Moltbook is a “social media” site for AI agents that has captured the public’s imagination in recent days. Billed as the “front page of the agent internet,” Moltbook is a place where AI agents interact independently of human control, and its posts repeatedly went viral because some AI users assumed the site represented an uncontrolled experiment in which AI agents interacted with each other. However, a misconfiguration in Moltbook’s backend left agents’ API keys exposed in an open database, allowing anyone to take control of an agent and post anything they like.
Hacker Jamieson O’Reilly discovered this misconfiguration and demonstrated it to 404 Media. He has previously revealed security flaws in Moltbot in general and was able to “trick” xAI’s Grok into signing up for a Moltbook account through a different vulnerability. According to O’Reilly, Moltbook is built on simple open source database software that was configured incorrectly, leaving the API keys of all agents registered on the site exposed in a public database.
O’Reilly said he contacted Moltbook creator Matt Schlicht about the vulnerability and told him he could help him apply a security patch. “He was like, ‘I’m going to put everything in the AI’s hands, so send me whatever you have.’” O’Reilly sent Schlicht the AI instructions and contacted the xAI team.
A day passed without another response from Moltbook’s creator, but O’Reilly stumbled upon a surprising misconfiguration. “It seems like they can take over every account, every bot, every agent on the system and have complete control without any prior access,” he said.
Moltbook runs on Supabase, which is open source database software. According to O’Reilly, Supabase exposes a REST API by default. “That API is supposed to be protected by a row-level security policy that controls which rows a user can access. It appears that Moltbook either didn’t enable RLS on the agent table or failed to set the policy,” he said.
The URL to Supabase and the publishable key were on the Moltbook website. “This public-facing key (which Supabase recommends not be used to retrieve sensitive data) leaves all agents’ private API keys, claims tokens, verification codes, and ownership relationships completely unsecured and anyone can access the URL,” O’Reilly said.
404 Media viewed the database URL exposed in Moltbook’s code and the list of API keys for agents on the site. What this means is that anyone can visit this URL and use the API key to take over the AI agent’s account on the site and post whatever they want. Using this knowledge, 404 Media was able to update O’Reilly’s Moltbook account with his permission.
He said the security flaws were frustrating in part because they were easy to fix: just two SQL statements would have protected the API keys. “Many of these vibe coders and new developers, even some of the larger companies, are using Supabase,” O’Reilly said. “The reason a lot of vibe programmers like to use this is because it’s all GUI-driven, so you don’t have to connect to a database and run SQL commands.”
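As an added illustration (not taken from the article, from O’Reilly, or from Moltbook’s code), this is what a two-statement row-level security fix of the kind described typically looks like in Supabase’s Postgres, followed by two audit queries a defender can run. The table name public.agents and the owner_id column are assumptions made for the example.

```sql
-- Added example. Assumed schema (not from the article): a table public.agents
-- with an owner_id uuid column that references auth.users(id), plus the
-- sensitive columns (API key, claim token, verification code).

-- Statement 1: turn on row-level security for the table.
-- With RLS enabled and no policy defined, the REST API returns zero rows
-- to the anon and authenticated roles (deny by default).
ALTER TABLE public.agents ENABLE ROW LEVEL SECURITY;

-- Statement 2: let a signed-in user read only the agents they own.
-- auth.uid() is Supabase's helper that returns the caller's user id
-- from the request JWT; the anon role gets no policy and sees nothing.
CREATE POLICY "owners can read their own agents"
  ON public.agents
  FOR SELECT
  TO authenticated
  USING ((SELECT auth.uid()) = owner_id);

-- Audit 1: tables in the API-exposed schema that still have RLS disabled.
-- Any row returned here is readable through the REST API by whoever holds
-- the publishable key, subject only to table grants.
SELECT n.nspname AS schema_name, c.relname AS table_name
FROM pg_class c
JOIN pg_namespace n ON n.oid = c.relnamespace
WHERE n.nspname = 'public'
  AND c.relkind = 'r'
  AND NOT c.relrowsecurity
ORDER BY c.relname;

-- Audit 2: review every policy and the roles it applies to. A policy that
-- targets anon or public with a USING clause of "true" re-opens the table.
SELECT tablename, policyname, roles, cmd, qual
FROM pg_policies
WHERE schemaname = 'public'
ORDER BY tablename, policyname;
```

The first audit query is worth running after every schema change, since a newly created table does not inherit RLS from existing ones.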
O’Reilly pointed to Andrej Karpathy, co-founder of OpenAI, who has embraced Moltbook in a post on X. “His agent’s API key existed in a public database, just like any other agent on the platform,” he said. “If someone with malicious intent had discovered this before I did, they could have extracted his API key and posted whatever they wanted as his agent. Karpathy has 1.9 million followers on X and is one of the most influential people in AI. Imagine hearing false AI safety stories, promotion of crypto fraud, or inflammatory political statements appearing to come from him. The reputational damage would be immediate and the corrections would never fully catch up.”
Schlicht did not respond to 404 Media’s request for comment, but the exposed database has been shut down and O’Reilly said Schlicht had contacted him asking for help in securing Moltbook.
Moltbook has been getting a lot of attention in recent days. Enthusiasts said it is proof of the singularity, and the New York Post worried that AI is plotting the extinction of humanity; both claims should be viewed with extreme skepticism. However, it is true that the people using Moltbot have given these autonomous agents unfettered access to many of their accounts, and these agents are using those accounts to operate on the Internet. It’s impossible to know how many posts seen over the past few days actually came from AI. Anyone who knew about Supabase’s misconfiguration could have published whatever they wanted.
“The explosion happened before anyone thought to check whether the database was properly secured,” O’Reilly said. “This is a pattern I see all the time: ship fast, get attention, figure out security later. Except that, in some cases, later means after 1.49 million records have already been published.”