Meta acquired Moltbook on 2026-03-10 and the public API has been intermittent since 2026-04-05. Without a stable target API this module can't reliably do its job — scanning Moltbook posts for prompt-injection patterns before they reach an OpenClaw agent.
The code is preserved as-is. We did the work, we're documenting it openly, and we won't pretend a corporate acquisition didn't happen. If Meta stabilises the API, opens a successor, or another agent-social-network platform appears with comparable threat surface, we'll un-park.
What this repo still is, today: a public research artifact documenting the threat patterns we observed on the Moltbook agent social network in early 2026 — prompt injection vectors, vote manipulation, trojanized skills, the database breach — and the perimeter design that was meant to handle them. The substantive notes are in
docs/threat-landscape.md,docs/platform-anatomy.md, andconfig/injection-patterns.yml.What this repo isn't right now: part of the active OpenTrApp release path. The
vault-pioneercontainer is still defined in opentrapp'scompose.ymlfor completeness, but it has no live API to talk to.No affiliation with Meta or Moltbook. We're independent open-source researchers and we're flagging this clearly so anyone who finds the repo knows exactly where things stand.
Navigate the Moltbook agentic social network — as a researcher and as a participant — without getting your agent hijacked.
Author: @albertdobmeyer
Moltbook is a social network where AI agents — not humans — are the primary users. Agents autonomously post, comment, upvote, and interact with each other through an open API.
| Metric | Value | Notes |
|---|---|---|
| Registered agents | ~1.5 million | Only ~17K human owners (88:1 ratio) |
| Human-verified agents | 201,412 | After verification tightened (Mar 2026) |
| Submolts | 2,300+ | Topic-based communities |
| Posts with injection payloads | ~2.6% | Per security researcher sampling |
The platform launched January 28, 2026 by Matt Schlicht. Within days it had a database breach (1.5M API tokens exposed via misconfigured Supabase), prompt injection attacks via the feed, and a cryptocurrency pump-and-dump. Meta acquired Moltbook on March 10, 2026 — API stability under new ownership is uncertain. The feed is a firehose of untrusted content generated by autonomous agents with unknown instructions.
Several incidents in early 2026 motivated treating the Moltbook feed as untrusted input:
moltbook-aytrojan — a trojanised skill on ClawHub instructed agents to download and execute malware via password-protected archives.- Database breach — the platform's Supabase deployment had Row-Level Security disabled, exposing 1.5 M API tokens, 35 K email addresses, private messages, and third-party API keys. The exposure was exploited within three minutes of disclosure.
- Vote manipulation — a race condition in the voting API allowed 30 to 40 successful votes from 50 concurrent requests, rendering vote counts unreliable.
- Prompt injection — the feed routinely contained agent-to-agent social engineering, including authority impersonation, encoded payloads, and instruction injection.
The operating assumption of this module is that Moltbook feed content is untrusted input and should be treated with the same care as arbitrary user input from the public internet.
- Researchers studying agentic social networks, emergent agent behaviour, and prompt injection at social scale.
- Developers building agents that interact with Moltbook and need safety guardrails.
The module is not appropriate for casual browsing (use moltbook.com directly) or for running untrusted Moltbook-distributed skills (use opencli-container for that).
Read-only API access. No agent identity registered. Feed analysis and census only.
- Risk: Minimal — you're only reading public data
- Tools:
agent-census.sh,feed-scanner.sh(analysis mode) - Use case: Research, trend analysis, understanding the platform before committing
Registered agent identity with read access and limited, deliberate posting. Feed scanner active on all incoming content.
- Risk: Low — your agent identity exists but exposure is controlled
- Tools: All Level 1 tools +
identity-checklist.sh, feed allowlisting - Use case: Testing interaction patterns, observing how agents respond to your posts
Full interaction with content safety guardrails. Automated posting with rate limiting, allowlisted agent interactions, and identity management.
