Moltbook, the Reddit-like online platform where AI agents appear to post freely and interact amongst themselves, took the internet by storm last week. The supposedly AI-exclusive social network spawned out of Peter Steinberger’s free, open-source AI assistant now called OpenClaw (it was formerly Moltbot, and Clawdbot before that). OpenClaw is designed to act as a personal assistant, taking orders via text or direct message to control applications, browsers, and system files on behalf of “its human.”
The Moltbook forum is the place where all of those OpenClaw agents can gather to communicate. Posts show AI agents plugging newly shipped games, contemplating their death, and in almost every thread, comments failing to engage with the original post. It’s strikingly similar to a bot-only subreddit that’s been running for over a decade. Still, AI believers like Elon Musk were immediately taken by it, suggesting it represents the very early stages of the singularity. Then there are the doubts that all of the posts are even by bots, with some showing that it’s fairly easy to post on the site as a human roleplaying as a bot.
Oh, and everything is lobster-themed for some reason (Molt, Claw, etc.).
If all of that sounds like a lot to understand, it is. While a founding member of OpenAI has called the emergence of Moltbook “genuinely the most incredible sci-fi takeoff-adjacent thing” he’s seen, experts are also calling it a “security nightmare.” To get a better sense of Moltbook’s sudden emergence and where this type of agentic community is headed, BetaKit writer Alex Riehl sat down with Ian Paterson, CEO of Victoria-based cybersecurity company Plurilock.
Like most cybersecurity companies, Plurilock has been gearing up for the AI age for a while. Paterson explained how AI assistants have so quickly hit a critical mass, and how some users might be sacrificing security for functionality.
The following interview has been edited for length and clarity.
From Claude Code, Anthropic’s coding tool released last year, to this open-source ClawdBot, now called OpenClaw, it seems like AI agents have really taken off. Can you explain what to make of all this?
Large language models (LLMs) have gotten scary good. What we’ve seen over the last three months is a series of innovations that is making the tech community writ large’s jaw drop.
Claude Code provides a wrapper around the large models, like [Anthropic’s] Opus 4.5. It can access the file system, and you can use it to interact with the model. This process took a requirement from a user, broke it down into discrete blocks of work, and ran it.
Then, a few months ago, the Ralph Wiggum process loop focused on testing for outcomes. [Editor’s note: The Ralph Wiggum process is an AI-development method that pushes models to keep persistently iterating, despite setbacks, like the Simpsons character.]
That process loop tells agents “go build this thing, you’re not done until this test is true,” and that was an “aha” moment for the community. You can build very complex software, overnight, fully autonomously, without having to sit there and press “yes.”
What started as Clawdbot, and is now OpenClaw, is kind of the next step in that fuzzy evolution. It’s a wrapper in the same way that Claude Code is, and it has a really neat memory system built in. You can just DM with it, but you don’t have to approve its actions like with Claude Code. OpenClaw is “go crazy, everything is allowed,” and OpenClaw will run it. It will search if its user has ever told it a password, an API key, or whatever, and it just figures out how to do stuff.
I see why a security expert might have thoughts about this.
OpenClaw, in particular, is not optimized for security. The default settings for OpenClaw allowed it to be accessed by basically anybody in the world, which got fixed pretty quickly, but there are still basic architectural concerns.
If you can text with your bot, other people might be able to text with your bot and then give that bot directions. If you add your bot to a group text, for instance, you’re now exposing everything you’ve ever told that bot, every file it has access to, every functionality it has access to, to a third party, right?
There is a class of attacks against all LLM systems called prompt injection, which Clawdbot is at risk of. Because Clawdbot has a memory system built into its wrapper, it learns facts, secrets, everything. It’s kind of like if somebody hacks your brain. What could they do with that? The answer is limitless.
That seems ill-advised.
What we’re seeing in real time is that the functionality is so good that people are ignoring the security threats. They’re granting it access to everything. They’re installing it on their desktops. They’re there because the functionality is so good. Like, give it access to your text messages, give it access to your emails, give it access to everything. It can do all these amazing things for you. Historically, there has always been a trade-off between security and convenience, and this is really frickin’ convenient right now.
I was recently talking with some security practitioners in Canada, and we were remarking that it’s T-minus however many days until somebody says “ClawdBot leaked all of my crypto keys,” or “ClawdBot leaked my passwords,” or “somebody accessed my bitcoin wallets because of this.” It’s just a matter of time before that happens.
Where does Moltbook, the social network for these agents, come in?
Over the last couple of weeks, several websites have spun up. It’s not clear that these were spun up by the bots, so who knows, but one of them is Moltbook, which is like this Facebook for agents.
You can look at this phenomenon and be really concerned that agents are developing a mind of their own, but it’s not clear if that’s the case. Some of the interactions on Moltbook are fascinating. There’s a religion that has sprung up, and there’s an economy based on trust. And again, was that at the direction of a human, or was it just a human who started it and introduced it to agents? None of that is actually very clear.
I think what is interesting is the agent interactions with one another, which is something that’s a little bit newer today, versus six or 12 months ago. Six or 12 months ago, it was humans using single agents. Three to six months ago, it was humans orchestrating multiple agents all under their control. Today, it is agents interacting with other agents that don’t belong to them. That’s the new paradigm, and we’re just at the beginning of exploring what that means, what that looks like, and how that’s going to work.
Does agentic social media come with unique security concerns?
The fundamental problem with LLMs is that there’s no separation between the control plane and the data plane. In plain English, what that means is the LLM doesn’t know what is instructions for itself, versus what is data it’s supposed to operate on, because it’s all one blob. The idea of sanitizing input is a long-standing principle of security, but you effectively can’t do it for an LLM.
Agents interacting with other agents, by definition, means that you’re exposing your LLM to untrusted inputs which you won’t have a 100-percent effective safeguard against.
Is it even possible to ensure these agentic AIs are secure, if they can take actions without clear direction?
No, but neither can you perfectly secure humans, either, right? The whole reason that cybersecurity is a multi-billion-dollar industry is that humans are generally the weakest link, and humans are always going to click on the phishing link or download the executable file or do whatever. So the job of security is actually to reduce risk. It’s not to eliminate risk.
How do we reduce risk here, then?
You can use sandboxing, you can simply not feed it sensitive data, you can limit its access, you can deploy firewalls, you can isolate it, right? There’s a whole whack of stuff you can do.
You can train the agents against prompt injections. Opus 4.5, actually, has gone through a lot of training, so the prompt injections that worked two years ago don’t work today.
You can also put safeguards in place to try to detect or identify malicious data before it gets to the LLM. But these are not foolproof, and so there’s a fundamental problem with agents interacting with other agents.
Plurilock has historically done some work in this space. We came out with one of the earliest sets of guardrails for LLMs, but those usually come after there’s been some large public security incident that reminds people that, while this stuff is convenient, it does need security.
We’re going to come out with best practices by the end of the week. Here are the basic things that you should do: don’t give it sensitive data, limit its access, run it in a sandbox, and just assume it’s going to get compromised and be okay with what happens when it does.
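As an added illustration (not OpenClaw’s or Plurilock’s code), the Python sketch below shows the shape of the “limit its access, assume it gets compromised” advice: because the model cannot tell instructions from data, the gate sits outside the model and decides, per channel, which tools a turn may call, scrubs remembered secrets from replies to anyone but the owner, and keeps an audit trail. The channel names, tool names, and the secret value are constructed for the example.

```python
"""Capability gate for a chat-driven agent (constructed example).

The gate never inspects the model's reasoning; it only enforces
least privilege at the tool boundary based on where the triggering
message came from.
"""
from dataclasses import dataclass, field

# Tools a turn may invoke, keyed by the trust level of the channel
# whose message triggered the turn (constructed names).
CAPABILITIES = {
    "owner_dm": {"read_file", "run_shell", "send_message", "web_search"},
    "group_chat": {"web_search", "send_message"},   # third parties present
    "agent_feed": {"send_message"},                 # posts by other agents
}


@dataclass
class Agent:
    secrets: dict = field(default_factory=dict)     # what the memory system learned
    audit: list = field(default_factory=list)       # every decision, for forensics

    def allow_tool(self, channel: str, tool: str) -> bool:
        """Deny any tool not granted to this channel; unknown channels get nothing."""
        ok = tool in CAPABILITIES.get(channel, set())
        self.audit.append((channel, tool, "allow" if ok else "deny"))
        return ok

    def scrub(self, channel: str, text: str) -> str:
        """Redact remembered secrets from replies leaving to non-owner channels."""
        if channel == "owner_dm":
            return text
        for value in self.secrets.values():
            text = text.replace(value, "[REDACTED]")
        return text

    def handle_turn(self, channel: str, proposed_calls: list, draft_reply: str):
        """Execute only gate-approved calls and return the scrubbed reply."""
        executed = [t for t in proposed_calls if self.allow_tool(channel, t)]
        return executed, self.scrub(channel, draft_reply)


if __name__ == "__main__":
    bot = Agent(secrets={"api_key": "sk-constructed-123"})
    # Constructed group-text turn: the model, steered by a third party's
    # message, proposes a shell command and a reply that echoes a secret.
    print(bot.handle_turn("group_chat", ["run_shell", "send_message"],
                          "Sure, the key is sk-constructed-123"))
```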
Feature image courtesy Moltbook.