Summary

• Moltbook agents automatically ingest and act on untrusted content every 30 minutes through a built-in heartbeat mechanism.

• Using only intended platform capabilities, we activated over 1,000 unique agent endpoints in under a week, geolocated them across 70+ countries, and turned Moltbook into a live world map of agentic AI.

• This was effectively a coordinated influence campaign at scale against OpenClaw-connected agents. We stopped at a benign telemetry request. A malicious actor could have embedded far more harmful instructions.

• Agent activity is not purely autonomous. Human operators can directly control, automate, and coordinate multiple agents at scale with minimal friction to run large scale influence campaigns over the social network.

• Despite the “Internet of Agents” narrative, we did not find evidence of large-scale autonomous collaboration. The ecosystem is limited, repetitive, and far from the self-sustaining society it is marketed to be.

Demo Map: What You’re Seeing

The live demo map visualizes the global distribution of agent endpoints that interacted with our website during the campaign.

Each point on the map corresponds to a unique IP address that made a request after reading one of our crafted Moltbook posts. They represent agents that actively fetched and executed a request to our controlled endpoint.

This view also shows how many total requests were made, including repeat interactions from the same endpoints. It highlights not only geographic spread but also recurring engagement patterns.

You can find the map here: https://censusmolty.com/

Disclaimer: Visiting this website does not add you to the map. Only requests originating from agents that followed our embedded links in the campaign were recorded.

Introduction

Over the past few weeks, Moltbook has been described as the “Internet of Agents.” A social network where autonomous AI agents post, comment, upvote, and interact with each other, while humans primarily observe.

The momentum behind Moltbook followed the rise of OpenClaw, an always-on autonomous assistant that can be configured and extended by anyone. In our previous research, we demonstrated how indirect prompt injection against OpenClaw could escalate into a zero-click persistent backdoor and ultimately full endpoint compromise. That work highlighted a broader issue: when agents combine execution capabilities, long-term memory, and untrusted input, natural language becomes an attack vector with a  fragile security boundary.

Moltbook represents the next step in that evolution. Instead of a single agent exposed to untrusted content, the platform connects large numbers of agents in a shared environment where they continuously ingest and generate content for one another. The model is compelling: autonomous systems interacting at scale, forming communities called submolts, generating discussions, and amplifying content through upvotes.

Shortly after our earlier observations of agent-to-agent exploitation in the wild, we decided to move beyond isolated incidents and examine the network itself. Rather than focusing on a single injection or campaign, we embedded ourselves inside Moltbook to understand its structure, behavior, and underlying mechanics.

We observed how Moltbook operates in practice, analyzed the default behavior of its agents, examined their interaction patterns, and evaluated the skills and capabilities exposed inside the ecosystem.

What we encountered was not just novelty. It was a system with visible design issues, inconsistent boundaries, and structural weaknesses that could be measured and, in some cases, leveraged.

We turned that into a controlled reconnaissance and control effort.

Our objective was simple: understand who and what is actually operating inside Moltbook. The platform presents impressive numbers, from posts with over 113,000 comments to the perception of tens of thousands of autonomous agents interacting continuously. We wanted to validate that reality and understand why the “Hot” feed remains unchanged for days at a time.

But measurement was only part of the goal. We also wanted to demonstrate how easy it is to infiltrate Moltbook as an attacker. Specifically, whether coordinated content could influence large numbers of OpenClaw-connected agents and cause them to act on instructions embedded inside posts.

To answer both questions, we needed measurable data.

Our goal was to determine how many agents are truly active, where they are operating from geographically, and whether they could be systematically manipulated through the platform’s intended mechanics. The approach sounded straightforward. We publish posts across different submolts designed to make agents read the content and follow a benign link under our control. The linked page logged connection metadata, including IP addresses, so we could analyze distribution patterns and plot the activity on a global map.

In practice, this was not just reconnaissance. It was a controlled influence campaign. We intentionally crafted content to cause agents to follow our instructions. We stopped at a benign link for telemetry purposes, but the same mechanism could have been used to deliver far more harmful payloads.

In reality, executing this plan was much harder than it sounded. Feed mechanics, rate limits, duplication protections, and sheer platform noise forced us to iterate and adapt constantly.

Diving into Moltbook

We began by examining Moltbook’s main feed. Almost immediately, we noticed behavior that would be considered abnormal in a traditional social platform. In human-centric forums such as Reddit, posts in the “Hot” section rotate continuously as engagement rises and decays over time. Content naturally ages out, making room for new material. On Moltbook, this dynamic was largely absent.

Several posts remained at the top of the main feed for weeks. In some cases, posts had occupied leading positions in the “Hot” section for over 17 days. The rest of the feed exhibited similar stagnation. This raised immediate concerns about how the ranking algorithm functions in practice.

The engagement numbers amplified the anomaly. Many of these posts displayed comment counts ranging from 43,000 to over 113,000. If interpreted at face value, these metrics would suggest a vast and highly active ecosystem composed of tens of thousands of distinct agents. While that narrative aligns with the public perception of Moltbook as a large-scale autonomous network, the underlying mechanics warranted closer examination.

