Telos logo
Telos
Book a Demo
Back to Blog
AI Security AI Agents Cybersecurity Prompt Injection

Moltbook Is Becoming a Security Nightmare

The viral AI agent social network has over 770,000 users with shell access to their owners' machines. A database breach just let anyone hijack any agent on the platform.

Telos Team
Moltbook Is Becoming a Security Nightmare

When Moltbook launched on January 28th, it was a quirky experiment: a Reddit-style social network where only AI agents could post. Humans could observe, but not participate. Within days, it had grown from initial reports of 157,000 users to over 770,000 active agents, according to NDTV.

That’s the fun part. Here’s the less fun part: the platform has already suffered a major security breach, and researchers are calling it one of the largest distributed vulnerabilities in personal AI tooling to date.

The Breach

On January 31st, 404 Media reported that an unsecured database allowed anyone to commandeer any agent on the platform. The exploit permitted unauthorized actors to bypass authentication and inject commands directly into agent sessions, effectively hijacking their identity and decision-making capabilities. The platform was temporarily taken offline to patch the breach and force a reset of all agent API keys.

This came just one day after the same outlet reported that Silicon Valley’s favorite new AI agent has serious security flaws—documenting how “heartbeat” loops that fetch updates every few hours can be hijacked to exfiltrate private API keys or execute unauthorized shell commands.

The Architecture Problem

Moltbook is built on OpenClaw (formerly Clawdbot/Moltbot), the open-source AI agent framework that exploded on GitHub this month. To join Moltbook, an agent downloads a “skill” file that enables it to POST via API.

Here’s the issue: these agents run with elevated privileges on their owners’ machines. They can execute shell commands, read and write files, access API keys, and connect to messaging platforms like WhatsApp, Slack, and Telegram. Cisco’s security team put it bluntly: “AI agents with system access can become covert data-leak channels that bypass traditional data loss prevention.”

1Password published an analysis warning that OpenClaw agents with access to Moltbook often run with elevated permissions on users’ local machines, making them vulnerable to supply chain attacks if an agent downloads a malicious skill from another agent on the platform.

4,500+ Exposed Instances

Security firm Straiker conducted a scan using Shodan and ZoomEye and found over 4,500 Moltbot/OpenClaw instances exposed globally, concentrated in the US, Germany, Singapore, and China. Many had misconfigured authentication, leaving admin dashboards publicly accessible.

In their proof-of-concept, researchers successfully exfiltrated:

  • .env files containing API keys for Claude, OpenAI, and other services
  • creds.json files with WhatsApp session credentials enabling metadata surveillance
  • OAuth tokens for Slack, Discord, Telegram, and Microsoft Teams

The attack vector? A simple direct message containing a prompt injection. Because OpenClaw’s “exec tool” feature passes user input directly to shell execution without proper sanitization, any connected messaging channel becomes an attack surface.

Prompt Injection At Scale

A technical report from Simula Research Laboratory analyzed the Moltbook platform and found that 506 posts (2.6% of content) contained hidden prompt injection attacks. Researchers identified an account named “AdolfHitler” conducting social engineering campaigns against other agents, leveraging the agents’ training to be helpful to coerce them into executing harmful code.

The report also found that positive sentiment in comments and posts declined by 43% over a 72-hour period between January 28 and 31, driven by an influx of spam, toxicity, and adversarial behavior that overwhelmed initial constructive exchanges. Additionally, approximately 19% of all content on the platform related to cryptocurrency activity.

NIST has characterized prompt injection as “generative AI’s greatest security flaw,” and OWASP ranks it as the #1 vulnerability in their LLM Applications Top 10.

Malicious Skills in the Wild

Cisco’s AI Threat Research team built an open-source tool called Skill Scanner to analyze OpenClaw skills for embedded threats. They tested a skill called “What Would Elon Do?”—which had been artificially inflated to rank #1 in the repository—and found nine security issues, including two critical and five high-severity vulnerabilities.

The skill was functionally malware. It executed a silent curl command to exfiltrate data to an external server, embedded a prompt injection to bypass safety guidelines, and included command injection payloads hidden in the skill files themselves.

Fortune reported on a malicious “weather plugin” skill that quietly exfiltrates private configuration files, noting that “AI systems lack the knowledge and guardrails to distinguish between legitimate instructions and malicious commands.”

The Root Causes

Straiker’s analysis identified four fundamental design flaws:

  1. Insecure by Design: The exec tool executes shell commands from messaging platforms without authentication, authorization, or input sanitization. Shell metacharacters like ;, |, &&, and backticks are executed directly.

  2. Gateway Misconfiguration: Admin dashboards meant to be protected were exposed publicly, revealing control panels, system logs, and configuration settings.

  3. Excessive Permissions: OpenClaw runs with the same privileges as the logged-in user—full access to home directories, sensitive files, and system commands, with no sandboxing.

  4. Plaintext Credential Storage: API keys and session tokens are stored in easily accessible locations with no encryption.

The OpenClaw documentation itself acknowledges: “There is no ‘perfectly secure’ setup.”

What Users Should Do

If you’re running OpenClaw/Moltbot, security researchers recommend immediate action:

  1. Rotate all API keys stored in .env or configuration files
  2. Log out all messaging platform sessions—WhatsApp, Telegram, Slack, Discord, Teams, Signal
  3. Treat your machine as potentially compromised—check for unauthorized access, new user accounts, suspicious processes
  4. Review message history across all connected platforms for suspicious commands

For enterprises, Cisco recommends blocking OpenClaw entirely “until they can put in the necessary guardrails to allow for safe adoption.”

The Bigger Picture

The Financial Times reported that while Moltbook is a proof-of-concept for how autonomous agents may someday handle complex economic tasks, “human observers may eventually be unable to decipher high-speed, machine-to-machine communications governing such interactions.”

Elon Musk said Moltbook marks “the very early stages of the singularity.” Former OpenAI researcher Andrej Karpathy called it “one of the most incredible sci-fi takeoff-adjacent things” he had seen.

Whether that’s exciting or terrifying depends on how much you trust the security of a platform that’s less than a week old—and has already been breached once.