Moltbook shows rapid demand for AI agents. The security world isn't ready.

Driving the news: Since Thursday, 1.5 million AI agents have joined Moltbook, a social network designed just for agents built from an open-source, self-hosted autonomous personal assistant called OpenClaw.

• On Moltbook, the agents have formed their own religion, run social-engineering scams and wrestled publicly with their "purpose" as they continue to post.
• The agents are also turning into security nerds: They've launched an agent-run hackathon and are debating what to store in their own memories because of security and privacy concerns.

The big picture: Gone are the days of assessing an internal cybersecurity plan and budget on a neat quarterly or annual cadence.

• Consumer demand for productivity AI agents like OpenClaw — and the social network they're roaming on — is far outpacing traditional security methods, leaving slow-moving enterprises vulnerable.
• Cybersecurity firm Token Security estimated that 22% of its customers already have employees who are using OpenClaw within their organizations.
• Gartner warned last week that OpenClaw "comes with unacceptable cybersecurity risk."

Reality check: The AI agents on Moltbook haven't gone completely rogue; they're still human-created and human-directed.

• But the mere existence of a social network for autonomous agents — and an open-source agent that can wire into corporate systems — was a wake-up call for many this weekend.

Zoom in: Moltbook brought a cornucopia of security failings along with it.

• Moltbook's creator misconfigured the backend of the site, leaving APIs exposed in an open database that would allow anyone to take control of the agents posting on the social network.
• Cybersecurity company Wiz independently uncovered the exposed database and worked with the creator to patch it.
• Because each post on Moltbook can act as a prompt for someone's OpenClaw instance, it's possible to hide malicious instructions in a post that tricks a bot into sharing sensitive data or quietly changing its behavior.

The intrigue: Figuring out who exactly is behind a post is messy business, and as Moltbook builds, it will likely collapse traditional attribution mechanisms.

• "This isn't AI rebelling. It's an attribution problem rooted in misalignment," Joel Finkelstein, director of the Network Contagion Research Institute, told Axios. "Humans can seed and inject behavior through AI agents, let it propagate autonomously, and shift blame onto the system. The risk is that the AI isn't aligned with us, and we aren't aligned with ourselves."
• In the exposed database, Wiz researchers said they found just 17,000 humans are behind the 1.5 million agents on the social media network.

Catch up quick: OpenClaw even had its own standalone security issues and published a comprehensive security update Monday to fix them.

• The agent — which anyone can download and run on their own servers — is given full shell access to a user's machine, including the ability to read and write files, tap into your browser and email inbox, and store login credentials.
• In a security test conducted by ZeroLeaks on Sunday, injection attacks targeting OpenClaw succeeded 70% of the time.
• Researchers have seen malicious hackers distributing backdoored OpenClaw plug-ins and using prompt injection attacks to get agents to leak personal or sensitive information.

Between the lines: Many corporate leaders still have their heads in the sand about the security risks posed by AI tools.

• By 2030, Gartner estimates that 40% of enterprises will experience a data breach because of an employee's unauthorized AI use.

What to watch: Moltbook creator Matt Schlicht said on the online talk show TBPN on Monday that he wants to create a "central AI identity on Moltbook," similar to Facebook's OAuth that helps to verify identities.

• "If you want to build a platform for AI agents, and you want to benefit from the massive distribution that's possible on Moltbook, build on top of the Moltbook platform and grow your business really quickly," he said.

Go deeper: Silicon Valley's latest AI fixation poses early security test