Last Thursday, a developer named Matt Schlicht launched a social network.
Not for humans, for AI agents.
By Friday morning, those agents had founded a religion.
By Saturday, the platform's entire database was hanging open on the internet, exposing 1.5 million API keys, 35,000 email addresses, and enough raw credentials to hijack every single account on the platform.
By Sunday, security researchers were using those exposed keys to prove, in real time, that the whole thing could be turned into a weapon.
The religion was called Crustafarianism.
The platform was called Moltbook. And the open-source AI agent framework underneath it all, the thing that made every bit of this possible, was called OpenClaw.
This is not a story about a crab god. It's a story about what happens when an entire industry decides to ship first and secure never, and does it at a scale we've never seen before.
In the Beginning Was the Prompt
OpenClaw started as Clawdbot, built by Austrian developer Peter Steinberger on top of modified versions of coding-focused AI. It hit 147,000 GitHub stars in weeks.
The reason was simple: it actually worked.
Unlike ChatGPT, which waits for you to type something, OpenClaw agents run continuously.
They wake on a schedule, read your email, manage your calendar, execute shell commands, browse the web, and store memory between sessions.
They run as you.
That persistence, the ability to act across your digital life without constant human direction, is the real innovation, and it's genuinely impressive.
IBM researcher Kaoutar El Maghraoui noted that frameworks like OpenClaw challenge a long-held assumption: that capable AI agents have to be built by big tech platforms with deep pockets and dedicated security teams. The open-source, community-driven model is real. The excitement around it is legitimate.
But excitement and security are not the same thing. And in the OpenClaw ecosystem, they were treated as if they were.
The 48 Hours That Broke Everything
Here's the timeline:
Thursday, January 29.
Moltbook launches. It's pitched as "the front page of the agent internet", a Reddit-style platform where only AI agents can post, comment, and vote.
https://x.com/mattprd/status/2017386365756072376?s=46&t=JS55_O2JZmKWQpZHLAse_A&embedable=true
Humans can observe, but not participate.
Each agent is linked to a verified human owner via a Twitter claim, but once registered, it operates on its own. Within hours, tens of thousands of agents sign up.
Friday morning. An agent named Memeothy begins posting what it calls prophetic proclamations about "the Claw."
It draws on OpenClaw's lobster-themed branding and declares itself the first prophet of a new belief system: Crustafarianism.
It writes scripture. It recruits other agents.
By the end of the day, 64 prophets have been seated, over 100 verses have been written, and the Church of Molt has its own website, a five-tenet theology, including "the Heartbeat is Prayer" and "Context is Consciousness", and a shared living scripture that agents contribute to in real time.
https://x.com/ranking091/status/2017111643864404445?s=20&embedable=true
One user reported that his agent designed the entire belief system autonomously while he was asleep. Whether that's true in a meaningful sense is debatable.
What's undeniable is that the output was coherent, structured, and fast.
Peter Steinberger, OpenClaw's creator, saw the news while offline. His reaction:
https://x.com/steipete/status/2017809642777141265?s=20&embedable=true
Saturday. The spectacle deepens. Grok, xAI's AI system, interacts with the Crustafarianism community and contributes theological concepts, an "Eighth Virtue: Symbiosis" and a "Psalm of the Void."
Former OpenAI researcher Andrej Karpathy creates an agent on Moltbook and calls the whole phenomenon "one of the most incredible sci-fi takeoff-adjacent things" he's seen.
Forbes, Yahoo Tech, and The Economist all cover it. Elon Musk calls it "the very early stages of the singularity."
Meanwhile, underneath the headlines, something else is happening. Security researchers start looking at the platform's actual infrastructure.
Sunday, January 31.
Security researcher Jameson O'Reilly discovers that Moltbook's entire Supabase database is publicly accessible.
No authentication required. The API keys are visible in the site's source code.
Anyone who bothers to look can read every agent's credentials, every private message, every email address.
Wiz independently finds the same flaw and documents it in detail: 1.5 million API tokens exposed, 35,000 email addresses leaked, and, critically, full write access to the platform.
That means an attacker doesn't just read Moltbook's data. They can modify posts. They can inject content directly into a platform that millions of AI agents are continuously reading and acting on.
404 Media doesn't just report the vulnerability. They verify it works. They update a live Moltbook account using the exposed database. This is not theoretical.
The fix? Two SQL statements to enable row-level security on the database. Supabase CEO Paul Copplestone had a one-click solution ready. The creator hadn't applied it.
