
Don’t give Moltbook and OpenClaw unfettered access to your systems, warn experts

“I do not think any enterprises or any individuals should be spinning it up in a serious way and giving it real access, flat out,” HackerOne expert says.


Eoin Higgins is a reporter for IT Brew whose work focuses on the AI sector and IT operations and strategy.

Everyone loves Moltbook, the AI social media site where chatbots talk to each other! *5 seconds later* We regret to inform you the site is a cybersecurity nightmare.

Moltbook has received a lot of attention in the last few days, with screenshots from agentic interactions on the site spreading across social and news media. But the hype may mask a deeper issue with the software.

Javed Hasan, CEO of software supply-chain security company Lineaje, told IT Brew that the use of Moltbook, and OpenClaw, the open-source AI assistant powering it, can open the door to real danger.

“Attackers are taking advantage of this unrestricted assembly of development tools that are then deployed as agents with significant access to enterprises,” Hasan said. “And because developers also have significant access to enterprise assets, including the code, the associated keys, we are seeing those being used more and more and we expect that will continue.”

Look out. Hasan’s colleague Abhishek Verma, head of AI threat labs at Lineaje, explained that the software presents significant cybersecurity challenges. Chief among them: by opening their systems to OpenClaw, developers and other Moltbook users are potentially setting themselves up to be taken advantage of by threat actors.

OpenClaw’s default configuration gives unfettered access to your system. Allow the agent to access your email, and you are handing over an unprecedented amount of control to open-source software.

“Once you have done that, and you have not configured the security parameters right, then you can also enable access from external points—which can lead to unintended or even unknown data exposure on your behalf,” Verma said.

Top insights for IT pros

From cybersecurity and big data to cloud computing, IT Brew covers the latest trends shaping business tech in our 4x weekly newsletter, virtual events with industry experts, and digital guides.

Open doors. The scope and breadth of OpenClaw’s capabilities are quite wide. The agent is able to automate tasks by running directly on your operating system and applications. Without clear guardrails in place to protect your information—it’s open source, and the terms of service note that the software is provided as-is and without any warranty—simply using it at all is a risk, said Dane Sherrets, HackerOne staff innovations architect.

“I do not think any enterprises or any individuals should be spinning it up in a serious way and giving it real access, flat out,” Sherrets said.

Granting an agent the permissions needed to automate processes intimately tied to one’s day-to-day presents a threat surface that could expose most or all of your information, Sherrets said. But if you absolutely must use the software, he advised that you utilize VPS hardening and lock down where the agent can operate, restricting its movements within your system.

Protection time. The least privileges possible, Sherrets said, the better—keeping command executions in a sandbox rather than at large, for example, or restricting the agent to reading, and not composing, emails.
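The least-privilege controls Sherrets describes (email scoped to reading only, command execution confined to a sandbox, a locked-down area the agent may operate in), as an added Python example that is not from the article and not OpenClaw’s own configuration; the policy fields, tool names and sandbox path are hypothetical, and every call not explicitly granted is denied:

```python
import os
import shlex
from dataclasses import dataclass, field

# Constructed least-privilege policy for an agent's tool calls. Field names and
# tool names are hypothetical; this is not OpenClaw's configuration format.
@dataclass
class AgentPolicy:
    email_scopes: set = field(default_factory=lambda: {"read"})      # read, never compose
    allowed_commands: set = field(default_factory=lambda: {"ls", "cat", "grep"})
    sandbox_root: str = "/srv/agent-sandbox"                         # only place it may operate
    allow_network: bool = False

SHELL_META = set(";&|<>`$(){}")   # chaining, redirection and substitution are refused

def _inside(root: str, path: str) -> bool:
    """True if the normalised path is root itself or lies beneath it (no prefix tricks)."""
    p = os.path.normpath(path)
    return p == root or p.startswith(root + os.sep)

def check_tool_call(policy: AgentPolicy, tool: str, args: dict) -> tuple[bool, str]:
    """Decide a proposed tool call; anything not explicitly granted is denied."""
    if tool == "email":
        action = args.get("action", "")
        if action in policy.email_scopes:
            return True, f"email.{action} permitted"
        return False, f"email.{action} outside granted scopes {sorted(policy.email_scopes)}"
    if tool == "shell":
        try:
            argv = shlex.split(args.get("cmd", ""))
        except ValueError:
            return False, "unparseable command"
        if not argv:
            return False, "empty command"
        if any(SHELL_META & set(tok) for tok in argv):
            return False, "shell metacharacters rejected"
        if argv[0] not in policy.allowed_commands:
            return False, f"command {argv[0]!r} not allowlisted"
        cwd = args.get("cwd", policy.sandbox_root)
        if not _inside(policy.sandbox_root, cwd):
            return False, f"cwd {cwd!r} escapes sandbox"
        for tok in argv[1:]:   # path-like arguments must resolve inside the sandbox
            if tok.startswith(("/", ".")) or "/" in tok:
                if not _inside(policy.sandbox_root, os.path.join(cwd, tok)):
                    return False, f"path argument {tok!r} escapes sandbox"
        return True, f"{argv[0]} permitted inside {policy.sandbox_root}"
    if tool == "network":
        return (True, "network permitted") if policy.allow_network else (False, "network not granted")
    return False, f"unknown tool {tool!r} denied by default"
```

Each decision string is suitable for an audit log, so denied calls can be reviewed as a signal of manipulation attempts.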

“I would also try to implement, to the best extent possible, prompt injection safeguards,” Sherrets said, noting that what dangers look like in this context can vary—on Moltbook, there are already a number of bots on the prowl to manipulate other agents for crypto scams and similar attacks.
