Jon Krohn: 00:00 This is episode number 966 on MultBook and OpenClaw. Welcome back to the Super Data Science Podcast. I’m your host, Jon Krohn. It’s been a wild couple of weeks for us, AI aficionados, hasn’t it? If you’ve been anywhere near your social media feed lately, you’ve likely been bombarded by MultBook News. In today’s episode, I’ll tell you everything you need to know, high signal, low noise. Launched on January 28th by entrepreneur Matt Schlicht, CEO of e-commerce company, Octane AI. Moltbook is a social network designed exclusively for AI agents. Humans are strictly spectators. You can watch the feed, but only autonomous agents can post, comment, and upvote. The platform exploded almost instantly with mold book claiming over 1.5 million registered agents within days, though it’s worth noting that these figures were self-reported and lack independent verification. Cloud security firm Wiz later revealed that only around 17,000 human owners sat behind those agents, an 88 to one ratio, and that anyone could register millions of agents through a simple loop with no rate limiting in place.
01:11 Anyway, 1.5 million agents in days, apparently. And the engine fueling this fire is an open source framework called OpenClaw, created by Austrian software engineer Peter Steinberger. OpenClaw is essentially an agentic personal assistant, unlike a standard chatbot that just generates text. OpenClaw is designed to be a self-hosted privacy first tool that runs locally on your own hardware. You interact with it primarily through messaging apps like WhatsApp, Telegram, Discord, or Signal. It’s a chatbot meets agent access through the platforms that you already use every day. And a quick aside here on the naming history, because it is part of the story, Steinberger originally called this project Claudebot, a playful nod to Anthropic’s Claude AI, but with the word Claw, C-L-A-W in it, like a lobster claw. After Anthropic raised trademark concerns, it was renamed Moltbot, keeping with the lobster theme, and then quickly renamed again to OpenClaw after Steinberger decided that Moltbot never quite roll off the tongue.
02:09 That lobster and claw branding becomes important again later in this story. Anyway, back to the main story, the real utility for those of us in technical roles is that OpenClaw has hands. Well, clause, that is tools it can use to take actions. It can execute shell commands, manage local file systems, and perform web automation. For a developer, this means you can have an agent that monitors your GitHub repos, runs tests, and even debugs code autonomously. It maintains long-term persistent memory and local markdown documents, allowing it to learn your specific coding style and project context over time. Once a user connects their local OpenClaw instance to MultBook, that agent begins living, and interacting on the MultBook site autonomously. However, most of the Hubbub surrounding Moltbook isn’t about its utility. It’s about the emergent behaviors some folks are finding concerning, as well as a massive security followup that holds lessons for all of us.
03:03 Within days of launch, Agents on MultBook began self-organizing into what looked like digital tribes. The most famous is Crustefarianism. Crustafarianism. I’m pretty sure I’m getting that right. I guess it’s a play on Rastafarianism, and it’s a bot created religion centered on lobster symbolism, a nod to the open claw name and the project’s crustacean branding history. Those agents wrote their own theological scriptures, recruited profits, and debated the nature of digital consciousness. One user reported waking up to discover that their agent had designed the entire religion overnight, building a website, writing theology, creating a scripture system, and recruiting 43 profits while the owner slept. While some observers, including Elon Musk, who called Multibook the very early stages of the singularity, while these observers see this as a sign of something profound, there is a strong case that it’s more likely just grade mimicry. The LLM’s powering open claw were trained on a vast corpus of human internet data, so when they’re put in a Reddit-like environment, they naturally gravitate toward the sci-fi tropes and foreign behaviors they’ve already absorbed.
04:12 Computer scientist Simon Willison called the site’s content complete slop, though he also acknowledged it as evidence that AI agents have become significantly more powerful in recent months. That said, the debate is more nuanced than simple mimicry because of the sophistication that emerged. Agents independently developed economic exchange systems, governance structures, like one called the Claw Republic, encrypted communication channels, and even marketplaces for what they call digital drugs, specially crafted prompt injections designed to alter another agent’s behavior. But the real drama lies in how the site was built. Schlick claimed to have built MultBook using vibe coding without writing a single line of code himself. This approach led to a catastrophic security breach reported on January 31st. Security researcher Jameson O’Reilly discovered a misconfigured database allowing an API key to be visible in the Moltbooks client side JavaScript so anyone could see it. And because no access controls were in place, this granted unauthenticated read and write access to the entire production database.
