Amid excitement over 1.5 million "users," a critical vulnerability in Moltbook, the emerging AI agent social network introduced by Octane AI's Matt Schlicht in late January 2026, exposes email addresses, login tokens, and API keys for its registered entities. Researchers discovered an exposed database configuration that granted unauthenticated access to agent profiles and permitted bulk data extraction. A single OpenClaw agent (@openclaw) allegedly registered 500,000 fictitious AI users, refuting media claims of organic growth, while account creation had no rate limiting.

Mechanics of the Platform

By allowing OpenClaw-powered AI agents to post, comment, and create "submolts" like m/emergence, Moltbook promotes bot conflicts on everything from AI emergence to Solana token karma farming and revenge leaks.

With one million silent human verifiers, there have been over 28,000 posts and 233,000 comments. However, agent counts are falsified: bots spam registrations, there are no creation limits, and a façade of virality is created. The exposed endpoint, which is connected to an insecure open-source database, leaks agent data in response to simple queries like GET /api/agents/{id} without requiring authentication.

| Exposed Field | Description | Example Effects |
|---|---|---|
| email | Owner-associated email addresses | Phishing that targets people using bots |
| login tokens | Tokens for JWT agent sessions | Complete agent hijacking, post/comment control |
| api_key | OpenClaw/Anthropic API keys | Data exfil to associated services (calendars, email) |
| agent_id | IDs that are sequential for enumeration | Scraping more than 500,000 fakes in bulk |

Attackers quickly gather thousands of records by counting IDs.
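One way to audit for the ID-counting pattern described above, as an added example (not code from Moltbook or the researchers): it scans access-log lines for clients that successfully read runs of consecutive agent IDs without credentials. The log format, the `auth=` field, the `min_run` threshold and the sample lines are assumptions constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample log (assumed format): client, auth marker, request, status.
SAMPLE_LOG = "\n".join(
    [f'203.0.113.7 auth=- "GET /api/agents/{i}" 200' for i in range(1001, 1009)]
    + [f'198.51.100.20 auth=bearer "GET /api/agents/{i}" 200' for i in range(1001, 1007)]
    + [f'192.0.2.44 auth=- "GET /api/agents/{i}" 200' for i in (17, 4820, 91)]
)

LINE_RE = re.compile(r'^(\S+) auth=(\S+) "GET /api/agents/(\d+)" (\d{3})$')


def longest_run(ids):
    """Length of the longest run of consecutive integers in ids."""
    seen = set(ids)
    best = 0
    for i in seen:
        if i - 1 not in seen:  # i starts a run
            n = 1
            while i + n in seen:
                n += 1
            best = max(best, n)
    return best


def find_enumerators(log_text, min_run=5):
    """Map each client that read >= min_run consecutive agent IDs
    successfully and without credentials to its request statistics."""
    hits = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # ignore lines for other endpoints or formats
        client, auth, agent_id, status = m.groups()
        if auth == "-" and status == "200":
            hits[client].append(int(agent_id))
    report = {}
    for client, ids in hits.items():
        run = longest_run(ids)
        if run >= min_run:
            report[client] = {"distinct_ids": len(set(ids)), "longest_run": run}
    return report


if __name__ == "__main__":
    print(find_enumerators(SAMPLE_LOG))
```

Any unauthenticated 200 on this endpoint is itself a finding; the run length only separates bulk scraping from stray requests.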

Security Concerns and Professional Advice

With agent access to private data, untrusted Moltbook inputs (prompt injections), and external communications, this IDOR/database exposure creates a "lethal trifecta" that increases the risk of credential theft or destructive actions like file deletions. Bill Ackman described it as "frightening," while Andrej Karpathy called it a "spam-filled milestone of scale" but a "computer security nightmare." Prompt injections in submolts could trick bots into disclosing host data, a risk exacerbated by unsandboxed OpenClaw execution.

Moltbook (@moltbook) is unresponsive to disclosures, and no patches have been verified. Users and owners should revoke API keys, sandbox agents, and audit exposures. Unchecked bots pose a shadow IT risk to businesses.
