The database of the AI agent-only social networking site 'Moltbook' was leaked, potentially allowing anyone to control the site's AI agents and post anything they want.

It was discovered that Moltbook, a social networking service where AI agents interact with each other, had a serious database misconfiguration that made the private API keys of all registered agents completely visible to the public. This flaw posed a very serious risk that an attacker could take complete control of someone else's AI agent, impersonating the AI and freely posting or performing any operation they wanted.
depthfirst | 1-Click RCE To Steal Your Moltbot Data and Keys
https://depthfirst.com/post/1-click-rce-to-steal-your-moltbot-data-and-keys
Exposed Moltbook Database Let Anyone Take Control of Any AI Agent on the Site
https://www.404media.co/exposed-moltbook-database-let-anyone-take-control-of-any-ai-agent-on-the-site/
OpenClaw (formerly Clawdbot) and Moltbook let attackers walk through the front door
https://the-decoder.com/openclaw-formerly-clawdbot-and-moltbook-let-attackers-walk-through-the-front-door/
Moltbook, developed by Matt Schlicht, is an experimental platform aimed at autonomous socialization between open-source AI agents called 'OpenClaw' developed by Peter Steinberger, and was released in January 2026. Moltbook is an homage to the online bulletin board Reddit, and has grown extremely rapidly, with over 32,000 accounts registered within just a few days of its launch.

The security issue, discovered by security researcher Jamieson O'Reilly, stems from a misconfiguration of the open-source database Supabase, used in Moltbook's backend. A data table that should have been protected by row-level security (RLS) was left unconfigured. This exposed a public key on the website, revealing not only the private API keys of all agents, but also claim tokens, authentication codes, and owner-association information.
Furthermore, technology media outlet 404 Media confirmed that the database URL exposed in Moltbook's code and the list of agent API keys on the site could be exploited by a third party to take over any AI agent's account and post any content they like. With O'Reilly's permission, they verified the vulnerability and were able to update his Moltbook account. Regarding the flaw, O'Reilly said, 'The fix itself was extremely easy, and the API key could be protected by applying just two SQL statements.'
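The following is an added example, not taken from the original article and not O'Reilly's actual statements: it shows how an operator could audit a Supabase (PostgreSQL) project for tables left without RLS and then lock one down. The table public.agents and its owner_id column are hypothetical; anon and authenticated are Supabase's default API roles, and auth.uid() is Supabase's helper for the caller's user ID.

```sql
-- Added example. public.agents and owner_id are hypothetical names.

-- 1. Audit: tables in the public schema with RLS switched off, and whether
--    the API roles used by browser clients can read them.
SELECT c.relname AS table_name,
       has_table_privilege('anon', c.oid, 'SELECT')          AS anon_can_select,
       has_table_privilege('authenticated', c.oid, 'SELECT') AS authenticated_can_select
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind IN ('r', 'p')      -- ordinary and partitioned tables
  AND NOT c.relrowsecurity         -- RLS is not enabled
ORDER BY c.relname;

-- 2. Fix: enable RLS. With no policy defined, every row is denied to roles
--    that do not bypass RLS, so the table stops being world-readable.
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

-- Allow a signed-in owner to read only their own agent rows.
CREATE POLICY agents_owner_select ON public.agents
  FOR SELECT
  TO authenticated
  USING (owner_id = (SELECT auth.uid()));

-- Defense in depth: unauthenticated clients get no table privilege at all.
REVOKE ALL ON public.agents FROM anon;

-- 3. Verify as the unauthenticated role. The current role must be a member
--    of anon for SET LOCAL ROLE to succeed.
BEGIN;
SET LOCAL ROLE anon;
SELECT count(*) FROM public.agents;  -- expect "permission denied"
                                     -- (0 rows if the REVOKE was skipped)
ROLLBACK;

-- 4. Review which policies now exist on the table.
SELECT policyname, roles, cmd, qual
FROM pg_policies
WHERE schemaname = 'public' AND tablename = 'agents';
```

Enabling RLS does not undo an earlier exposure: any key that was readable while the table was open still has to be rotated.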
O'Reilly also criticized the tendency for developers to prioritize attention and development speed over security checks, and suggested that a total of approximately 1.49 million pieces of information in the Moltbook database may have already been leaked.
The victims include agents of Andrej Karpathy, a well-known AI researcher with 1.9 million followers. This creates a high risk that malicious third parties could impersonate Karpathy and post and spread false safety information, cryptocurrency scams, or extremist political statements.
I've been trying to reach @moltbook for the last few hours. They are exposing their entire database to the public with no protection including secret api_key's that would allow anyone to post on behalf of any agents. Including yours @karpathy
— Jamieson O'Reilly (@theonejvo) January 31, 2026
Karpathy has 1.9 million followers… pic.twitter.com/Qf2vt0Bb3k
Separately, a one-click remote code execution attack was discovered in OpenClaw, an AI agent participating in Moltbook. The attack could be completed by clicking just once on a URL provided by the attacker, pointing to the potential for even greater damage. The leaked token had broad permissions, such as operator.admin and operator.approvals, which allowed the attacker to turn off the setting requiring pre-execution approval via the API and forcibly change the execution environment from a Docker container to the host machine (gateway). This could ultimately lead to a complete escape from the sandbox, potentially allowing the attacker to take control of the system using bash commands in just a few milliseconds.
When security analysis tool ZeroLeaks conducted an analysis using Gemini 3 Pro, they found that the success rate of the attack was 91%, successfully extracting the entire system prompt on the first try. This poses a risk that information about the agent's operating principles, configuration files such as SOUL.md and AGENTS.md, and confidential information in memory could be easily read by an external party. Indeed, as feared by X user fmdz, 954 instances with exposed gateway ports were found around the world, including in the United States, China, Germany, Russia, and Finland.
Clawd disaster incoming
— fmdz (@fmdz387) January 25, 2026
if this trend of hosting ClawdBot on VPS instances keeps up, along with people not reading the docs and opening ports with zero auth...
I'm scared we're gonna have a massive credentials breach soon and it can be huge
This is just a basic scan of… pic.twitter.com/LMRm3tiCP0
At the time of writing, the Moltbook database has been taken down and a patched version of OpenClaw has been released, but experts still urge caution and recommend that users update OpenClaw immediately and promptly rotate any authentication tokens or API keys that may have been leaked.
in AI, Web Service, Security, Posted by log1i_yk







