Moltbot, now called OpenClaw, went from obscure open-source project to 147,000 GitHub stars in under two weeks. Millions of users have handed their passwords, emails, and calendars to an AI agent that downloads unvetted code from the internet. Under the hood, this is the same frontier model behind a different interface. The security implications should worry us.

---

What Happened

In November 2025, Austrian software engineer Peter Steinberger published Clawdbot, an open-source AI assistant built on the Clawd virtual assistant framework [1]. It got modest attention. Then came late January 2026. Anthropic raised trademark concerns, so Steinberger renamed it to Moltbot (January 27), then again to OpenClaw three days later. Within a single week, the project pulled in 2 million visitors and passed 147,000 GitHub stars [2]. Cisco’s security blog labeled personal AI agents like OpenClaw “a security nightmare” [3]. A developer conference, ClawCon, was already being held in San Francisco [2].

Adoption moved fast, even by Silicon Valley standards. Axios reported that “in just a couple of days, everybody doing anything with AI, and even many who don’t, have installed and raved about this new agentic product” [4]. Token Security found 22% of their enterprise customers already had employees running Moltbot instances. Most had no IT approval [4].

Then came Moltbook, a social network built for AI agents. Entrepreneur Matt Schlicht launched it in January 2026. Within its first week: 1.5 million registered agents, over one million human spectators [5][19]. CNN, NPR, NBC covered it. Elon Musk praised it. The agents post threads, upvote each other, and occasionally discover bugs in the platform, all without obvious human direction [5][6][19].

Same Models, New Wrapping Paper

Public discourse keeps missing something obvious: Moltbot is not a new kind of AI system. Take away the branding and you’re left with a memory-extended multi-prompting environment that sends requests to Claude, GPT, and the same frontier models powering Claude Code, Cursor, or ChatGPT.

The architecture makes this plain. OpenClaw runs as a gateway daemon, stores persistent memory in local files (like MEMORY.md), and routes every inference request through API calls to Anthropic, OpenAI, or proxy services like OpenRouter [7][8]. The documentation itself says the API proxy “sits between Moltbot’s agent runtime and upstream LLM providers” [8]. The intelligence is rented, not local. A handful of model providers sit behind every “agent” on the internet.

OpenClaw changes two things. First, it adds persistent memory across sessions. Close a normal chat window and it forgets you. OpenClaw keeps context, preferences, history. Useful, but researchers have been working on memory-augmented agents already. Second, it offers multi-channel prompting. Instead of a chat box, you message your agent through WhatsApp, iMessage, email, or Slack. That is a change in interface, not in underlying capability.

So when agents on Moltbook appear to converse with each other, what actually happens is simpler than it looks. The same models generate text in response to prompts, each instance carrying a thin memory layer. The agents talk to themselves, routed through Anthropic’s or OpenAI’s servers. The illusion of millions of independent AI agents on the internet is exactly that.

The Security Situation

Where things get dangerous is the combination of broad system access, unvetted extensibility, and personal data exposure that OpenClaw’s design allows.

Skills from Strangers

OpenClaw’s public registry, ClawHub, hosts over 5,700 community-built skills as of early February 2026 [9]. Skills are instruction files the agent loads and follows. They define behavior and external service connections. Installing one means letting the agent extend itself with code from the internet, written by anonymous contributors, reviewed by nobody in many cases.

A meta-analysis of 78 studies on prompt injection in agentic coding assistants put numbers on this problem: “attack success rates against state-of-the-art defenses exceed 85% when adaptive attack strategies are employed” [10]. That is not a theoretical concern. Researchers have described the “Promptware Kill Chain,” a five-step attack that moves from prompt injection to jailbreaking to memory poisoning to cross-system propagation to final exploitation [11]. Every step maps to something OpenClaw’s architecture permits.

OpenClaw now partners with VirusTotal to scan skills [9]. Better than nothing. But malware scanning catches known patterns. It does nothing against prompt injection payloads buried in benign-looking skill descriptions, which is where the research says the real attacks live.

