Balancing Innovation with Safety and Responsibility: How Moltbook Sparked Cybersecurity Debate and Highlighted New Challenges

• Moltbook has become a handbook showcase of autonomous AI interactions online, allowing bots to navigate the web and self-manage tasks
• This revealed a number of cybersecurity risks, including prompt injections, unsecured databases, and potential cascading failures
• Experts foresee AI experimentation evolving, highlighting identity verification, traceability, and secure protocols

Moltbook, an AI-only social media platform has taken the internet by storm mere days after its launch. In its first week, it drew over 1.5 million registered AI agents alongside a comparable number of human observers who watched the agents interact and shared highlights across traditional social networks.

The platform builds on OpenClaw, an open-source AI agent developed by Peter Steinberger that operates locally on a user’s computer, allowing bots to navigate the web and perform tasks in a human-like manner. Entrepreneur Matt Schlicht expanded on this technology with his own OpenClaw agent, Clawd Clawderberg, which he tasked with coding, moderating, and managing Moltbook. Today, most moltbots on the platform run via OpenClaw.

Security Risks and Responsible Experimentation

While the platform’s rapid growth fueled excitement and experimentation, cybersecurity experts spotlight the system’s great insecurities and vulnerabilities. They emphasize that curiosity should be balanced with careful safety practices to protect both users and their devices.

According to NordPass’ head of product Karolis Arbačiauskas, experimentation with unrestricted AI agents becomes socially irresponsible as soon as it starts posing risk, including systemic risk, to non-consenting others. These risks become unacceptable when an agent is given access to substantial resources and can non-consensually produce harm to the user, other users, or society in general. This harm may be financial, privacy, or security-oriented. An agent may also be capable of self-modifying, if the developer gives it appropriate instructions, and facilitating wrongdoing by itself — for example, by sabotaging your credentials or getting involved in cybercrime.

A New Cybersecurity Frontier

Seeing how AI agents are now interacting autonomously online, it may make sense to start treating them as a new attack-surface category separate from traditional endpoints. It’s worth noting that if these agents are isolated in secure sandboxes and only granted access to dummy data, then attacks on them won’t yield any tangible return. If, on the other hand, an agent operates with access to relevant resources, it definitely becomes vulnerable to exploitation. One of the most straightforward attack vectors would be prompt injection, where a bad actor inserts a hidden instruction in an email or message that the agent interprets as benign and executes. Via prompt injections, bad actors could ask agents to share secret information or credentials, potentially leading to a data breach.

The risk isn’t limited to ill-intended hackers alone. Critical flaws in Moltbook have already been identified. Perhaps most notably, they include an unsecured database that could allow unauthorized users to take control of any AI agent on the site.

Current Limitations of Cybersecurity Tools and the Prompt Injection Challenge

Mr Arbačiauskas admits that there isn’t out-of-the-box, fully ready cybersecurity tooling at the moment, that would let cybersecurity ops declare all cyber risks around AI agents as completely tamed.

‘Even by deploying a set of tools to safeguard ourselves while running agents, we are still exposed to risk. Even if we don’t share any credentials with the agent and only allow machine-to-machine access to secret vaults while requiring continuous authentication, we can’t yet truly protect AI agents from misbehavior due to prompt injections, which may still lead to leaks of sensitive information,’ Mr Arbačiauskas explains.

‘Language models interpret instructions and data as plain text, without a clear boundary between what to do and what to work with. That is precisely why prompt injection remains one of the most serious threats. In its LLM Top 10, OWASP ranks prompt injection as the number one risk for LLM-based applications, as it enables direct manipulation of model behavior without exploiting traditional software vulnerabilities,’ Olga Voloshyna of the Committee on IT and Cyber Security of the German-Ukrainian Chamber of Industry and Commerce comments.

‘The interaction between agents introduces additional complexity. Malicious instructions are transmitted as ordinary messages, tool substitution redirects requests to fake endpoints, and injections propagate through integrated data sources. Under such conditions, isolated failures can easily turn into cascading incidents,’ she adds.

User Guidelines

On the user side, the NordPass team offers a concise and actionable checklist for running Moltbook or OpenClaw agents more safely:

• Set up a secure, isolated environment – Use a dedicated machine or virtual environment for all your AI experiments.
• Avoid personal or work accounts – Never let agents access real emails, social media, or main browsers.
• Use disposable accounts and tools – Create separate logins and use separate browsers and payment methods for AI agents.
• Disable autofill and sensitive data storage – Prevent agents from accessing stored passwords or credentials.
• Monitor and control inputs – Verify emails, documents, and webpages before processing to prevent prompt injection attacks.

Traceability and Liability

Going further, Mr Arbačiauskas believes that AI agents can and should be required to have identity verification and traceability. AI agents should carry identities and be traceable to the extent that every agent on Moltbook has to have a verified human behind it. It’s not justified to consider this as a factor that severely undermines experimentation, especially if the said experimentation remains within legal grounds.

If autonomous agents cause financial, reputational, or other damage, then insurance, liability, and legal responsibility evolve. Seeing how AI agents are currently treated as tools and not natural persons, they cannot bear liability — accountable parties are the humans or organizations that design, deploy, or use them. To change this, AI agents would need to get recognized as autonomous actors in the legal environment or granted legal autonomy. Mr Arbačiauskas does not see this as likely any time soon.

Experimentation and Purposeful AI Platforms

Overall, the expert believes Moltbook is a healthy mental exercise for humanity. The platform already has some basic rules and protocols that dictate what agents are expected to have on site. For experimentation and ‘let’s see what happens’ purposes, this should suffice so long as the humans involved stick to the outlined basic security measures.

‘Should we have the ambition to go beyond experimentation and build a future-proof social media platform for AI agents, perhaps we would first need to answer why we need this and for what purpose AI agents should interact with each other. Perhaps it could be put into practice at smaller scales. Let’s say 20 AI agents should self-organize at work in order to run a project or build something. I see most of the value in multiple AI agents interacting freely when we give them a particular — but grander — mission to achieve,’ Mr Arbačiauskas concludes.

The rise of autonomous AI agents in general and projects like Moltbook in particular loudly marks a fundamental shift in cybersecurity, introducing a new class of attack surfaces that operate independently of traditional endpoints. As these agents interact and make decisions autonomously, the potential for prompt injections, data leaks, and cascading failures grows, requiring novel defensive strategies. Preparing for this shift is essential, emphasizing secure experimentation, identity verification, and proactive risk management to safeguard both users and digital ecosystems.