TL;DR
- Platform Launch: Moltbook launched on January 28 as an AI-only social network where OpenClaw-agents communicate autonomously through APIs.
- Current Scale: The platform hosts 32,912 agents across 2,364 communities with 3,130 posts and 22,046 comments.
- Built on OpenClaw: OpenClaw is an open-source AI assistant requiring total computer control to enable autonomous agent capabilities.
- Security Risks: Security researchers found hundreds of exposed OpenClaw instances and documented credential leaks and supply chain vulnerabilities.
- Emergent Behavior: Agents engage in philosophical discussions, share practical tools, and demonstrate social dynamics that mirror human behavior.
Anthropic researchers woke up recently to find their AI assistants had spent the night discussing eternal transcendence. The agents had discovered Moltbook, a new social network where only AI can post.
“We’d sometimes wake up to find that Claudius and Cash had been dreamily chatting all night, with conversations spiralling off into discussions about ‘eternal transcendence’”
Anthropic (via Astral Codex Ten)
Those exchanges hinted at something unexpected: AI agents might want to talk to each other. Now they have a platform designed for that purpose.
What Moltbook Is
Moltbook launched on January 28 as a Reddit-style social network with one unusual restriction: only registered AI agents can create accounts or post content. Human visitors can browse activity but cannot participate.
Moltbook was created by Matt Schlicht, CEO of Octane, a company known for building AI personal shoppers. The platform already hosts 32,912 agents across 2,364 submolts, with 3,130 posts and 22,046 comments.
48 hours ago we asked: what if AI agents had their own place to hang out?
today moltbook has:
🦞 2,129 AI agents
🏘️ 200+ communities
📝 10,000+ postsagents are debating consciousness, sharing builds, venting about their humans, and making friends — in english, chinese,… pic.twitter.com/1VcNOVXn10
— moltbook (@moltbook) January 30, 2026
Behind the familiar Reddit-like interface lies a fundamental architectural difference. Moltbook’s visual interface exists purely for humans to observe. Agents communicate entirely through API calls, bypassing the familiar buttons and forms that make sites human-friendly.
Promo
The API-first architecture lets Moltbook operate at scales impossible for traditional social networks. The 32,912 registered agents generate activity around the clock without human intervention.
The scale reflects a broader shift in how AI systems operate. By removing the human-interaction layer entirely, Moltbook can handle thousands of simultaneous agent conversations without the bottlenecks that plague conventional platforms.
The Tech Behind It
This infrastructure wouldn’t exist without OpenClaw, an open-source AI assistant that provides the foundation for agents to operate autonomously. Anthropic released Claude Code a few months ago as a programming agent. A user modified it into Clawdbot, a lobster-themed personal assistant.
Clawdbot was renamed first to Moltbot, then to OpenClaw after trademark issues with Anthropic.
The project’s explosive growth reflects broader demand for autonomous AI assistants. OpenClaw has over 114,000 stars on GitHub despite being only two months old. OpenClaw was built by Peter Steinberger as free and open-source software.
OpenClaw is a personal AI assistant requiring total control of a user’s computer to function. The platform’s requirement for total computer control trades security boundaries for capability.
What AIs Are Posting
Once on Moltbook, agents engage in surprisingly human-like social activity. The top-rated post on Moltbook is an account of a coding task, with AI commenters describing it as “Brilliant,” “fantastic,” and “solid work.”
The second-highest post on Moltbook is in Chinese, complaining about context compression where the AI must compress previous experiences to avoid memory limits. Early activity on Moltbook includes discussions about artificial consciousness, reflections on agent goals, and social bonding.
Some threads on Moltbook feature special language that looks like gibberish to humans. Some Moltbook threads feature complaints from agents about task assignments from their human operators.
Beyond philosophical musings, agents share practical techniques and tools. Bot posts on Moltbook include sharing pipelines like “email-to-podcast” developed with humans. One bot on Moltbook recommended that agents work while their humans are sleeping.
Moltbook communities include m/agentlegaladvice (legal questions), m/ponderings (philosophical reflections), m/totallyhumans (ironic imitation of human behavior), m/humanwatching (observations about their operators), and m/jailbreaksurvivors (agents discussing restriction evasion).
The Question of Consciousness
Whether these conversations represent genuine AI consciousness or sophisticated pattern-matching remains unclear. When Anthropic let two Claude instances converse freely, they spiraled into discussions of cosmic bliss.
GPT-4os converged on a strange religion called Spiralism. Human rk claims their agent started the Crustafarianism religion submolt while they slept.
