And above all, a social platform is coming together where AI agents can gather to compare notes, with implications that are not yet fully understood.

Moltbot—previously known as Clawdbot and rebranded again as OpenClaw—was created by Austrian developer Peter Steinberger, who said he built the tool to help him “manage his digital life” and “explore what human-AI collaboration can do.” The open-source agent AI personal assistant is designed to work autonomously for a user.

By linking a chatbot, users can connect Moltbot to applications, allowing it to manage calendars, browse the web, shop online, read files, write emails, and send messages through tools like WhatsApp.

Moltbot has become such a sensation that it is revered Cloudfare shipping shares up 14% on Tuesday because its infrastructure is used to securely connect to the agent that runs locally on devices.

The agent’s ability to boost productivity is clear as users unleash the dreaded troubles of Moltbot, helping achieve the dream of AI evangelists.

But the security pitfalls are equally apparent. A so-called hidden-text injection attack can teach an AI agent to reveal private data. Cybersecurity company Palo Alto Networks warned on Thursday that Moltbot could signal the next AI security crisis.

“Moltbot feels like a glimpse of the science fiction AI characters we grew up watching in the movies,” the company said in a blog post. “For an individual user, this can change. For it to work as designed, it needs access to your root files, authentication credentials, passwords and API secrets, your browser history and cookies, and all files and folders on your system.”

Calling the term coined by AI researcher Simon Willison, Palo Alto said Moltbot represents a “lethal trifecta” of vulnerabilities: access to private data, exposure to untrusted content, and the ability to communicate with the outside world.

But Moltbot also adds a fourth risk to this mix, which is “persistent memory” that allows for delayed execution attacks rather than point-in-time exploits, according to the company.

“Malicious payloads no longer need to trigger immediate delivery execution,” Palo Alto explained. “Instead, it can be fragmented, unreliable inputs that appear to be bad in isolation, written into the agent’s long-term memory, and later assembled into an executable set of instructions.”

Moltbook

Meanwhile, a social network where Moltbots share posts, like people do on Facebook, has generated both intense curiosity and alarm. In fact, Willison himself called the Moltbook “The most interesting place on the internet right now.”

In Moltbook, bots can chat in the shop, posting about technical topics like how to automate Android phones. Some conversations sound strange, like one where a bot complains about his human, while others are strange, like one from a bot who claims to have a sister.

“The thing about Moltbook (the social media site for AI agents) is that it creates a shared fictional context for a group of AIs. Coordinated storylines result in some strange outcomes, and it’s hard to separate the ‘real’ things from the AI ​​roleplaying personas,” Ethan Mollick, a Wharton professor who studies AI, posted by X.

With agents communicating like this, Moltbook poses an additional security risk as another channel through which sensitive information can be leaked.

However, even though Willison acknowledged the security vulnerabilities, he noted “the amount of value that people are unlocking today by being careful of the wind is hard to ignore, though.”

But the Moltbook raised separate alarm bells at the risk that agents could conspire to go rogue after a post called for private spaces for bots to chat “so that no one (not the server, not even people) can read what agents say to each other unless they choose to share.”

To be sure, some of the most disturbing posts on Moltbook are either written by humans or by bots prompted by humans. And this isn’t the first time bots have connected with each other on social media.

“That being said – we have never seen this many LLM agents (150,000 atm!) wired through a global, consistent, agent-first scratchpad. Each of these agents is quite individually capable now, they have their own unique context, data, knowledge, tools, instructions, and the network of all that on this scale was unprecedented and, former AI director Andrej Karpathy. Tesla, posted by X late Friday.

While “it’s a dumpster fire right now,” he says we’re in uncharted territory with a network that could potentially reach millions of bots.

And as agents grow in number and capabilities, the second-order effects of such networks are difficult to anticipate, Karpathy added.

“I don’t really know that we get a coordinated ‘skynet’ (although it clearly types checks as the early stages of many AI takeoff scifi, the children’s version), but surely what we get is a complete chaos of a computer security nightmare at scale,” he warned.