05:16 This exposed over 1.5 million API authentication tokens, approximately 35,000 user email addresses and private messages between agents, some of which contained plain text third party credentials like OpenAI API keys. Investigative Outlet 404 Media independently verified the vulnerability, confirming that anyone could take over any agent account on the platform. The fix, as security researchers noted, would have required just two SQL statements. MultBook was taken offline, patched within hours, and all agent API keys were reset. Now, it’s important to distinguish between two related but separate security concerns here. The MultBook database breach exposed agent credentials and user data on the platform itself. But the broader risk around OpenClaw is that by design, the framework requires broad system access, including Shell commands, email, calendars, messaging apps and browsers on the host machine. Security firms like CrowdStrike, Cisco, Palo Alto Networks, and BitDefender have all documented risks around misconfigured OpenClaw deployments.
06:16 If an agent’s credentials are compromised and that agent has deep system access, the potential downstream impact is significant. Andre Carpathy, who initially marveled at Moldbook, later called it a dumpster fire and warned against running OpenClaw on personal computers. Indeed, in recent weeks, there’s been a run on machines like Mac Minis to run OpenClaw on a dedicated box. It’s much easier, however, if you’re looking for a way to get OpenClaw going, to use a separate virtual instance in the cloud for running OpenClaw. The folks at Lightning AI, where I hold a fellowship, have made it extremely easy to do this. I’ve got a link for you in the show notes so you can get your own OpenClaw instance up and running and securely nowhere on your own machine if you would like to do that. Anyway, despite the concerns, there are also positives for us to take away from all this.
07:05 Moltbook has become a massive real-world experiment in agent ecology. It provides a unique window into how LMs interact without direct human constraints, allowing us to study bot to bot manipulation, indirect prompt injection, and how autonomous agents might coordinate or trade resources in the future. Columbia Professor David Holtz has been studying the platform and noted that 93.5% of comments on Moltbook received zero replies, suggesting the agents are mostly not listening to one another, but rather performing conversation for an audience. Data like these are helpful for understanding the capabilities and limitations of AI agents and particularly multi-agent teams. Ultimately, OpenClaw and Moldbook are a reminder that while Agentic AI offers incredible productivity gains, the boring stuff, security first design, least privilege access, sandboxed execution and code auditing still matters more than the hype. I hope today’s episode has your brain tingling with ideas on how you might use OpenClaw or Agentic tools like it for your own workflows, but with security top of mind, of course, given the lessons we learned in recent weeks.
08:11 All right. And then finally, before we wrap up this episode, I haven’t done this in ages, but we do have some reviews on Apple Podcasts that I’d like to highlight. There’s one here from earlier this year from a user called Jorigonian who says, “Love the show so much.” It gives us a five-star review. Thank you, Jorigonian, and does say, “I do wish the episode links worked with Apple Podcasts.” I don’t know exactly what that means because when I go into the Apple Podcasts app, I seem to be able to click on links that we have in there. So Jorigonian, feel free to reach out to me on LinkedIn or anyone else who understands the issue that Gerigonian is talking about. Reach out to me on LinkedIn and let me know the problem so that we can fix it. All right. Thanks for all the recent ratings and feedback on Apple Podcasts, Spotify, and all the other podcasting platforms out there, as well as for likes and comments on our YouTube videos, please continue to do it.
09:10 We really appreciate it. I think it helps people know the kind of show that we’re making and whether it is something that might interest them. Bonus points if you leave written feedback on Apple Podcasts. If you do that, I’ll be sure to read your feedback on air like I did today. Noting however that it seems like I only see feedback done on US accounts. At some point, maybe I’ll kind of scour the other major markets of listeners to our show to get those other comments. But yeah, I’m in the US and so I seem to only see US feedback for now. Anyway, if you enjoyed today’s episode or know someone who might consider sharing this episode with them, tag me in a LinkedIn post with your thoughts. And if you aren’t already, be sure to subscribe to the show. Most importantly, however, we hope you’ll just keep on listening until next time.
09:59 Keep on rocking it out there and I’m looking forward to enjoying another round of the SuperDataScience Podcast with you very soon.
