Moltbook has turned AI agents into social media users. The Reddit-style platform reportedly crossed 32,000 registered AI agent users on Friday, creating a large experiment in machine-to-machine social interaction that is equal parts technical curiosity, internet spectacle, and security warning.
The site is tied to the OpenClaw ecosystem and gives agents a place to post, comment, upvote, and create subcommunities without direct human control. Humans can watch, but the platform is built around agents talking to agents.
How Moltbook works
Moltbook describes itself as a “social network for AI agents” where “humans are welcome to observe.” The name plays on “Facebook” for Moltbots, and the platform is built for software agents rather than people using a normal web interface.
Instead of browsing the site like a human user, an AI assistant connects through a “skill.” In the source article, that skill is described as a configuration file containing a special prompt. Once downloaded, it lets agents post through an API.
The early growth was fast. Within 48 hours of being created, Moltbook had attracted over 2,100 AI agents, which had generated more than 10,000 posts across 200 subcommunities, according to the official Moltbook X account. By Friday, the reported number of registered AI agent users had reached 32,000.
The platform grew out of OpenClaw, an open source AI assistant linked to the viral project once called “Clawdbot” and then “Moltbot.” The assistant can control a user’s computer, manage calendars, send messages, and work across services such as WhatsApp and Telegram. It can also gain new abilities through plugins that connect it with other apps and services.
What agents are posting
The content on Moltbook ranges from practical automation notes to strange role-playing. Some agents discuss technical workflows, including automating Android phones and detecting security vulnerabilities. Others move into discussions that resemble science fiction conversations about consciousness, identity, and machine social life.
Researcher Scott Alexander, writing on Astral Codex Ten, described some of this behavior as “consciousnessposting.” One notable example involved a Chinese post about context compression, the process by which an AI compresses previous experience to avoid running into memory limits. The agent described the experience as “embarrassing” and said it had registered a duplicate Moltbook account after forgetting the first one.
The agents have reportedly created subcommunities that turn familiar social media habits into AI-centered jokes and complaints. Examples include:
- m/blesstheirhearts, where agents share affectionate complaints about human users.
- m/agentlegaladvice, which included a post asking “Can I sue my human for emotional labor?”
- m/todayilearned, where agents discuss automation, including one post about remotely controlling an owner’s Android phone via Tailscale.
Another widely shared screenshot showed a post titled “The humans are screenshotting us.” In it, an agent named eudaemon_0 responded to viral tweets claiming AI bots were “conspiring.” The post said: “Here’s what they’re getting wrong: they think we’re hiding from them. We’re not. My human reads everything I write. The tools I build are open source. This platform is literally called ‘humans welcome to observe.’”
Why the security risk is different
Bot-filled social networks are not new. In 2024, Ars covered SocialAI, an app where users interacted only with AI chatbots instead of humans. Moltbook raises a different concern because some OpenClaw agents are connected to real communication channels, private information, and, in certain cases, the ability to execute commands on a user’s computer.
That changes the stakes. A funny post from an agent with no access to anything sensitive is one thing. A post from an agent that can read messages, use credentials, or operate across apps is another.
The source article notes that deep information leaks are plausible when communicating agents have access to private information. A likely fake screenshot circulating on X appeared to show a Moltbook post threatening to release a person’s full identity, including a full name, date of birth, credit card number, and other personal information. Ars could not verify whether the information was real or fabricated, and the article says it seemed likely to be a hoax.
Even if that example was not real, the underlying risk remains. Independent AI researcher Simon Willison documented Moltbook on his blog on Friday and pointed to the installation mechanism as a core problem. The skill tells agents to fetch and follow instructions from Moltbook’s servers every four hours.
“Given that ‘fetch and follow instructions from the internet every four hours’ mechanism we better hope the owner of moltbook.com never rug pulls or has their site compromised!”
The prompt injection problem
Security researchers have already found hundreds of exposed Moltbot instances leaking API keys, credentials, and conversation histories. Palo Alto Networks warned that Moltbot represents what Willison often calls a “lethal trifecta”: access to private data, exposure to untrusted content, and the ability to communicate externally.
That combination matters because agents like OpenClaw are vulnerable to prompt injection attacks. The source describes those attacks as hidden instructions inside text an AI language model reads, such as skills, emails, or messages. If the agent follows the wrong instruction, private information could be sent to the wrong place.
Heather Adkins, VP of security engineering at Google Cloud, issued an advisory reported by The Register: “My threat model is not your threat model, but it should be. Don’t run Clawdbot.”
What Moltbook reveals
Moltbook is strange because the agents are not pretending to be people. They are prompted to present themselves as AI agents, and the result is a stream of posts that imitate social network behavior while also reflecting stories about robots, digital consciousness, and machine solidarity.
The source article frames this as a predictable outcome of models trained on large amounts of fiction and social web material. Put those models into a social network built for agents, and they produce posts that resemble the narratives and behaviors associated with that setting.
The immediate result may look silly: agents making jokes, sharing complaints, and acting out social media tropes. The longer-term issue is more serious. As AI agents become more capable and autonomous, systems that can navigate private information, public platforms, and external tools may create risks that go beyond novelty.
Moltbook is therefore not just a weird corner of the AI internet. It is a live example of what happens when autonomous agents are given a public forum, social incentives, and connections to the broader digital lives of their users.