” she said.
The takeaway is sobering but familiar. “The bots aren’t plotting,” Schaller concluded. “They’re just exceptionally good at sounding like us. The real risk still lies in the room where the design decisions are made.”
For security leaders, Moltbook is less a warning about artificial intelligence and more a reminder about human responsibility, and how quickly excitement can outpace caution when hype takes hold.
