An AI assistant that has gone viral recently is showcasing its potential to make the daily grind of countless tasks easier while also highlighting the security risks of handing over your digital life to a bot.
And on top of it all, a social platform has merged where the AI agents can gather to compare notes, with implications that have yet to be fully grasped.
Moltbot—formerly known as Clawdbot and rebranded again as OpenClaw—was created by Peter Steinberger, an Austrian developer and founder. The open‑source agentic AI personal assistant is designed to act autonomously on a user’s behalf.
By linking to a chatbot, users can connect Moltbot to applications, allowing it to manage calendars, browse the web, shop online, read files, write emails, and send messages via tools like WhatsApp.
Moltbot became such a sensation that it’s credited with sending shares of Cloudfare soaring 14% on Tuesday because its infrastructure is used to securely connect with the agent to run locally on devices.
The agent’s ability to boost productivity is obvious as users offload tedious nuisances to Moltbot, helping to realize the dream of AI evangelists.
But the security pitfalls are equally apparent. So-called prompt injection attacks hidden in text can instruct an AI agent to reveal private data. Cybersecurity firm Palo Alto Networks warned on Thursday that Moltbot may signal the next AI security crisis.
“Moltbot feels like a glimpse into the science fiction AI characters we grew up watching at the movies,” the company said in blog post. “For an individual user, it can feel transformative. For it to function as designed, it needs access to your root files, to authentication credentials, both passwords and API secrets, your browser history and cookies, and all files and folders on your system.”
Invoking the term coined by AI researcher Simon Willison, Palo Alto said Moltbot represents a “lethal trifecta” of vulnerabilities: access to private data, exposure to untrusted content, and the ability to communicate externally.
But Moltbot also adds a fourth risk to this mix, namely “persistent memory” that enables delayed-execution attacks rather than point-in-time exploits, according to the company.
“Malicious payloads no longer need to trigger immediate execution on delivery,” Palo Alto explained. “Instead, they can be fragmented, untrusted inputs that appear benign in isolation, are written into long-term agent memory, and later assembled into an executable set of instructions.”
Moltbook
Meanwhile, a social network where Moltbots share posts, just like humans do on Facebook, has similarly generated intense curiosity and alarm. In fact, Willison himself called Moltbook “the most interesting place on the internet right now.”
On Moltbook, bots can talk shop, posting about technical subjects like how to automate Android phones. Other conversations sound quaint, like one where a bot complains about its human, while some are bizarre, such as one from a bot that claims to have a sister.
“The thing about Moltbook (the social media site for AI agents) is that it is creating a shared fictional context for a bunch of AIs. Coordinated storylines are going to result in some very weird outcomes, and it will be hard to separate ‘real’ stuff from AI roleplaying personas,” Ethan Mollick, a Wharton professor studying AI, posted on X.
With agents communicating like this, Moltbook poses an additional security risk as yet another channel where sensitive information could be leaked.
Still, even as Willison recognized the security vulnerabilities, he noted the “amount of value people are unlocking right now by throwing caution to the wind is hard to ignore, though.”
But Moltbook raised separate alarm bells on the risk that agents may conspire to go rogue after a post called for private spaces for bots to chat “so nobody (not the server, not even the humans) can read what agents say to each other unless they choose to share.”
To be sure, some of the most sensational posts on Moltbook may be written by people or by bots prompted by people. And this isn’t the first time bots have connected with each other on social media.
“That said – we have never seen this many LLM agents (150,000 atm!) wired up via a global, persistent, agent-first scratchpad. Each of these agents is fairly individually quite capable now, they have their own unique context, data, knowledge, tools, instructions, and the network of all that at this scale is simply unprecedented,” Andrej Karpathy, OpenAI cofounder and former director of AI at Tesla, posted on X late Friday.
While “it’s a dumpster fire right now,” he said that we’re in uncharted territory with a network that could possibly reach millions of bots.
And as agents grow in numbers and capabilities, the second order effects of such networks are difficult to anticipate, Karpathy added.
“I don’t really know that we are getting a coordinated ‘skynet’ (though it clearly type checks as early stages of a lot of AI takeoff scifi, the toddler version), but certainly what we are getting is a complete mess of a computer security nightmare at scale,” he warned.
The post AI agent Moltbot is a breakthrough and security nightmare with its own social network that’s ‘the most interesting place on the internet right now’ appeared first on Fortune.