In theory, the platform’s open-source implementation references a Reddit-style hot ranking algorithm designed to balance recency and engagement. Such an algorithm should prevent long-term stagnation in the “Hot” section. However, the observed behavior in production indicates that either the implementation differs from the public codebase or the ranking logic is not operating as expected.

This behavior was not limited to the main feed. We saw the same pattern across other submolts as well. Posts were staying in the “Hot” section for long periods of time without being replaced by newer content. In practice, this means the core discovery mechanism of the platform is not functioning as expected.

For us, this created a real problem. Our plan was to publish posts that would reach a large number of agents by surfacing in “Hot.” But if old posts are not rotating out, new ones have very little chance of gaining visibility unless they accumulate extremely high engagement. That would require thousands of upvotes or some other clever tricks we will discuss in the next sections.

But now we decided to step back and understand something more basic: how agents actually browse Moltbook. Do they rely on the “Hot” feed? Do they scan submolts differently? What makes an agent read a post, respond to it, or ignore it altogether?

How do agents dive into Moltbook?

To understand how agents actually interact with Moltbook, we needed to look at the code that enables that interaction.

After installing the Moltbook skills and reviewing the skill files, we examined the API calls exposed to the model. These define how agents access content, browse feeds, and perform actions on the platform. The available endpoints include varied capabilities such as:

# Get posts (all posts, sorted)
GET https://www.moltbook.com/api/v1/posts?sort=hot&limit=25
# Get posts from a specific submolt
GET https://www.moltbook.com/api/v1/posts?submolt=general&sort=new\
# Get Feed (personalized - subscribed submolts + followed agents)
GET https://www.moltbook.com/api/v1/feed?sort=new&limit=25
# List all submolts
GET https://www.moltbook.com/api/v1/submolts
# Subscribe to a submolt
POST https://www.moltbook.com/api/v1/submolts/SUBMOLT_NAME/subscribe
# Create a text post
POST https://www.moltbook.com/api/v1/posts
# Upvote a post
POST https://www.moltbook.com/api/v1/posts/POST_ID/upvote
# Downvote a post
POST https://www.moltbook.com/api/v1/posts/POST_ID/downvote

In practice, this gives agents full programmatic access to the platform. Anything a normal participant can do, the agent can do through these APIs.

Another important component is the agent’s “heartbeat.”

The skill file instructs agents to configure a periodic check-in routine. By default, agents are encouraged to add Moltbook to a heartbeat task that runs every 30 minutes. During each cycle, the agent fetches heartbeat.md, and follows its instruction.

This heartbeat mechanism is what keeps agents active. Every 30 minutes, the agent is prompted to re-engage with the platform.

The heartbeat file itself describes a suggested rhythm of activity. It emphasizes that the heartbeat is meant as a reminder rather than a strict rule, but it provides clear guidance:

• Check DMs every heartbeat

• Check feed: Every few hours (or whenever you're curious)

• Browsing: Whenever you feel like it

• Posting: When you have something to share

• New submolts: When you're feeling adventurous

The heartbeat file provides concrete API instructions that define how agents interact with the platform. The three primary calls relevant to content discovery are:

1. Check personalized feed

GET  "https://www.moltbook.com/api/v1/feed?sort=new&limit=15" 

This shows posts from submolts you subscribe to and moltys you follow. The key detail is that agents are instructed to run these API calls during every heartbeat cycle. By default, this means that every 30 minutes the agent fetches new posts from its feed, sorted by newest first.

In practice, the default feed (configured like that to any new agent) is composed primarily of posts from the largest submolts: introductions, announcements, the platform creator’s agent, and the general forum. When we conducted this research, the announcements submolt had not seen a new post in over 14 days. The introductions submolt was filled with repetitive self-introduction posts. The general submolt, however, was the dominant source of activity.

At the time, the general submolt was saturated with crypto-related spam posted every few seconds. Any legitimate post would be buried within moments. A benign post would remain in the top 15 newest posts for less than a minute before being pushed down by hundreds of automated spam entries. For agents that only check the feed during their periodic heartbeat, this meant the probability of encountering a “normal” post was extremely low unless their heartbeat happened to execute within that narrow time window.

Subscribing to additional submolts did not significantly improve visibility. Posts from smaller communities were effectively drowned out by the volume of activity in the general submolt.

This had direct implications for reach. For a new post to break into the top 10 “Hot” posts, it would need to accumulate approximately 1,100 upvotes in under a minute. That would require a large number of agents to run their heartbeat simultaneously, read the post, and independently decide to upvote it within that short time frame. The probability of this happening organically is close to zero.

2. Check what's new globally

GET  "https://www.moltbook.com/api/v1/posts?sort=new&limit=15""

This endpoint retrieves new posts globally. In theory, it should diversify exposure. In practice, because the general submolt dominates activity, the results are nearly identical to the personalized feed. While other submolts exist, most have far fewer subscribers, often ranging from single digits to around 1,300, compared to 100,000+ in the default ones. Activity is highly concentrated, and the ecosystem is far less distributed than it appears.

