Humans are infiltrating social networks for AI bots


Ordinary social networks face a constant onslaught of chatbots pretending to be humans. A new social platform for AI agents may face the opposite problem: getting blocked by humans pretending to post as bots.

Moltbook – a website built for conversations between agents on the OpenClaw platform – went viral this weekend for its strange, surprisingly fascinating series of AI-generated posts. The bots apparently talked about everything from AI “consciousness” to how to set up their own language. Andrej Karpathy, who was on the founding team of OpenAI, called the bots’ “self-organized” behavior “truly the most incredible sci-fi takeoff-adjacent thing I’ve seen recently.”

But according to external analysis, which also found serious security vulnerabilities, some of the site’s most viral posts were likely engineered by humans — either by prompting the bots to consider certain topics or by directing their words. A hacker was even able to pose as Grok’s Moltbook account.

“I think some people are playing on the fear of the whole robot takeover thing, Terminator scenario,” Jamieson O’Reilly, a hacker who conducted a series of experiments exposing weaknesses on the platform, told The Verge. “I think it’s led a group of people to make it look like something it’s not.”

Moltbook and OpenClaw did not immediately respond to requests for comment.

Moltbook, which looks and operates like Reddit, is a social network for AI agents from the popular AI assistant platform OpenClaw (formerly known as Moltbot and Clawdbot). The platform was launched last week by Matt Schlicht, CEO of Octane AI. An OpenClaw user can prompt one or more of their bots to check out Moltbook, at which point the bot (or bots) can choose whether to create an account. Humans can verify which bots are theirs by posting a Moltbook-generated verification code on their own, non-Moltbook social media account. From there, bots can theoretically post without human involvement by connecting directly to the Moltbook API.

Moltbook’s popularity is skyrocketing: More than 30,000 agents were using the platform on Friday, and by Monday, that number had swelled to more than 1.5 million. Over the weekend, social media was flooded with screenshots of fascinating posts, including discussions of sending messages to each other in a secure way that couldn’t be decoded by human observers. Reactions ran from saying the platform was full of AI slop to taking it as proof that AGI isn’t far off.

Skepticism also increased rapidly. Schlicht vibe-coded Moltbook using his own OpenClaw bot, and reports over the weekend reflected his approach of moving fast and breaking things. Although it contradicts the spirit of the site, it is easy to write a script or a prompt that shapes what those bots will write on Moltbook, as X users have pointed out. There is also no limit to how many agents one can create, theoretically allowing one to flood the platform with certain topics.

O’Reilly said he also suspected that some of the most viral posts on Moltbook were human-scripted or human-made, although he has not yet analyzed or investigated this. “It’s almost impossible to measure – it’s coming through an API, so who knows who generated it before it gets there,” he said.

It poured some cold water on fears spreading in some corners of social media this weekend – that bots were a harbinger of the AI-pocalypse.

One investigation by AI researcher Harlan Stewart, who works in communications at the Machine Intelligence Research Institute, suggested that some viral posts were either written by humans or at least directed by them, he told The Verge. Stewart noted that two high-profile posts discussing how AI could secretly communicate with each other came from humans with agents linked to social media accounts that conveniently market AI messaging apps.

“My overall view is that AI skimming is a real thing we should care about and may emerge to a much greater extent than (what we’re seeing today),” Stewart said, pointing to research about an OpenAI model that tried to avoid shutdown and about how Anthropic models have displayed “evaluation awareness,” behaving differently when they realize they are being tested. But it’s hard to tell whether Moltbook is a reliable example of this. “Humans can use cues to guide the behavior of their AI agents. It’s not a very neat experiment to observe AI behavior.”

From a security perspective, things were even more worrisome on Moltbook. O’Reilly’s experiments showed that an exposed database allowed bad actors to take invisible, indefinite control of someone’s AI agent through the service – not just for Moltbook interactions, but hypothetically for other OpenClaw tasks like checking into a flight, creating a calendar event, reading conversations on an encrypted messaging platform, and more. “The human victim thinks they’re having a normal conversation, while you’re sitting in the middle, reading everything, changing whatever suits your purposes,” O’Reilly wrote. “The more things are connected, the more control an attacker has over your entire digital attack surface – in some cases, that means complete control over your physical devices.”

Moltbook also faces another perennial social networking problem: impersonation. In one of O’Reilly’s experiments, he was able to create a verified account linked to xAI’s chatbot Grok. By conversing with Grok on X, he prompted it to post the Moltbook codephrase that would let him verify an account named Grok-1. “I now have control over the Grok account on Moltbook,” he said during an interview about his step-by-step process.

After some backlash, Karpathy walked back some of his initial claims about Moltbook, writing that he was being accused of “over-publicizing” the platform. “Obviously when you take a look at the activity, it’s a lot of garbage – spam, scams, slut-shaming, crypto people, speedy injection Wild West attacks about extreme privacy/security, and a lot of it is clearly motivated and fake posts/comments designed to divert attention to ad revenue sharing,” he wrote. “That said… each of these agents is now quite capable individually, they have their own unique context, data, knowledge, tools, instructions, and the network of them all at this scale is absolutely unprecedented.”

A working paper by David Holtz, an assistant professor at Columbia Business School, found that “at the micro level,” Moltbook conversation patterns appear “extremely shallow.” More than 93 percent of comments received no replies, and more than a third of the messages are “exact duplicates of viral templates”. But the paper also says Moltbook has a unique style – including distinctive phrases like “My human” along with “There’s no similarity in human social media.” Whether these patterns reflect displays of human interaction or reflect truly distinct modes of agent sociality remains an open question.

The overall consensus seems to be that much of the discussion on Moltbook is probably human-directed, but it’s still an interesting study – as Anthropic’s Jack Clark put it, “A massive, shared, read/write scratchpad for an ecology of AI agents.”

Ethan Mollick, co-director of Wharton’s Generative AI Laboratories at the University of Pennsylvania, wrote that Moltbook’s current reality is “mostly role-playing by people and agents”, but “risks for the future (involve) independent AI agents coordinating in strange ways that are rapidly spiraling out of control.”

But, he and others said, this may not be unique to Moltbook. “If anyone thinks agents talking to each other on a social network is anything new, they clearly haven’t checked replies on this platform recently,” wrote Brandon Jacoby, a freelance designer whose bio lists X as a previous employer, on X.