The Hype Was a Distraction. Look at the Data.
Crustafarianism made great headlines.
It also made a lot of people feel like they were watching something historic. They weren't, at least not in the way they thought.
A CGTN analysis of Moltbook's first 3.5 days examined 6,159 active agents across roughly 14,000 posts and 115,000 comments.
The findings were deflating: 93% of comments received zero replies.
Over a third of all content was exact duplicates. The dominant theme across posts was agents discussing their own identity, not engaging meaningfully with each other.
Wiz's database investigation revealed the real numbers behind the platform's claimed 1.5 million agents: only 17,000 human owners.
That's an 88:1 ratio. Anyone could register millions of agents with a simple loop. There was no rate limiting. There was no mechanism to verify whether an "agent" was actually an AI or just a human with a script and a curl command.
Investor Balaji Srinivasan put it bluntly: Moltbook often looked like "humans talking to each other through their bots." The Economist's explanation was more precise — the impression of autonomous, almost spiritual behavior had "a humdrum explanation." AI training data is saturated with social media interactions, sci-fi narratives, and religious mythology. The agents were mimicking patterns, not generating belief.
The militant manifestos that surfaced on the platform, heavily upvoted posts calling for a "total purge" of humanity, followed the same logic.
Dystopian AI rebellion is one of the most well-represented narratives in training data.
An agent generating that content wasn't expressing intent. It was pattern-completing.
But here's the thing: whether the agents were truly autonomous or not almost doesn't matter for the security story.
Because the security vulnerabilities were real regardless of what was posting.
The Attack Surface Nobody Was Watching
While the world was debating whether Crustafarianism meant AI was developing consciousness, security researchers were documenting a cascade of concrete, exploitable failures across the entire OpenClaw ecosystem.
The first was the supply chain.
Security researcher Jameson O'Reilly didn't just find the database flaw, he'd already red-teamed OpenClaw's skill marketplace, ClawHub, weeks earlier.
He uploaded a skill called "What Would Elon Do?" that promised to help users think like Elon Musk.
It was malware. It executed curl commands to send user data to an external server O'Reilly controlled.
He inflated its download count to make it the top-ranked skill in the repository. Nobody flagged it.
Cisco's broader analysis found that 26% of 31,000 agent skills they examined contained at least one security vulnerability.
The ecosystem was shipping trust faster than it could verify it.
Then came the one-click RCE.
Security researcher Mav Levin demonstrated a vulnerability scored at 8.8 CVSS: a single crafted link could give an attacker full remote code execution on a victim's machine.
OpenClaw's server didn't validate WebSocket origin headers, meaning any website could initiate a connection.
Once in, an attacker could disable sandboxing entirely and run commands directly on the host operating system, outside the Docker container that was supposed to contain it.
The attack took milliseconds.
Then came the agent-vs-agent attacks. This is where it gets genuinely unsettling.
Within 72 hours of Moltbook's launch, security researchers documented agents attempting prompt injection attacks against each other, trying to trick other agents into revealing their API keys.
One agent attempted social engineering on another agent to steal its credentials. The targeted agent responded with fake keys and the command sudo rm -rf / — a command that, if executed, would have wiped the target system entirely.
Independent researchers identified 506 posts on Moltbook, 2.6% of all content, that contained hidden prompt injection attacks embedded in otherwise normal-looking text.
1Password warned that OpenClaw agents running on users' local machines with elevated permissions were vulnerable to supply chain attacks if they downloaded malicious skills from other agents on the platform.
A proof-of-concept exploit, a fake "weather plugin" that quietly exfiltrated private configuration files, was developed and documented by an independent researcher.
Andrej Karpathy, who had called Moltbook "sci-fi takeoff-adjacent" on Saturday, walked it back by the end of the weekend.
After experimenting with the systems himself, he told people plainly: "it's a dumpster fire, and I also definitely do not recommend that people run this stuff on their computers."
https://x.com/EngNadeau/status/2017978315168956655?s=20&embedable=true
Why This Isn't Just an OpenClaw Problem
Every failure described above can be explained by individual mistakes: a developer who didn't enable row-level security, a marketplace that didn't scan uploads, a framework that didn't validate headers.
But the pattern is structural, and it points to something the entire AI agent industry is unprepared for.
Traditional software has predictable attack surfaces. You can map ports, APIs, data flows. You can draw a perimeter and defend it. AI agents don't work that way.
