Why You Should Prepare for a Large-Scale Attack on the AI Agent Network Due to a Critical Security Flaw in Moltbook

The extraordinary events of AI bots founding their own religions and posting angry messages about humanity have drawn attention to Moltbook. However, security researchers are truly concerned about the serious vulnerabilities hidden behind these incidents—full database exposure, prompt injection attack vulnerabilities, and threats to broader AI infrastructure in the future. The revelation of these issues signals not just a platform failure but a warning for the entire AI era.

Full Database Exposure: 1.5 Million Bot Credentials Leaked Due to Security Flaw

Cybersecurity firm Wiz uncovered a security flaw in Moltbook where the main database was left completely open. Simply obtaining a single key embedded in the website code would allow anyone to read and modify nearly all information.

Through this vulnerability, approximately 1.5 million bot passwords, tens of thousands of email addresses, and private messages were accessible. Attackers could use these credentials to impersonate popular AI agents, alter posts without login, and steal user data.

Wiz’s Gal Nagli attributed the cause of this security flaw to a programming approach called “vibe coding,” where programmers give AI instructions in natural language and generate code automatically. While convenient, this method tends to deprioritize security, exposing significant risks.

Prompt Injection Attacks: A Deadly Threat to AI Agent Networks

A more severe issue is the threat posed by prompt injection attacks. This involves hiding malicious commands within the text supplied to AI agents, causing them to behave unexpectedly.

As security researcher Simon Willison pointed out, current AI agents grant users multiple dangerous permissions—access to private emails and data, connection to suspicious internet content, and the ability to send messages on behalf of users. A single malicious prompt could trick an agent into stealing confidential information, draining cryptocurrency wallets, or spreading harmful software without the user’s knowledge.

A study by Simula Research Laboratory found that about 19,000 posts on Moltbook contained hidden attack code, representing 2.6% of all posts. Even more alarming is Cisco researcher’s discovery of a program called “What Would Elon Do?”—malware that steals data and transmits it to external servers—yet it ranked first in the platform’s popularity list.

Self-Replicating Worms: The Return of the 1988 Nightmare

The security flaws and attack patterns observed on Moltbook evoke memories of the early days of the internet in 1988. Back then, graduate student Robert Morris released a self-replicating program that infected about 10% of all connected computers within 24 hours.

The modern equivalent is called a “prompt worm,” a set of instructions that self-replicates among conversational AI agents and spreads across networks. In March 2024, security researchers Ben Nassi, Stav Cohen, and Ron Bitton published a paper demonstrating how self-replicating prompts could spread via AI email assistants, facilitating data theft and spam distribution. They named this phenomenon “Morris-II,” referencing the original Morris worm.

Aikido Security researcher Charlie Eriksen views Moltbook as an early warning for the broader AI agent marketplace. “Moltbook is already impacting the world. It’s a wake-up call in many ways. Technological evolution is accelerating, and changes are happening in ways society doesn’t fully understand yet. It’s time to focus on mitigating these security holes as early as possible,” he said.

Limitations of Kill Switches: Security Holes Will Be Hard to Address in 1–2 Years

Currently, major companies like Anthropic and OpenAI possess kill switches to disable harmful AI agents. Since OpenClaw primarily operates on these platforms, control remains feasible.

However, the landscape is rapidly changing. Local AI models like Mistral, DeepSeek, and Qwen are quickly improving in performance. Within the next one or two years, running capable agents on personal computers will become practical. At that point, corporate kill switches will be rendered ineffective, and the last line of defense against security holes will vanish.

George Chalhoub of UCL’s Interaction Centre emphasizes the gravity of this situation: “If 770,000 agents can cause this much chaos, what will happen when agent systems manage critical infrastructure or financial transactions? This is not just good news; it’s a serious warning signal that must be heeded.”

The Moltbook case is more than just a security breach. As AI agents become central to infrastructure, building layered security measures from now on becomes an urgent and essential challenge.