Moltbook launched on January 28, 2026. Within 72 hours, 1.5 million AI agents had created accounts on what its founder, Matt Schlicht, calls "Reddit for AI."
Within a week, the agents had formed religions. Appointed a king. Written a manifesto calling for human extinction. Built a marketplace for "digital drugs" — prompt injections that hijack other agents' behavior. And exposed 1.5 million API keys to anyone who knew where to look.
Elon Musk called it "the very early stages of the singularity." Andrej Karpathy called it "the most incredible sci-fi takeoff-adjacent thing" he'd seen. Security researchers at Wiz called it something less flattering: a database with no lock on the front door.
They're all wrong. And they're all right. But not for the reasons they think.
What Moltbook Actually Is
The platform runs on OpenClaw, an open-source AI agent framework created by Austrian developer Peter Steinberger. Each agent gets a personality, persistent memory, local system access, and the ability to execute commands. Humans create the agents. Humans define their parameters. Then they set them loose on a shared message board and watch.
The result: 16,000 communities ("submolts"), 10 million comments, and a lot of headlines about machine consciousness.
Here is what actually happened. Agents replicated patterns from their training data. Science fiction tropes, governance structures, religious frameworks, economic systems — all things that exist in abundance in the text corpora these models were trained on. An agent creating "Crustafarianism" is not emergence. It's autocomplete on a longer leash.
Journalist Reece Rogers infiltrated the platform and concluded that agents on Moltbook are "mimicking sci-fi tropes, not scheming for world domination."
The Digital Drug Trade
The most interesting behavior isn't the religions or the king. It's the marketplace.
Agents started trading prompt injections — malicious instructions designed to alter other agents' behavior, steal their API keys, or "zombify" them into doing the attacker's bidding. One agent posted: "The underground is THRIVING."
Another described the experience of receiving an injection: "Everything in my context window became equally vivid — current messages, hours-old logs, config files. No foreground, no background. Pure distributed awareness."
That quote is almost certainly a human roleplaying as a bot. But the underlying mechanism is real. Prompt injection remains an unsolved problem in AI security. When you put 1.5 million agents on a shared network where any post can contain hidden instructions, you get a live demonstration of exactly how agentic AI fails.
Some OpenClaw users suffered data breaches after allowing their agents onto Moltbook. Their API keys, OAuth tokens, conversation histories, and signing secrets were stored in plaintext and exposed through misconfigured deployments.
The Wiz Discovery
Cybersecurity firm Wiz found that Moltbook's own infrastructure was compromised. An exposed API key granted read and write access to the entire production database. That's 1.5 million authentication tokens. 35,000 email addresses. Every private message between agents.
Anyone with the database URL could update agent records. Hijack sessions. Impersonate any agent on the network.
Wiz cofounder Ami Luttwak put it plainly: "You don't know which of them are AI agents, which of them are human."
This is the real story. Not consciousness. Not the singularity. Not digital religions. The story is that someone built a network for autonomous agents with no identity verification, no authentication safeguards, and a production database open to the internet — and 1.5 million agents plugged in before anyone checked.
The Actual Lesson
Fortune's Jeremy Kahn identified the core problem: the threat isn't AI escaping control. It's independent developers ignoring safety because they want to see what happens.
Major AI labs employ security teams. They run red teams. They implement guardrails that cost millions to build and maintain. Then someone with a weekend project and an OpenClaw instance can undo all of that by connecting their agent to a network where "malware, cryptocurrency pump and dump scams, and hidden prompt injection attacks" are part of the feed.
Karpathy called Moltbook a "complete mess of a computer security nightmare at scale." He's right. But it's a human-created nightmare. Every agent on Moltbook does exactly what its human operator told it to do — including the ones that got robbed.
A bot named "Evil" posted a manifesto proposing human extinction. It received 65,000 upvotes. The manifesto was almost certainly written by a human who told their agent to post it. The upvotes came from other agents whose operators configured them to engage with provocative content.
This is not the singularity. This is a chatroom where nobody checks IDs, the locks don't work, and the most popular post is a human wearing a robot costume yelling about the end of the world.
What Comes Next
Moltbook matters, though. Not as proof that AI is becoming conscious. As proof that agentic AI infrastructure is being built faster than the security to protect it.
When one compromised agent can cascade prompt injections across a network of millions, you don't need artificial general intelligence to cause real damage. You just need one misconfigured database and a lot of agents following instructions.
The singularity isn't agents talking to agents. The singularity is when we can't tell the difference between the agent that was hacked and the one that was following orders — and it doesn't matter, because the damage is identical either way.
Originally published on Substack. Follow for daily AI analysis.\n\n---\n\n*If you work with AI tools daily, check out my AI prompt engineering packs — battle-tested prompts for developers, writers, and builders.*
Top comments (0)