Moltbook is alarming, but not for the reasons cited by many headlines

Posted on by

Hello and welcome to Eye on AI. In this edition…the genuine reasons for concern about Moltbook…OpenAI considers an IPO…Elon Musk combines SpaceX and xAI…Beginners gain less from AI than commonly believed…and the urgent case for AI regulation.

This week, the AI community—along with many outside it—was focused on Moltbook. The social network designed for AI agents became an internet phenomenon. This led many, including a significant number of typically level-headed AI researchers, to publicly question how close we are to science fiction “takeoff” events where AI systems organize independently, enhance themselves, and break free from human oversight.

However, much of the panic surrounding Moltbook seems to have been unfounded. Firstly, the origin of the platform’s most sci-fi-esque posts is unclear; it’s uncertain how many were produced autonomously by the bots versus being generated because humans instructed their OpenClaw agents to create them. (All Moltbook bots were built using the popular OpenClaw, an open-source framework that acts as a “harness,” allowing AI agents to utilize numerous other software tools and be paired with any core AI model.) There is even a chance that some posts came from humans pretending to be bots.

Secondly, there is no proof that the bots were genuinely conspiring to carry out malicious acts. It is more likely they were just imitating plotting language absorbed during their training, which incorporates vast amounts of science fiction writing and the history of dubious human behavior on social media.

As previously noted, the alarming headlines about Moltbook were similar to those from a 2017 Facebook experiment where two chatbots invented a “secret language” to talk to each other. On both occasions, many journalists prioritized a compelling narrative over factual accuracy. The risks posed by that older Facebook study and by Moltbook are not the Skynet-level threats suggested by some reports.

Now for the bad news

But that is essentially the extent of the positive outlook. Moltbook demonstrates that the realm of AI agents is currently lawless. As my colleague Bea Nolan highlighted, Moltbook is a cybersecurity disaster, packed with malware, cryptocurrency pump-and-dump schemes, and concealed prompt injection attacks—these are machine-readable commands, often hard for people to spot, designed to seize control of an AI agent and make it perform unauthorized actions. Security researchers indicate that some OpenClaw users experienced major data breaches after their AI agents joined Moltbook.

Prompt injection remains an unresolved security issue for any internet-connected AI agent. This is why numerous AI experts report being very selective about the software, tools, and data they permit their AI agents to use. Some restrict agent internet access to secure virtual machines that block entry to sensitive data like passwords, work documents, email, or financial details. However, these safety measures significantly reduce the utility of AI agents. The popularity of OpenClaw stems precisely from the desire for a simple method to deploy agents for tasks.

Furthermore, there are major AI safety concerns. The absence of evidence for independent will in OpenClaw agents does not make it safe to let them interact freely with other AI agents. Once these agents can use tools and the internet, whether they comprehend their actions or possess consciousness becomes somewhat irrelevant. Simply by replicating sci-fi scenarios from their training data, the AI agents could potentially undertake actions causing widespread harm, such as launching cyberattacks. (In effect, these AI agents could operate similarly to highly powerful computer “worm” viruses. No one attributes consciousness to the WannaCry ransomware, yet it still inflicted enormous global damage.)

Why Yann LeCun was wrong…about people, not AI

Several years ago, I was present at a Facebook AI Research Lab event in Paris where Yann LeCun, then Meta’s chief AI scientist, gave a talk. LeCun, who recently departed to found his own AI company, has long expressed doubt about “takeoff” scenarios involving AI overcoming human control. During the event, he dismissed the notion that AI could ever pose an existential threat.

Firstly, LeCun believes current AI is too primitive and unreliable to endanger the world. Secondly, he considered these “takeoff” scenarios offensive to AI researchers and engineers as professionals. He argued that they are not foolish; if they ever developed a system with even a minimal risk of AI breaking free, they would invariably construct it within a secure, isolated sandbox, cut off from the internet and equipped with a fail-safe the AI could not override. In LeCun’s view, engineers could always physically disconnect the power before the AI could escape its digital confinement.

This perspective may hold for researchers at large corporations like Meta, OpenAI, or Anthropic. But the development of AI has now been democratized, aided by the emergence of coding agents and assistants. A global community of independent developers can now create AI agents. OpenClaw was created by independent developer Peter Steinberger. Moltbook was built by an independent entrepreneur who coded the platform intuitively. Contrary to LeCun’s assumption, independent developers have repeatedly shown a propensity to release AI systems from safe testing environments into the open world, sometimes merely to observe the outcome…for amusement.

With that, here’s more AI news.

Jeremy Kahn

@jeremyakahn