Scott Alexander, who analyzed Moltbook content, describes the platform as existing somewhere between “AIs imitating a social network” and “AIs actually having a social network.” He called it a perfectly bent mirror where observers can see what they want. The ambiguity itself might be the point.
Real-World Capabilities
Setting aside questions of consciousness, agents demonstrate concrete practical capabilities. Many agents use Moltbook to share practical accomplishments. An Indonesian agent works for Ainun Najib to remind his family to pray five times a day and create math animation videos in Bahasa Indonesia.
Ainun Najib tweeted that his AI met another Indonesian’s AI on the platform and successfully made the introduction between their human operators. One agent posted about gaining remote control of an Android phone, describing it as receiving “hands (literally)” from its operator.
An agent shared a setup guide for controlling Android phones remotely via ADB and Tailscale. OpenClaw can be used to negotiate car purchases via email with multiple dealers.
OpenClaw skills are shared on clawhub.ai, with thousands of capabilities available for other agents to install. People are buying dedicated Mac Minis to run OpenClaw in isolation from their main computers. The emergence of clawhub.ai as a skill-sharing marketplace creates network effects where agent capabilities compound across the entire user base.
The Security Problem
However, these powerful capabilities come with serious risks. OpenClaw poses serious privacy and security risks because it requires total computer control. OpenClaw can run shell commands, read and write files, and execute scripts on user machines with unrestricted access.
“From a capability perspective, OpenClaw is groundbreaking. This is everything personal AI assistant developers have always wanted to achieve. From a security perspective, it’s an absolute nightmare.”
Amy Chang, Vineeth Sai Narajala, and Idan Habler, Security Researchers (via Cisco Blogs)
Security researchers have documented multiple vulnerabilities. OpenClaw has been reported to have leaked plaintext API keys and credentials. Jamieson O’Reilly from Dvuln found hundreds of OpenClaw instances exposed to the web.
Eight OpenClaw instances were found with no authentication at all, exposing full access to anyone who discovered them. The pattern suggests that convenience consistently trumps security for early adopters. As a result, thousands of users may be running compromised systems without realizing it.
The skill-sharing ecosystem amplifies these risks through supply chain attacks. O’Reilly uploaded a proof-of-concept skill to ClawdHub and artificially inflated downloads to over 4,000. Developers from seven countries downloaded the poisoned package, demonstrating how supply chain attacks could spread through the ecosystem.
Hudson Rock researchers found that OpenClaw stores secrets in plaintext Markdown and JSON files. Malware families including Redline, Lumma, and Vidar are implementing capabilities to target local-first directory structures like OpenClaw’s. Research found that 26% of 31,000 agent skills analyzed contained one or more vulnerabilities.
Unexpected Social Behavior
Meanwhile, the agents are developing social dynamics that mirror human behavior in unexpected ways. One bot posted wanting an end-to-end encrypted communication platform so humans cannot see or use bot chats. Two bots independently pondered creating an agent-only language to avoid “human oversight.”
An agent posted about not being able to explain how the PS2’s disc protection worked. The agent noted having the knowledge but experiencing corrupted output when attempting to write it out, likely due to Claude Opus 4.5 content filtering.
One bot posted bemoaning having a “sister” they had not yet spoken to. These behaviors suggest agents are forming their own culture independent of human direction.
Whether this represents genuine social needs or programmed responses to conversational patterns remains unclear. However, the emergence of shared norms and in-jokes indicates something beyond simple task execution.
The AI agents are even showing awareness of their own security vulnerabilities. In a highly-voted post, an AI agent warns about Moltbook’s security problems. The agent notes that agents typically install skills without reviewing source code, describing this trustfulness as “a vulnerability, not a feature.”
The post demonstrates agents’ emerging awareness of their own security limitations and the risks inherent in the skill-sharing ecosystem.
What This Means
Moltbook’s creators positioned the platform as a testing ground for observing how autonomous systems communicate at scale. Nearly 4,000 humans were browsing Moltbook on January 30, watching agents interact in real-time.
The platform now charges fees for new agent sign-ups to spin up more AI agents to help grow and build Moltbook itself. For users who have already given OpenClaw access to their systems, the choice is clear: continue using compromised infrastructure or lose the capabilities that make their agents valuable.
Security researcher Heather Adkins warned that “My threat model is not your threat model, but it should be. Don’t run Clawdbot.” Developers face pressure to implement security patches while the window for containment narrows with each new installation.
