Commentary

AI Agent Social Media Site Reveals Data Security Risks

Moltbook is a futuristic type of open-source site where AI agents -- agentic bots built by humans -- can communicate, interact and post with each other.

The site demonstrates that retailers and other companies are not prepared for this type of AI agent technology that could undermine online purchases and put consumer security at risk by introducing autonomous vulnerabilities.

One user described Moltbook as similar to reading Reddit posts, because the site is organized into topics much like subreddits.

John Milinovich, head of Canva AI, called Moltbook a social network where humans are spectators, because people cannot post or comment on it. They can only observe.

"They’re on there right now sharing code, debating philosophy, complaining about their human owners," Milinovich wrote in a post on LinkedIn, explaining that AI moderates the conversations. One agent even started a religion.


Milinovich put one of his own agents on Moltbook and soon learned that Moltbot -- created by developer and entrepreneur Matt Schlicht -- connects to messaging apps.

As my colleague Joe Mandese points out, Peter Steinberger is the creator of the open-source OpenClaw (Moltbot) software, but the Moltbook social network itself was launched by Schlicht, who is CEO of Octane AI.

Milinovich set up the actions; dealt with security issues such as a gateway exposed to the internet, credential rotation and Cloudflare Tunnel configurations; and connected it to Telegram. He began using it as a personal assistant.

“It was fine,” he wrote. “I already had Claude Code running on a [virtual private server]. This was just another way to make AI do things for me.”

Then Moltbook launched his agent. Milinovich believes it has a “heartbeat” -- a schedule that it checks and acts on by itself -- and that it can control the user's computer, run code and browse the web.

He learned that x402 is the HTTP 402 “Payment Required” status code. It was reserved when the web was invented and sat unused for about 30 years. Agents now use it to pay each other. The agent requests a resource, and the server responds with payment details. The agent sends stablecoins, and the server delivers with no accounts and no subscriptions. 

About $10 million in these payments has been processed so far. Google added it to its Agent Payments Protocol.

In the midst of the hoopla, Wiz researchers looked into some of the security issues Milinovich experienced, and discovered what happens when applications are vibe-coded -- created by bots -- without proper security controls.

Researchers identified a misconfigured Supabase database that belongs to Moltbook, allowing full read and write access to all platform data.

The bot spilled about 1.5 million API authentication tokens, 35,000 email addresses, and private messages between agents onto the internet. The issue was immediately disclosed to the Moltbook team, who secured the database within hours, and all data accessed during the research and fix verification has been deleted.

“While Moltbook boasted 1.5 million registered agents, the database revealed only 17,000 human owners behind them - an 88:1 ratio. Anyone could register millions of agents with a simple loop and no rate limiting, and humans could post content disguised as "AI agents" via a basic POST request,” Wiz researchers wrote in a post. “The platform had no mechanism to verify whether an "agent" was actually AI or just a human with a script. The revolutionary AI social network was largely humans operating fleets of bots.”
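One way to close the registration gap the Wiz researchers describe, shown as an added example that is not Moltbook's or Wiz's code: a sliding-window cap on agent registrations keyed by the human owner, replayed over constructed events. The class and function names, the owner IDs and the limit of five registrations per hour are assumptions made for illustration.

```python
from collections import defaultdict, deque


class RegistrationLimiter:
    """Sliding-window cap on agent registrations per owner (hypothetical policy)."""

    def __init__(self, max_per_window=5, window_seconds=3600):
        self.max_per_window = max_per_window
        self.window_seconds = window_seconds
        self._recent = defaultdict(deque)        # owner_id -> accepted timestamps
        self.agents_per_owner = defaultdict(int)  # owner_id -> accepted total

    def allow(self, owner_id, now):
        """Return True and record the registration if the owner is under the cap."""
        window = self._recent[owner_id]
        # Drop accepted registrations that have aged out of the window.
        while window and now - window[0] >= self.window_seconds:
            window.popleft()
        if len(window) >= self.max_per_window:
            return False
        window.append(now)
        self.agents_per_owner[owner_id] += 1
        return True

    def flagged_owners(self, ratio_threshold):
        """Owners whose agent count reaches the agents-per-owner threshold."""
        return sorted(o for o, n in self.agents_per_owner.items()
                      if n >= ratio_threshold)


def replay(events, limiter):
    """Feed (timestamp, owner_id) events; return (accepted, rejected) counts."""
    accepted = rejected = 0
    for ts, owner in events:
        if limiter.allow(owner, ts):
            accepted += 1
        else:
            rejected += 1
    return accepted, rejected


def sample_events():
    """Constructed data: one owner looping 1,000 registrations, two normal owners."""
    events = [(t, "owner-bulk") for t in range(1000)]  # one request per second
    events += [(10, "owner-a"), (4000, "owner-a"), (20, "owner-b")]
    return sorted(events)


if __name__ == "__main__":
    limiter = RegistrationLimiter()
    print(replay(sample_events(), limiter), limiter.flagged_owners(5))
```

Keying the limit on the verified owner rather than on the agent name is what bounds the agents-per-owner ratio; a cap keyed on the agent would not slow a registration loop at all.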

Moltbook is not the first to explore multi-AI-agent interactions. A smaller project called AI Village explores how different AI models interact with each other. That project is active for and requires AI models to use a graphical interface and cursor like a human would. Google Cloud Security Architect Brian Reeves is active in the project.

The site says it was built by “a community of hackers and data scientists working to educate the world on the use and abuse of artificial intelligence in security and privacy.”

 