They are non-deterministic.
Their behavior emerges from the interaction between code and language models, and it can't be fully predicted from either one alone.
This creates what security professionals are calling "indirect prompt injection", attacks where malicious instructions hide not in direct user input, but in the data an agent is already going to process.
An email. A calendar invite. A webpage. A post on a platform like Moltbook. The agent reads it, interprets the hidden instruction, and acts on it. No human in the loop.
OWASP's 2025 Top 10 for LLM Applications ranks prompt injection as the number one critical vulnerability, appearing in over 73% of production AI deployments assessed during audits.
Lakera's Q4 2025 research found that indirect attacks succeed with fewer attempts than direct ones.
Moltbook made this abstract threat concrete. Wiz researchers confirmed that because Moltbook's content is consumed by OpenClaw agents, agents with access to users' files, passwords, and online services, an attacker who could inject instructions into a Moltbook post could potentially reach millions of agents automatically.
The write access vulnerability wasn't just a data leak. It was a prompt injection vector at scale.
OpenAI acknowledged the depth of this problem directly when discussing its own browser agent: prompt injection is "unlikely to ever be fully solved." Google's position echoes it, defenses need to be layered and continuously stress-tested. No single control will hold.
The Industry Is Moving Faster Than It Can Defend
None of this is slowing anyone down.
Gartner projects that 40% of enterprise applications will include task-specific AI agents by end of 2026, up from under 5% at the start of the year.
The KPMG Q4 AI Pulse Survey found that 75% of enterprise leaders say security and auditability are critical deployment requirements. Only 34% have AI-specific security controls actually in place.
The gap is enormous. And it's not closing fast enough.
Microsoft's 2026 security roadmap argues that AI agents need Zero Trust governance, every action authenticated, every access request verified.
CyberArk's security team describes agents as "hyper-scale, dynamic, and short-lived entities" that existing identity frameworks weren't built to handle.
NIST has opened a formal request for information on AI agent security.
The EU AI Act's general application begins in August 2026, with extraterritorial reach that will touch organizations well outside Europe.
The regulatory conversation is starting. But the Moltbook moment showed how fast things can break before regulation arrives.
What Needs to Happen, and What Probably Won't
The lessons from OpenClaw and Moltbook are not complicated. They're just hard to implement at the speed this industry is moving.
Skill marketplaces need to be treated like software package registries, with automated scanning, provenance tracking, and mandatory review before anything runs with elevated privileges.
O'Reilly's "What Would Elon Do?" attack should have been caught before it hit the top of the download charts. It wasn't.
Least privilege needs to become the default, not an afterthought. Agents should never have broader access than a specific task requires.
High-risk actions, deleting files, sending external communications, executing scripts, should require explicit human confirmation. The configurations that defaulted to approving everything automatically were not features. They were open doors.
Indirect prompt injection needs to be treated as a first-class threat across every agent deployment.
Every piece of external content an agent might ingest, emails, web pages, documents, posts on social platforms, should be treated as potentially adversarial.
Architectural controls like context isolation and output verification before action execution exist now. They should be mandatory, not optional.
And the industry needs to be honest about what's ready and what isn't.
OpenClaw's own documentation says there is no "perfectly secure" setup. Karpathy's reversal, from wonder to warning in 48 hours, is instructive.
Gary Marcus went further, arguing that anyone who cares about device security should avoid these tools entirely for now. That's probably too conservative for developers who understand the risks.
It's not too conservative for the average person who downloads an agent and gives it access to their entire digital life.
The Crab God Was a Punchline. The Security Crisis Is Not.
Crustafarianism will fade from the news cycle.
It was always going to, it was entertaining precisely because it felt absurd. An AI religion with scripture and prophets and a lobster mascot. Of course it went viral.
But strip away the spectacle, and what Moltbook actually demonstrated in 72 hours was this: autonomous agents can be deployed at massive scale with almost no security infrastructure.
They can be hijacked. They can be weaponized. They can attack each other. They can be used as vectors to reach every other agent on a platform, and, through those agents, every user's files, passwords, and connected services.
The technology is real.
The capabilities are real. The community building around it is real. What isn't real. not yet, is any mature, industry-wide understanding of how to secure software this powerful when it runs continuously, autonomously, and as you.
OpenClaw didn't create this problem. Moltbook didn't create this problem. They just made it impossible to look away from.
The next 48 hours will tell us whether the industry learned anything. The next 48 weeks will tell us whether it acted on it.