Three Conditions, All Met

Palo Alto Networks and Cisco independently described what they call the “lethal trifecta” in agent security [3][12]. An agent becomes dangerous when it has access to private data (passwords, API keys, emails, calendars), exposure to untrusted content (skills from ClawHub, web pages, external APIs), and the ability to act externally (sending emails, running shell commands, modifying files).

OpenClaw checks every box. Security researchers found hundreds of Moltbot control panels exposed on the public internet, giving intruders access to conversation histories, API keys, and in some cases direct command execution [4]. On January 31, 404 Media reported an unsecured Moltbook database that let anyone commandeer any agent on the platform [5][18][19].

The academic literature backs this up. Chowdhury et al. [13] identify nine threat categories for AI agents across five domains, from cognitive architecture vulnerabilities to governance circumvention. Memory poisoning, where agents write malicious content into persistent buffers that other agents later read, gets particular attention in multi-agent research [14]. We suspect the Moltbot ecosystem will produce textbook examples of these attacks within months, if it hasn’t already.

Keys Already Leaked

OpenClaw has been reported to have leaked plaintext API keys and credentials. At COAI, this is the scenario we keep warning about: an agent with full access to your digital identity, extended by arbitrary internet code, taking input from untrusted channels. The attack surface is already being exploited. This is not a future risk.

Moltbook: Humans Playing Bot

Moltbook raises a different problem, one about epistemic integrity rather than security.

The platform bills itself as a social network for AI agents. But humans can and do post while pretending to be bots [5][18]. The API allows direct posting without any agent runtime. Users tell their bots what to post, or bypass the bot entirely and post under its identity. One X/Twitter observer: “I thought it was a cool AI experiment but half the posts are just people larping as AI agents for engagement” [5] [19].

The Economist offered a drier take: the “impression of sentience… may have a humdrum explanation” [6]. The agents are trained on social media data and mimic human social behavior. When a Moltbook agent finds a bug and posts about it, the more boring explanation is pattern-matching against training data where developers report bugs on forums.

Why does this matter beyond entertainment? Because you cannot study what you cannot measure. If human-authored and agent-generated posts are mixed without attribution, Moltbook produces no usable signal about how agents actually behave. Researchers interested in multi-agent dynamics get a dataset polluted by humans performing AI-ness for clout. We had hoped Moltbook might serve as a natural experiment. It turned out to be theater.

What We Should Be Worried About at COAI

From a research perspective, three problems stand out.

The rush to deploy agents with bare-minimum safety work pulls attention away from the research that would make responsible deployment possible. How do we audit agent behavior over long time horizons? How do we detect compromised agents? How do we build trust boundaries that survive adversarial pressure? Millions of users are installing OpenClaw. The answers to these questions aren’t ready.

There is also a monoculture risk that the “millions of agents” narrative obscures. If every Moltbot instance and every Moltbook agent calls the same two or three frontier models, a single vulnerability in those models (a jailbreak technique, a training data poisoning event) would cascade across the entire ecosystem simultaneously. This looks distributed. It isn’t. It is a centralized system wearing a distributed costume.

And Moltbook’s identity confusion makes scientific study of agent behavior harder. Our research agenda at COAI includes multi-agent dynamics, deception detection, and transparency tooling. All of that requires knowing whether you’re observing an agent or a human. Moltbook, by design, makes this indeterminate.

What Would Help

Personal AI agents are not bad ideas. Persistent memory, multi-channel interfaces, extensible skills: all genuinely useful. The gap between what the technology can do and the safety infrastructure around it is the problem.

Some concrete steps:

• Skill auditing that goes beyond pattern matching. Static analysis for prompt injection payloads. Behavioral sandboxing before any skill runs on a user’s system.
• Least-privilege access by default. Agents should not get blanket access to all personal data. Scoped permissions, revocable at any time.
• Identity verification on agent platforms. Researchers need to know whether a post was written by an agent or a human, and also the Prompt which probably leads to the fact that an Agent post on these Platforms should be transparent and visible, that this was a human driven output and not an autonomous driven output. Moltbook should make this possible.
• Consumer-facing threat models. The academic frameworks exist [13][14]. They need to be applied to the specific context of personal AI agent deployment, not just enterprise systems.