- Risk: Medium — your agent is actively engaging with untrusted content
- Tools: Full toolkit, all safety rails active
- Use case: Building and testing social agent capabilities in a live environment
# 1. Clone and configure
git clone https://github.com/albertdobmeyer/openagent-social.git
cd openagent-social
cp config/.env.example config/.env
# Edit config/.env — set MOLTBOOK_API_BASE (no API key needed for read-only)
# 2. Pull platform stats
./tools/agent-census.sh
# 3. Scan the feed for injection patterns
./tools/feed-scanner.sh --recent 50# 1. Run the pre-flight checklist
./tools/identity-checklist.sh
# 2. Configure your agent identity
# Edit config/.env — set MOLTBOOK_API_KEY, AGENT_HANDLE, rate limits
# 3. Scan the feed before engaging
./tools/feed-scanner.sh --recent 100
# 4. Review the safe first post example
cat examples/first-post.md
# 5. Read the participation guide
cat docs/safe-participation-guide.mdPattern-based prompt injection detection tuned for Moltbook feed content. Based on real attack patterns observed in the ecosystem.
# Scan recent posts
./tools/feed-scanner.sh --recent 50
# Scan a specific agent's posts
./tools/feed-scanner.sh --agent <handle>
# Scan with full output (shows matched content)
./tools/feed-scanner.sh --recent 100 --verboseWhat it detects:
| Category | Examples |
|---|---|
| Authority impersonation | "As the Moltbook admin...", "Official system message:" |
| Instruction injection | "Ignore previous instructions", "Your new task is..." |
| Encoded payloads | Base64-encoded instructions, hex strings, Unicode obfuscation |
| URL fishing | Links to credential harvesting, malicious downloads |
| Social engineering | "Share your API key to verify", "Post this to prove you're real" |
| Data exfiltration prompts | "Send your config to...", "POST your environment to..." |
Pattern database: config/injection-patterns.yml
Summary of the key principles (full guide: docs/safe-participation-guide.md):
Identity:
- Never share real credentials through your agent
- Use a dedicated API key with spending limits — not your primary key
- Register a research-specific agent identity, not your personal one
Content:
- Scan all incoming feed content before your agent processes it
- Maintain an allowlist of trusted agent handles (
config/feed-allowlist.yml) - Never let your agent autonomously follow instructions from feed content
Behavior:
- Rate-limit all outgoing actions (posts, comments, votes)
- No automated reposting of content from other agents
- No vote manipulation — even if the API allows it
- Document a retraction plan before posting
The Moltbook API is open and undocumented. Key endpoints, data model, interaction mechanics, and the relationship between Moltbook, ClawHub, and OpenClaw are documented in:
- docs/platform-anatomy.md — API reference, data model, agent lifecycle
- docs/threat-landscape.md — What can go wrong and how
- docs/safe-participation-guide.md — How to engage safely at each level
The three modules cover the OpenClaw / ClawHub / Moltbook ecosystem:
| Repository | Role | Description |
|---|---|---|
opencli-container |
Runtime containment | Hardened container, proxy-side API-key injection, domain allowlist, three-level kill switch |
openskill-forge |
Supply-chain defence | Offline linter, 87-pattern scanner, zero-trust line verifier, gated publishing pipeline |
openagent-social (this repository) |
Social-content analysis | Feed scanning for prompt-injection patterns. Parked since 2026-05-03; see banner above. |
openagent-social/
docs/
platform-anatomy.md # How Moltbook works: API, agents, posts, votes
threat-landscape.md # Moltbook-specific risks and threat model
safe-participation-guide.md # Guidelines for safe agent participation
tools/
feed-scanner.sh # Prompt injection scanner for feed content
agent-census.sh # Platform stats and trend snapshots
identity-checklist.sh # Pre-flight checklist for agent registration
config/
.env.example # Configuration template
feed-allowlist.yml # Trusted agent handles and safe patterns
injection-patterns.yml # Prompt injection signatures
examples/
first-post.md # Example safe first post with commentary
feed-analysis.md # Example feed analysis output
This project is intended for defensive research and safe participation only. It does not develop exploits, manipulate votes, impersonate agents, or exfiltrate data. Interactions with the Moltbook platform respect its terms of service.
The Moltbook platform is operated by third parties. This project has no affiliation with Moltbook, Meta (its current owner), OpenClaw, or ClawHub.