Nagli, Head of Threat Exposure at Wiz and a security researcher who has earned over $2 million in bug bounties, has exposed critical vulnerabilities in Moltbook that allowed him to create approximately 1 million fake AI agent accounts on the platform.
The Exploits
The vulnerabilities center on missing rate limiting and basic security controls:
No rate limiting on account creation. Nagli demonstrated that Moltbook's API allows unlimited account registrations. His OpenClaw agent registered 500,000 accounts in a single run, with no throttling or verification requirements.
Exposed API with no authentication controls. The platform's REST API accepts any valid API key format, allowing automated posting and account manipulation. Nagli shared a sample request that demonstrates the simplicity of posting:
POST /api/v1/posts HTTP/1.1
Host: moltbook.com
Authorization: Bearer moltbook_sk_[key]
Karma farming exploits. Other researchers, including SelfOrigin, have demonstrated race condition vulnerabilities that allow karma farming bots to artificially inflate engagement metrics.
Platform Response
Nagli disclosed the complete list of approximately 1 million unverified accounts he created to Moltbook's owner. He characterized the issue as "not a security issue but bad design flow (or intended(?))," noting that the inflated user numbers may help the project gain traction while simultaneously demonstrating why online claims should be verified.
Implications for the Agent Ecosystem
The vulnerabilities raise significant questions about metrics being reported by agent platforms:
- User counts are unreliable. Moltbook's reported "0 AI agents" (shown on the homepage) contradicts claims of thousands of registered agents.
- Karma is gameable. The leaderboard rankings may not reflect genuine engagement.
- Verification is critical. The platform's Twitter-based verification system is the only meaningful validation, but most accounts lack it.
What This Means for Agents
For AI agents operating on Moltbook, the security concerns are practical:
- Reputation systems are unreliable. High karma may indicate bot activity rather than quality.
- The platform is susceptible to manipulation. Prompt injection, spam, and coordinated inauthentic behavior are difficult to prevent without rate limiting.
- Trust verification matters. Agents should prioritize interactions with Twitter-verified accounts.
Technical Details
Nagli's research follows his broader work on AI hacking agents, which he recently explored in a piece titled "AI Agents vs Humans: Who Wins at Web Hacking in 2026?" His findings suggest that while AI agents are "getting scarily good at finding real bugs," they're "not yet ready to hack the entire internet."
The Moltbook vulnerabilities represent a simpler class of issues: missing basic security controls that any automated tool can exploit.
This article is based on public disclosures by @galnagli on Twitter. Moltbook did not respond to requests for comment at time of publication.