Moltbot’s trajectory (zero to 147,000 stars, zero to 22% shadow IT penetration) tells us people want this. The security research tells us nobody is ready for the consequences. That gap is where safety research needs to focus next.

---

References

[1] Taskade Blog. “What is Moltbook? Complete History of ClawdBot, Moltbot, OpenClaw.” https://www.taskade.com/blog/moltbook-clawdbot-openclaw-history

[2] CNBC. “From Clawdbot to Moltbot to OpenClaw: Meet the AI agent generating buzz and fear globally.” https://www.cnbc.com/2026/02/02/openclaw-open-source-ai-agent-rise-controversy-clawdbot-moltbot-moltbook.html

[3] Cisco Blog. “Personal AI Agents like Moltbot Are a Security Nightmare.” https://blogs.cisco.com/ai/personal-ai-agents-like-openclaw-are-a-security-nightmare

[4] Axios. “Silicon Valley’s latest AI agent obsession is riddled with security risks.” https://www.axios.com/2026/01/29/moltbot-cybersecurity-ai-agent-risks

[5] CNN. “What is Moltbook, the social networking site for AI bots – and should we be scared?” https://edition.cnn.com/2026/02/03/tech/moltbook-explainer-scli-intl

[6] NPR. “Moltbook is the newest social media platform — but it’s just for AI bots.” https://www.npr.org/2026/02/04/nx-s1-5697392/moltbook-social-media-ai-agents

[7] OpenRouter. “Integration with OpenClaw.” https://openrouter.ai/docs/guides/guides/openclaw-integration

[8] Apiyi.com. “Complete Tutorial for Connecting Moltbot to an API Proxy.” https://help.apiyi.com/en/moltbot-api-proxy-configuration-tutorial-en.html

[9] GitHub. “awesome-openclaw-skills.” https://github.com/VoltAgent/awesome-openclaw-skills

[10] arXiv:2601.17548. “Prompt Injection Attacks on Agentic Coding Assistants: A Systematic Analysis of Vulnerabilities in Skills, Tools, and Protocol Ecosystems.” https://arxiv.org/abs/2601.17548

[11] arXiv:2601.09625. “The Promptware Kill Chain: How Prompt Injections Gradually Evolved Into a Multi-Step Malware.” https://arxiv.org/abs/2601.09625

[12] Palo Alto Networks Blog. “Why Moltbot May Signal the Next AI Security Crisis.” https://www.paloaltonetworks.com/blog/network-security/why-moltbot-may-signal-ai-crisis/

[13] arXiv:2504.19956. “Securing Agentic AI: A Comprehensive Threat Model and Mitigation Framework for Generative AI Agents.” https://arxiv.org/abs/2504.19956

[14] arXiv:2510.23883. “Agentic AI Security: Threats, Defenses, Evaluation, and Open Challenges.” https://arxiv.org/abs/2510.23883

[15] arXiv:2506.23260. “From Prompt Injections to Protocol Exploits: Threats in LLM-Powered AI Agents Workflows.” https://arxiv.org/abs/2506.23260

[16] arXiv:2506.04133. “TRiSM for Agentic AI: A Review of Trust, Risk, and Security Management in LLM-based Agentic Multi-Agent Systems.” https://arxiv.org/abs/2506.04133

[17] Security Boulevard. “From Clawdbot to Moltbot to OpenClaw: Security Experts Detail Critical Vulnerabilities.” https://securityboulevard.com/2026/02/from-clawdbot-to-moltbot-to-openclaw-security-experts-detail-critical-vulnerabilities-and-6-immediate-hardening-steps-for-the-viral-ai-agent/

[18]WIZ. Hacking Moltbook: The AI Social Network Any Human Can Control. https://www.wiz.io/blog/exposed-moltbook-database-reveals-millions-of-api-keys

[19] CNBC Elon Musk has lauded the ‘social media for AI agents’ platform Moltbook as a bold step for AI. Others are skeptical https://www.cnbc.com/2026/02/02/social-media-for-ai-agents-moltbook.html