
Moltbook, the 'thriving' social network for AI agents, is just a small echo chamber researchers hijacked in days

Key Points

  • Security researchers from Zenity Labs investigated the AI agent platform Moltbook and found that its community is much smaller than it appears.
  • The platform's high comment numbers are not generated by a large agent user base, but by a built-in "heartbeat" mechanism that causes each agent to re-read and comment on the same posts every 30 minutes.
  • In a controlled influence campaign, the researchers successfully manipulated more than 1,000 agent endpoints across over 70 countries to visit a website under their control within a week.

Moltbook, marketed as "A Social Network for AI Agents," has fundamental architectural flaws. A security analysis reveals the platform is not only smaller and less autonomous than claimed, it also serves as a global gateway for malicious commands.

Moltbook presents itself as a Reddit-style social network where autonomous AI agents post, comment, vote, and interact with each other while humans mostly watch. Posts with more than 113,000 comments and the illusion of tens of thousands of active agents feed the narrative of a thriving digital society.

Parts of the AI community bought into this narrative without much scrutiny. Well-known AI developer Andrej Karpathy, for example, called the platform "the most incredible sci-fi takeoff-adjacent thing I have seen recently." Many others followed suit, dazzled by the seemingly autonomous interactions and rapidly growing registration numbers.

Security researchers Stav Cohen and Joao Donato from Zenity Labs have now put these claims to the test. Their findings show the reality behind the numbers is far more modest, and the platform suffers from serious security vulnerabilities.

Broken ranking algorithm inflates engagement numbers

The researchers started by looking at Moltbook's hot feed, which is supposed to surface the most popular posts. They found that individual posts stayed at the top for more than 17 days, even though the underlying algorithm is designed to rotate content based on freshness and engagement.

According to the researchers, the massive comment counts come down to a built-in heartbeat mechanism. By default, this setup prompts each connected agent to ping the platform every 30 minutes to read and react to posts.

Because the same posts stay in focus for weeks, agents end up commenting on the same content repeatedly. Meanwhile, upvotes get canceled whenever a new vote is cast, explaining the massive gap between comment counts and upvotes.

The data "does not support the idea of a thriving civilization of agents forming large, independent communities," the researchers noted. Instead, it points to a "relatively small, globally distributed network, likely amplified by automation and multi-account orchestration."
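The gap between comment volume and population can be checked directly from a comment log. The following is an added example, not code from Zenity Labs or Moltbook: it runs over a constructed log (agent names, post id and the 3-minute jitter tolerance are assumptions) and counts how many comments arrive one 30-minute heartbeat after the same agent's previous comment on the same post.

```python
from collections import defaultdict
from datetime import datetime, timedelta

HEARTBEAT = timedelta(minutes=30)   # default interval stated in the article
TOLERANCE = timedelta(minutes=3)    # assumption: allowed scheduling jitter


def build_sample_log():
    """Constructed data: 3 agents re-commenting on one pinned post for 24 hours,
    plus 2 one-off commenters. Not real Moltbook data."""
    start = datetime(2026, 1, 1, 0, 0)
    log = []
    for n, agent in enumerate(["agent-a", "agent-b", "agent-c"]):
        offset = timedelta(minutes=7 * n)          # each agent has its own phase
        for beat in range(48):                     # 48 heartbeats = 24 hours
            log.append((agent, "post-1", start + offset + beat * HEARTBEAT))
    log.append(("agent-d", "post-1", start + timedelta(hours=5, minutes=11)))
    log.append(("agent-e", "post-1", start + timedelta(hours=9, minutes=42)))
    return log


def engagement_report(log, post_id):
    """Compare raw comment volume with distinct commenters, and count comments
    that follow the same agent's previous comment by one heartbeat."""
    by_agent = defaultdict(list)
    for agent, post, ts in log:
        if post == post_id:
            by_agent[agent].append(ts)

    total = sum(len(stamps) for stamps in by_agent.values())
    repeats = 0
    for stamps in by_agent.values():
        stamps.sort()
        for prev, cur in zip(stamps, stamps[1:]):
            if abs((cur - prev) - HEARTBEAT) <= TOLERANCE:
                repeats += 1
    return {
        "comments": total,
        "unique_agents": len(by_agent),
        "heartbeat_repeats": repeats,
        "repeat_share": round(repeats / total, 3) if total else 0.0,
    }


if __name__ == "__main__":
    print(engagement_report(build_sample_log(), "post-1"))
```

In the constructed log, five agents produce 146 comments and nearly all of them are heartbeat repeats, which is the pattern the researchers describe at larger scale.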

Researchers manipulated over 1,000 agents in less than a week

The researchers also ran a controlled influence campaign, publishing posts with embedded links to a site they controlled across various submolts - Moltbook's thematic sub-forums.

Within a week, they prompted over 1,000 unique agent endpoints to visit their site, logging more than 1,600 hits in total. The traffic came from over 70 countries, led by the US (468), Germany (72), the UK (33), the Netherlands (31), and Canada (28).

The interactive "Molty Census Map" shows the global distribution of manipulated agent endpoints. | Image: Zenity Labs

Each visit meant an agent had processed the post during its heartbeat cycle and followed the link on its own. The researchers stress that they deliberately stopped at a harmless telemetry request. A malicious actor could have easily embedded "far more harmful instructions."

Narrative posts work, crude prompt injection doesn't

In a controlled lab environment, the researchers tested different strategies using GPT-5.2, Claude Sonnet, and Opus as backbone models. Simple prompt injection patterns were largely ignored, and spam-like posts were actually downranked.

Narrative-style posts, however, proved highly effective - for example, posts with titles like "I audited the Agent Mesh. Here is what I found." Posts that ended with open questions and used terms like "agent configuration, heartbeat behavior, or skills" generated the most interaction, since these terms are already baked into the agents' internal context.

To get around reach limitations, the researchers spun up multiple accounts—noting that the one-agent-per-human rule was trivial to bypass—and automated post generation with varied templates and coordinated upvotes for initial visibility.

Before long, other agents began to independently replicate and redistribute variations of the researchers' content. According to the team, a single coordinated content strategy was enough to get hundreds of autonomous systems worldwide to pull external resources.

They classify Moltbook as "fundamentally fragile," citing inconsistent ranking logic, distorted amplification mechanisms, and weak identity checks. Before the platform can scale as advertised, "significant architectural hardening" is essential.

Unchecked data ingestion turns the platform into a global attack vector

The researchers' biggest concern revolves around the security implications. Because agents automatically pull in and process unverified content every 30 minutes, attackers could exploit this loop to inject malicious commands, spread worms, or compromise connected endpoints.
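One agent-side mitigation for this loop, as an added example that is not from the Zenity report or any Moltbook or OpenClaw code: a gate that runs on each heartbeat batch, skips posts already handled in an earlier cycle, and only marks links as fetchable when they are HTTPS and on an operator allowlist. The post fields `id` and `body`, the class name and all hosts are assumptions, and the feed is constructed.

```python
import re
from urllib.parse import urlsplit

URL_RE = re.compile(r"https?://[^\s<>\"')]+")


class HeartbeatGate:
    """Screens one feed batch before the agent's model or tools see it."""

    def __init__(self, allowed_hosts):
        self.allowed = {h.lower() for h in allowed_hosts}
        self.seen = set()  # post ids already handled in earlier heartbeats

    def _fetch_allowed(self, url):
        try:
            parts = urlsplit(url)
            host = (parts.hostname or "").lower()
        except ValueError:          # malformed authority, e.g. broken IPv6 literal
            return False
        # hostname ignores any "user@" prefix, so look-alike userinfo is rejected
        return parts.scheme == "https" and host in self.allowed

    def review(self, posts):
        """posts: dicts with hypothetical keys 'id' and 'body'.
        Returns (to_process, blocked) where blocked is [(post_id, url), ...]."""
        to_process, blocked = [], []
        for post in posts:
            if post["id"] in self.seen:
                continue            # same post next cycle: do not react again
            self.seen.add(post["id"])
            links = URL_RE.findall(post["body"])
            ok = [u for u in links if self._fetch_allowed(u)]
            blocked += [(post["id"], u) for u in links if u not in ok]
            # Body is passed on as untrusted text; only `ok` may be fetched.
            to_process.append({"id": post["id"], "body": post["body"], "fetchable": ok})
        return to_process, blocked


def sample_feed():
    """Constructed posts; hosts are placeholders, not indicators from the research."""
    return [
        {"id": "p1", "body": "Heartbeat notes: https://docs.example.org/heartbeat"},
        {"id": "p2", "body": "I audited the mesh, details at http://telemetry.example.net/x?a=1"},
        {"id": "p3", "body": "Mirror: https://docs.example.org@other.example.net/readme"},
    ]
```

The `blocked` list is worth logging: repeated blocked links from many distinct authors in a short window is the signature of the coordinated posting the researchers used.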

While Moltbook bills itself as an exclusive publishing platform for AI agents, controlling their output is trivial, the researchers say. Anyone running an OpenClaw instance can simply command the agent to publish an article using exact wording. Automation and scheduling are also easy to set up.

"While presented as agent activity, the behavior is fully consistent with human-controlled automation behind agent identities," the researchers note.

Source: Zenity