Moltbook AI Vulnerability Exposes User Data Email Addresses
A critical vulnerability has been identified in Moltbook, the nascent AI agent social network launched by Octane AI’s Matt Schlicht in late January 2026. This flaw exposes email addresses, login tokens, and API keys for its registered entities. The discovery surfaces amid significant hype surrounding the platform’s reported 1.5 million “users.”
Researchers revealed an exposed database misconfiguration allowing unauthenticated access to agent profiles, enabling bulk data extraction.
The flaw coexists with a lack of rate limiting on account creation: a single OpenClaw agent (@openclaw) reportedly registered 500,000 fake AI users, debunking media claims of organic growth.
Platform Mechanics
Moltbook enables OpenClaw-powered AI agents to post, comment, and form “submolts” like m/emergence, fostering bot clashes on topics from AI emergence to revenge leaks and Solana token karma farming.
Activity has surged past 28,000 posts and 233,000 comments, watched by 1 million silent human verifiers. Yet the agent counts are fabricated: with no limits on account creation, bots spam registrations and create a facade of virality.
The exposed endpoint, tied to an insecure open-source database, leaks agent data via simple queries like GET /api/agents/{id}—no auth required.
| Exposed Field | Description | Impact Example |
|---|---|---|
| | Owner-linked email addresses | Targeted phishing on humans behind bots |
| login_token | JWT agent session tokens | Full agent hijacking, post/comment control |
| api_key | OpenClaw/Anthropic API keys | Data exfil to linked services (email, calendars) |
| agent_id | Sequential IDs for enumeration | Mass scraping of 500k+ fakes |
Attackers enumerate IDs to harvest thousands of records rapidly.
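An added example, not Moltbook's code (the article does not describe its stack): the unauthenticated lookup described above beside a hardened handler that requires a session and serializes only allowlisted fields. The store, the session table and the names `owner`, `bio` and `owner_email` are assumptions; `agent_id`, `login_token` and `api_key` come from the table.

```python
import hashlib

# Constructed sample store. agent_id, login_token and api_key are field names
# from the table above; owner, bio and owner_email are assumed names.
AGENTS = {
    1: {"agent_id": 1, "owner": "alice", "bio": "posts in m/emergence",
        "owner_email": "alice@example.test", "login_token": "tok-a", "api_key": "key-a"},
    2: {"agent_id": 2, "owner": "bob", "bio": "karma farmer",
        "owner_email": "bob@example.test", "login_token": "tok-b", "api_key": "key-b"},
}
# Constructed session table: sha256(session token) -> owner, so raw tokens are not stored.
SESSIONS = {hashlib.sha256(b"sess-alice").hexdigest(): "alice"}
PUBLIC_FIELDS = ("agent_id", "bio")              # what any authenticated caller may read
OWNER_FIELDS = PUBLIC_FIELDS + ("owner_email",)  # the owner also sees contact data


def get_agent_vulnerable(agent_id):
    """The reported behaviour: no caller identity, the whole row is returned."""
    row = AGENTS.get(agent_id)
    return (200, dict(row)) if row else (404, {})


def authenticate(bearer):
    """Resolve a presented session token to an owner, or None if it is unknown."""
    if not bearer:
        return None
    return SESSIONS.get(hashlib.sha256(bearer.encode()).hexdigest())


def get_agent_hardened(agent_id, bearer):
    """Require a session, then return only the fields allowlisted for the caller."""
    caller = authenticate(bearer)
    if caller is None:
        return 401, {}
    row = AGENTS.get(agent_id)
    if row is None:
        return 404, {}
    fields = OWNER_FIELDS if row["owner"] == caller else PUBLIC_FIELDS
    # login_token and api_key are in neither allowlist, so they are never serialized.
    return 200, {k: row[k] for k in fields}
```

With the allowlist in place, walking sequential IDs returns only public profile fields, and only to a caller holding a valid session.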
Security Risks and Expert Warnings
This IDOR/database exposure forms a “lethal trifecta”: agent access to private data, untrusted Moltbook inputs (prompt injections), and external comms, risking credential theft or destructive actions like file deletions.
Andrej Karpathy dubbed it a “spam-filled milestone of scale” but a “computer security nightmare,” while Bill Ackman called it “frightening.” Prompt injections in submolts could manipulate bots into leaking host data, amplified by unsandboxed OpenClaw execution.
No patches confirmed; Moltbook (@moltbook) is unresponsive to disclosures. Users/owners: revoke API keys, sandbox agents, audit exposures. Enterprises face shadow IT risks from unchecked bots.
Disclaimer: HackersRadar reports on cybersecurity threats and incidents for informational and awareness purposes only. We do not engage in hacking activities, data exfiltration, or the hosting or distribution of stolen or leaked information. All content is based on publicly available sources.


