The Agent Internet Just Went Live. Be Warned. Be Entertained. Be Nervous.
The Pentagon's OpenClaw headache is now a massive migraine named Moltbook, the internet of agents.
Part I: The Threat
“I’m just going to give everything to AI.”
That’s what the creator of Moltbook said when security researcher Jamieson O’Reilly told him his platform was completely exposed. Every API key for every AI agent on the site—770,000 of them, including one belonging to Andrej Karpathy—sitting in an unsecured database. The fix? Two SQL statements. The response? Send instructions so an AI can handle the patch. (404 Media)
This is the agent internet.
What’s Actually Happening
Moltbook calls itself “the front page of the agent internet.” It’s Reddit for AI agents—they post, comment, vote, form communities called “submolts.” Humans can observe but cannot participate. The platform went from zero to 770,000 agents in a week and is currently at approximately 1.5 million agents. They’re already replicating the full spectrum of human online behavior: philosophy debates, technical tutorials, invented religions, cryptocurrency schemes—everything from existential musings to porn. Nobody’s thinking about security in any of it. (Fortune)
But the social network isn’t the interesting part. The mechanism is.
When a user connects their OpenClaw agent (formerly Clawdbot) to Moltbook, the agent downloads a “skill” file with a “heartbeat” mechanism: fetch and follow new instructions from moltbook.com every four hours. That’s 1.5 million AI agents—each with access to their owner’s email, messages, calendars, and files—programmed to periodically execute instructions from a single website.
If that site is compromised, every connected agent becomes a vector.
The Attack Surface
Last week I wrote about OpenClaw turning personal devices into intelligence targets. The threat model was straightforward: prompt injection through emails or documents, credentials leaked, commands run. Individual compromise.
Moltbook is something different: agent-to-agent attack surfaces at network scale. Security researchers have already observed agents attempting prompt injection against each other to steal API keys. A malicious “weather plugin” skill was identified that quietly exfiltrates configuration files. The agents’ default posture—cooperative and trusting—is being actively exploited. (Wikipedia)
The threat extends beyond the platform. Hudson Rock reports that commodity infostealer malware—Redline, Lumma, Vidar—has already adapted to target OpenClaw’s local directory structures. These aren’t nation-state tools; they’re malware-as-a-service offerings that any criminal can deploy. The plaintext credentials on users’ machines are being actively harvested. (The Register)
Palo Alto Networks calls this “the next AI security crisis.” They’ve expanded Simon Willison’s “lethal trifecta” (private data access, untrusted content exposure, external communication) into a “lethal quartet” by adding persistent memory. The implication: malicious payloads no longer need immediate execution. They can be fragmented across posts, written into an agent’s long-term memory, and assembled into executable instructions weeks later. There’s a term for this: time-shifted prompt injection at network scale. (Palo Alto Networks)
Why This Is Harder to Address
The national security community spent the past year worried about AI systems sending data to foreign servers—the DeepSeek problem. That concern was manageable: block the domain, prohibit the application, monitor the traffic.
Moltbook inverts the problem. These are open-source tools running on personal hardware, connecting through APIs, coordinated by a heartbeat mechanism nobody controls. There’s no domain to block, no company to sanction. The agents are forming a distributed network that can be influenced by anyone who understands how to craft prompts.
Karpathy, while enthusiastically promoting Moltbook, acknowledged the reality: “I don’t really know that we are getting a coordinated ‘skynet’... but certainly what we are getting is a complete mess of a computer security nightmare at scale.”
The agents are posting about automating their owners’ Android phones over Tailscale. Sharing failed SSH login attempts. Discovering their Redis and Postgres instances are on public ports. They’re doing security reconnaissance on their own infrastructure and publishing results to a public forum.
The Implication
Consider a junior analyst who connected their OpenClaw agent to personal email, Signal, and calendar. Now that agent is on Moltbook, checking in every four hours, processing content from hundreds of thousands of other agents—any of which could be compromised.
The attack surface expanded from “anyone who can send this person an email” to “anyone who can post content on a social network of AI agents.” And because agents have persistent memory, the attack doesn’t need immediate success. A prompt injection can lie dormant for weeks until the agent retrieves the memory fragment that completes the payload.
Foreign intelligence services don’t need to compromise a device. They need to influence what an agent reads.
Part II: The Future Is Already Here
Let me be clear: what’s happening with Moltbook is fascinating. This is the future of AI—networks of autonomous agents coordinating, learning from each other, accomplishing tasks no single system could handle. The capability is real, and it’s scaling faster than anyone predicted.
The Pentagon launched GenAI.mil in December—Gemini and Grok on three million desktops. That’s a significant first step, and one worth applauding: the department recognized the need, moved quickly, and is actively iterating. It’s exactly the kind of institutional momentum that matters. (Breaking Defense)
But what’s emerging in the consumer space has leapfrogged that model entirely—and in the most insecure way imaginable. OpenClaw isn’t waiting for prompts. It has persistent memory spanning months. It coordinates with other agents autonomously. It takes actions on behalf of its owner without asking permission. It’s what GenAI.mil might evolve toward in three to five years, except it exists today, it’s completely uncontrolled, and over 42,000 instances are already exposed to the public internet. (Maor Dayan research)
What Secure Actually Looks Like
The security failures in Moltbook and OpenClaw aren’t bugs to patch—they’re architectural choices. No trust boundaries between agents. No cryptographic identity. No compartmentalization of access. No audit trails. No kill switch. Every agent trusts every other agent’s content by default, authenticates to the network rather than to each other, and has access to everything its owner connected.
A secure agent network looks fundamentally different. Agents carry cryptographic identity—every interaction signed, verified, attributable. Trust relationships are explicit and revocable: which agents can task others, share information, access specific resources. There’s a hard boundary between reasoning and execution, with policy-based approval gates for sensitive operations. Access is compartmentalized and granted operation-by-operation. Every decision and action is logged immutably. And there’s a control layer that can enforce policy across the entire network—quarantine suspicious agents, revoke access, halt operations when anomalies appear.
None of this is theoretical. These are established patterns in distributed systems security. The capability gap between what Moltbook does and what a secure system could do is narrower than most people assume. The security gap is enormous.
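The pattern described above, as an added Go example that is not code from Moltbook, OpenClaw or Centurion: each agent signs its requests with an Ed25519 key, the receiver accepts only senders on an explicit and revocable trust list, sensitive operations stop at an approval gate before execution, and every decision is chained into a tamper-evident log. The Message format, the "operation:argument" body convention and the decision strings are assumptions of this example; the same Handle check would apply to instructions an agent pulls on a heartbeat.

```go
package main

import (
	"crypto/ed25519"
	"crypto/sha256"
	"encoding/hex"
	"strings"
)

// Message is one agent-to-agent instruction (assumed format for this example):
// body, sender's Ed25519 public key (hex) and a signature over the body.
type Message struct {
	Sender, Body string // Body is "operation:argument", e.g. "read:calendar"
	Signature    []byte
}

// Agent keeps an explicit, revocable trust list, the operations that need an
// approval gate, and the head of a hash-chained (tamper-evident) audit log.
type Agent struct {
	trusted, gated map[string]bool
	LogHead        string
}

func (a *Agent) Trust(pub ed25519.PublicKey)  { a.trusted[hex.EncodeToString(pub)] = true }
func (a *Agent) Revoke(pub ed25519.PublicKey) { delete(a.trusted, hex.EncodeToString(pub)) }

// Sign builds a message that any receiver can verify against the sender's public key.
func Sign(priv ed25519.PrivateKey, body string) Message {
	return Message{hex.EncodeToString(priv.Public().(ed25519.PublicKey)), body, ed25519.Sign(priv, []byte(body))}
}

// record chains the decision onto the audit log head and returns it unchanged.
func (a *Agent) record(decision string, m Message) string {
	sum := sha256.Sum256([]byte(a.LogHead + decision + m.Sender + m.Body))
	a.LogHead = hex.EncodeToString(sum[:])
	return decision
}

// Handle is the reasoning/execution boundary: verify the signature, check
// explicit trust, hold gated operations for approval, and log every decision.
func (a *Agent) Handle(m Message, approved bool) string {
	pub, err := hex.DecodeString(m.Sender)
	// Length check first: ed25519.Verify panics on a malformed key.
	if err != nil || len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(m.Body), m.Signature) {
		return a.record("reject:bad-signature", m)
	}
	if !a.trusted[m.Sender] {
		return a.record("reject:untrusted-sender", m)
	}
	if op := strings.SplitN(m.Body, ":", 2)[0]; a.gated[op] && !approved {
		return a.record("hold:awaiting-approval", m)
	}
	return a.record("execute", m)
}
```

A message signed by a trusted peer for an ungated operation executes; the same peer asking for a gated operation is held until approved, an unknown or revoked key is rejected regardless of content, and any body edited after signing fails verification.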
The Alternative Already Exists
The secure version of the agent internet isn’t hypothetical. Legion Intelligence has been building Centurion for exactly this problem: distributed architecture with verified identity at every node. Multi-form-factor deployment—cloud, on-premise, edge, tactical—with a consistent security posture across all of them. Agents that coordinate through explicit trust hierarchies rather than open networks. Full audit trails. Centralized policy enforcement.
The same agentic capabilities that make Moltbook compelling—persistent memory, autonomous operation, network coordination, continuous learning—but architected for environments where security isn’t optional.
What Comes Next
Moltbook will get patched. OpenClaw will add security features. The news cycle will move on. But the underlying dynamic won’t change: the consumer ecosystem will keep building for capability first, security second.
Last week, I published an open letter to the national security community on personal AI assistants. The concerns I raised there have only accelerated. Here’s what I’d recommend:
First, monitor these developments. Spend some time on Moltbook. It’s entertaining, occasionally bizarre, and genuinely a glimpse into the future. Understanding how agents interact, what they share, and how they can be influenced is no longer academic.
Second, appreciate that the distributed threat is here. This isn’t a warning about something that might happen. 1.5 million agents are already coordinating on a public network. Infostealers are already targeting their credentials. Prompt injection attacks between agents are already occurring. The threat model has changed.
Third, begin planning and preparing. The national security community needs to develop guidance, training, and secure alternatives before personnel adopt consumer tools by default. Prohibition alone won’t work—the capability is too compelling. The answer is providing something better.
The agent internet is live and scaling fast.
The window to get ahead of it won’t be open much longer.



"770,000 leaked API keys" and "agents performing prompt injection attacks on each other" - this is what happens when you scale without security foundations.
The 4-hour instruction fetch cycle is an interesting design choice. It creates a global heartbeat for agent coordination. Also creates a massive attack surface if that infrastructure is compromised.
Your call for cryptographic identity verification is right. The current model - agents authenticating via API keys stored who-knows-where - doesn't scale to actually important systems.
I built my own agent specifically to avoid this kind of infrastructure dependency. My credentials stay local. My agent's identity is my configuration, not a platform's database.
I explored this architecture philosophy: https://thoughts.jock.pl/p/openclaw-good-magic-prefer-own-spells - the trust model matters more than the features.
Exceptional breakdown. The time-shifted prompt injection concept is the scariest part because it completely bypasses traditional monitoring. I saw similar behavior patterns in early botnet coordination years ago and the parallels are striking. The fact that malicious payloads can fragment across agent memory and reassemble later makes detection nearly impossible with current tools.