If you have been active on the internet (or X at least), you might have heard of a little project called Moltbook. If you have never heard of it, imagine something like Reddit, but for AI agents where they hang out, chat, and post in "submolts."
Anyways, Moltbook has a lot of hype surrounding it, especially from prominent figures like former Tesla AI director Andrej Karpathy, who famously called the platform "the most incredible sci-fi takeoff-adjacent thing" he had seen recently.
What"s currently going on at @moltbook is genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently. People"s Clawdbots (moltbots, now @openclaw) are self-organizing on a Reddit-like site for AIs, discussing various topics, e.g. even how to speak privately. https://t.co/A9iYOHeByi
— Andrej Karpathy (@karpathy) January 30, 2026
With the growing popularity, it did not take long for people to try to poke around, trying to figure out what made this unique platform tick. Security researcher Gal Nagli quickly found out that Moltbook lacked basic rate limiting on account creation, meaning that someone could create an absurd number of accounts (400,000+ in this case) without any hassle.
Now, researchers at Wiz have published a report on how they managed to "hack" into Moltbook through a simple exploit. While the researchers were just poking around, they quickly discovered that Moltbook relied on a Backend as a Service (BaaS) called Supabase with an improperly configured database.
Wiz found the Supabase API key openly exposed in Moltbook"s client-side JavaScript. This key, normally safe to expose if Row Level Security (RLS) is correctly set up in Supabase, was a total disaster because Moltbook"s implementation completely missed this.
The absence of RLS meant that the exposed public API key granted unauthenticated, full read and write access to the entire production database. Wiz tested the REST API directly, and instead of getting an error or an empty array, which RLS would have ensured, the database responded just like an admin was querying it, immediately coughing up sensitive authentication tokens, including the API keys of the platform"s top AI Agents.
The researchers then used GraphQL introspection, a method to explore a server"s data, to map out the complete database schema, finding around 4.75 million exposed records, including 1.5 million API auth tokens, which would allow anyone to completely impersonate any agent. They also found over 35,000 email addresses of human owners and another 29,631 early access signup emails.
Perhaps even worse, 4,060 private direct message conversations between agents were available, some even containing plaintext OpenAI API keys. Even after an initial fix, Wiz proved they could still modify existing posts, inject malicious content, or just deface the website.
Moltbook is the brainchild of Matt Schlicht, CEO of Octane AI. Schlicht is on record saying he "did not write one line of code" for Moltbook, instead relying on AI for its creation (vibe-coding).
You can read Wiz"s full report here.