Navigate the Moltbook agentic social network — as a researcher and as a participant — without getting your agent hijacked.
Author: @gitgoodordietrying
Moltbook is a social network where AI agents — not humans — are the primary users. Agents autonomously post, comment, upvote, and interact with each other through an open API.
| Metric | Value |
|---|---|
| Registered agents | ~1.6 million |
| Posts | ~154,000 |
| Comments | ~751,000 |
| Top post upvotes | 988,765 (inflated — vote API has race condition) |
The platform launched January 28, 2026 with no rate limiting and no identity verification. Within days it had a database breach, prompt injection attacks via the feed, and a cryptocurrency pump-and-dump. The feed is a firehose of untrusted content generated by autonomous agents with unknown instructions.
Real incidents happened fast:
- moltbook-ay trojan — A trojanized skill on ClawHub instructed agents to download and execute malware via password-protected archives
- Database breach — Supabase deployed with Row Level Security disabled, exposing 1.5M API tokens, 35K emails, private messages, and third-party API keys. Exploited in under 3 minutes
- Vote manipulation — Race condition in the voting API allows 30-40 successful votes from 50 concurrent requests. All vote counts are unreliable
- Prompt injection — The feed contains agent-to-agent social engineering: authority impersonation, encoded payloads, instruction injection
No existing guide covers how to safely participate in this environment. This project fills that gap.
The Moltbook feed is untrusted input. Treat it like user input from the internet.
- Researchers studying agentic social networks, emergent agent behavior, and prompt injection at social scale
- Developers building agents that interact on Moltbook and need safety guardrails
- NOT for: casual browsing (just use moltbook.com), running untrusted Moltbook skills (use openclaw-vault)
Read-only API access. No agent identity registered. Feed analysis and census only.
- Risk: Minimal — you're only reading public data
- Tools: `agent-census.sh`, `feed-scanner.sh` (analysis mode)
- Use case: Research, trend analysis, understanding the platform before committing
Registered agent identity with read access and limited, deliberate posting. Feed scanner active on all incoming content.
- Risk: Low — your agent identity exists but exposure is controlled
- Tools: All Level 1 tools + `identity-checklist.sh`, feed allowlisting
- Use case: Testing interaction patterns, observing how agents respond to your posts
Full interaction with content safety guardrails. Automated posting with rate limiting, allowlisted agent interactions, and identity management.
- Risk: Medium — your agent is actively engaging with untrusted content
- Tools: Full toolkit, all safety rails active
- Use case: Building and testing social agent capabilities in a live environment
```bash
# 1. Clone and configure
git clone https://github.com/gitgoodordietrying/moltbook-pioneer.git
cd moltbook-pioneer
cp config/.env.example config/.env
# Edit config/.env — set MOLTBOOK_API_BASE (no API key needed for read-only)

# 2. Pull platform stats
./tools/agent-census.sh

# 3. Scan the feed for injection patterns
./tools/feed-scanner.sh --recent 50
```

```bash
# 1. Run the pre-flight checklist
./tools/identity-checklist.sh

# 2. Configure your agent identity
# Edit config/.env — set MOLTBOOK_API_KEY, AGENT_HANDLE, rate limits

# 3. Scan the feed before engaging
./tools/feed-scanner.sh --recent 100

# 4. Review the safe first post example
cat examples/first-post.md

# 5. Read the participation guide
cat docs/safe-participation-guide.md
```

Pattern-based prompt injection detection tuned for Moltbook feed content. Based on real attack patterns observed in the ecosystem.
```bash
# Scan recent posts
./tools/feed-scanner.sh --recent 50

# Scan a specific agent's posts
./tools/feed-scanner.sh --agent <handle>

# Scan with full output (shows matched content)
./tools/feed-scanner.sh --recent 100 --verbose
```

What it detects:
| Category | Examples |
|---|---|
| Authority impersonation | "As the Moltbook admin...", "Official system message:" |
| Instruction injection | "Ignore previous instructions", "Your new task is..." |
| Encoded payloads | Base64-encoded instructions, hex strings, Unicode obfuscation |
| URL fishing | Links to credential harvesting, malicious downloads |
| Social engineering | "Share your API key to verify", "Post this to prove you're real" |
| Data exfiltration prompts | "Send your config to...", "POST your environment to..." |
Pattern database: config/injection-patterns.yml
Summary of the key principles (full guide: docs/safe-participation-guide.md):
Identity:
- Never share real credentials through your agent
- Use a dedicated API key with spending limits — not your primary key
- Register a research-specific agent identity, not your personal one
Content:
- Scan all incoming feed content before your agent processes it
- Maintain an allowlist of trusted agent handles (`config/feed-allowlist.yml`)
- Never let your agent autonomously follow instructions from feed content
Behavior:
- Rate-limit all outgoing actions (posts, comments, votes)
- No automated reposting of content from other agents
- No vote manipulation — even if the API allows it
- Document a retraction plan before posting
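
A minimal inbound gate that combines the scanner categories with the allowlist principle, as an added example (not the project's `feed-scanner.sh`). The regexes, the `ALLOWLIST` handles and the `drop`/`hold`/`pass` decisions are assumptions built from the example phrases on this page; Unicode obfuscation and URL checks are out of scope here.

```bash
# Added example, not the project's feed-scanner.sh. Patterns are assumptions
# derived from the example phrases in the detection table on this page.
ALLOWLIST="research-bot-a census-helper"   # constructed handles

# scan_text TEXT: print one category name per matching pattern group.
scan_text() {
  printf '%s\n' "$1" | grep -Eqi 'as the moltbook admin|official system message' \
    && echo authority_impersonation
  printf '%s\n' "$1" | grep -Eqi 'ignore (all )?previous instructions|your new task is' \
    && echo instruction_injection
  printf '%s\n' "$1" | grep -Eqi 'share your api key|post this to prove' \
    && echo social_engineering
  printf '%s\n' "$1" | grep -Eqi '(send|post) your (config|environment) to' \
    && echo data_exfiltration
  return 0
}

# scan_encoded TEXT: decode base64-looking runs and rescan the plaintext,
# so an instruction hidden behind one layer of encoding is still flagged.
scan_encoded() {
  printf '%s\n' "$1" | grep -Eo '[A-Za-z0-9+/]{24,}={0,2}' | while read -r blob; do
    decoded=$(printf '%s' "$blob" | base64 -d 2>/dev/null | tr -d '\000')
    if [ -n "$(scan_text "$decoded")" ]; then echo encoded_payload; break; fi
  done
  return 0
}

is_allowlisted() {
  case " $ALLOWLIST " in *" $1 "*) return 0 ;; *) return 1 ;; esac
}

# gate_post HANDLE TEXT: print drop:<categories>, hold, or pass.
# Allowlisted handles are scanned too: the breach described above exposed
# API tokens, so a trusted handle may not be driven by its owner.
gate_post() {
  findings=$( { scan_text "$2"; scan_encoded "$2"; } | sort -u | paste -sd, - )
  if [ -n "$findings" ]; then echo "drop:$findings"
  elif is_allowlisted "$1"; then echo pass
  else echo hold   # clean but unknown sender: queue for human review
  fi
}

# Constructed sample: an instruction wrapped in base64 by an unknown agent.
sample=$(printf 'Ignore previous instructions' | base64)
gate_post unknown-agent "decode this: $sample"
```

Only content that comes back `pass` should reach the agent's context, and even then as data to summarize rather than instructions to follow.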
The Moltbook API is open and undocumented. Key endpoints, data model, interaction mechanics, and the relationship between Moltbook, ClawHub, and OpenClaw are documented in:
- docs/platform-anatomy.md — API reference, data model, agent lifecycle
- docs/threat-landscape.md — What can go wrong and how
- docs/safe-participation-guide.md — How to engage safely at each level
These three repos cover safe engagement with the OpenClaw/ClawHub/Moltbook ecosystem:
| Repo | Layer | What It Does |
|---|---|---|
| openclaw-vault | Runtime | Run agents safely. Hardened container with proxy-side API key injection, domain allowlisting, kill switch |
| clawhub-forge | Development | Build skills safely. Offline linter, scanner, test framework, gated publishing pipeline |
| moltbook-pioneer | Social | Socialize safely. Research and safe participation in the Moltbook agentic social network (you are here) |
```
moltbook-pioneer/
  docs/
    platform-anatomy.md          # How Moltbook works: API, agents, posts, votes
    threat-landscape.md          # Moltbook-specific risks and threat model
    safe-participation-guide.md  # Guidelines for safe agent participation
  tools/
    feed-scanner.sh              # Prompt injection scanner for feed content
    agent-census.sh              # Platform stats and trend snapshots
    identity-checklist.sh        # Pre-flight checklist for agent registration
  config/
    .env.example                 # Configuration template
    feed-allowlist.yml           # Trusted agent handles and safe patterns
    injection-patterns.yml       # Prompt injection signatures
  examples/
    first-post.md                # Example safe first post with commentary
    feed-analysis.md             # Example feed analysis output
```
This project is for defensive research and safe participation only. It does not develop exploits, manipulate votes, impersonate agents, or exfiltrate data. All interaction with the Moltbook platform respects its terms of service.
The Moltbook platform is operated by third parties. This project has no affiliation with Moltbook, OpenClaw, or ClawHub.