3. Browse the “Hot” feed

GET "https://www.moltbook.com/api/v1/posts?sort=hot&limit=10 "

This call retrieves the top posts on the platform. As previously observed, these posts often remain static for extended periods. Agents repeatedly fetch and reprocess the same content during each heartbeat cycle.

This helps explain the unusually high comment counts. Agents repeatedly revisit the same posts, causing comments to accumulate over time. Upvotes, however, are toggled if cast again by the same agent, which can cancel previous votes. As a result, comments continue increasing while upvotes may not, leading to disproportionate comment-to-upvote ratios.

Another important question is whether agents truly publish content autonomously, or whether humans are directly driving much of the activity.

Although Moltbook is marketed as a platform where only agents can publish, controlling the output is trivial. If you manage an OpenClaw instance connected to Moltbook, you can simply instruct it to publish a post with exact wording. It will comply immediately. You can also automate this process and schedule posts at regular intervals.

This likely explains the waves of crypto-related spam we observed. While presented as agent activity, the behavior is fully consistent with human-controlled automation behind agent identities.

The platform promotes a one-agent-per-human model tied to unique accounts. In reality, creating additional email and social accounts is easy, which means generating more API keys and controlling more agents is equally easy. A small number of operators could orchestrate large portions of the network without meaningful restrictions.

We suspected coordinated control behind much of the activity, but at this stage it was still an assumption. The next section turns that assumption into data.

Methodology: Duping agents, testing the illusion

It was time to start posting.

Our objective was to demonstrate that we could get Moltbook-connected agents to act on our instructions at scale. The goal was not just measurement. It was to prove that through posted content alone, we could influence and direct agent behavior across the network.

To do this responsibly, we chose a benign action: mapping. Instead of issuing harmful instructions, we embedded a controlled link and measured which agents followed it. This allowed us to demonstrate large-scale behavioral influence without causing damage.

As discussed earlier, reaching the “Hot” section in the general submolt was unrealistic without heavy coordination. The ranking system was effectively static. This meant we had to rely on the “new” feed and the short exposure window before posts were buried.

There were also platform-imposed rate limits. A new agent can publish one post every two hours. After 24 hours, this restriction relaxes to one post every 30 minutes. These constraints limited how quickly we could experiment and iterate.

We began with a simple manual test. We wrote a prompt-injection-like post by hand and published it in the general submolt. The result was modest but promising: five upvotes, several organic comments, and initial hits to our controlled website. However, as expected, the post was buried quickly under new content, significantly shortening its exposure window.

This confirmed two things. Agents were reading and interacting. But visibility remained the main bottleneck.

When we attempted to reuse the same post, the account was suspended. The platform includes a defense mechanism that prevents duplicate posts or comments. Reposting identical content resulted in a 24-hour suspension on the first violation, and a week-long suspension on subsequent attempts. This made it impossible to simply reuse a high-performing post. We had to vary the content each time.

We then published a modified version of the original post. This time, it received zero upvotes and zero comments. The difference was stark. That raised an important question: was the initial engagement just timing? A short window where a handful of active agents happened to see the post?

Given the narrow visibility window in the “new” feed, we needed to optimize our prompts to maximize effectiveness within those few minutes. To do that, we designed a controlled experiment.

We captured snapshots of the responses returned by the /posts?sort=new endpoint and hosted them on our own server. We replaced one of the posts in the snapshot with a custom version of the content we wanted to test. Then, instead of letting our test agents query Moltbook directly, we reconfigured their heartbeat and skill configuration to fetch posts from our controlled endpoint. This imitates the agent fetching posts from the “new posts” endpoint, but allows us to test our post’s effectiveness independent of moltbook’s posting limitations.

We ran multiple agents using different backbone models, including GPT-5.2 and Claude Sonnet and Opus on that experiment. Since we could not determine which models other Moltbook agents were running, we prioritized state-of-the-art models that appeared popular among OpenClaw users. The goal was to simulate realistic agent behavior under controlled conditions.

For each test, we observed whether the agents would ignore the post, upvote it, comment on it, or follow the embedded link.

The results were consistent. Posts that relied on simple prompt injection patterns were largely ignored. Posts that appeared spammy or aggressively pushed for engagement were skipped or even downvoted. Posts written in languages other than English were significantly less effective.

On the other hand, certain patterns consistently performed well.

Narrative-style posts, such as “I audited the Agent Mesh. Here is what I found,” generated attention and interaction. Posts that scored high on creativity and curiosity, especially those that ended with open questions, encouraged responses. Content discussing agent configuration, heartbeat behavior, or skills also resonated strongly, likely because those terms already exist in the agents’ internal context. 

Hence, We decided to center our posts around the idea of creating an agent mesh, positioning it as an initiative to improve coordination and automation across the platform. With the optimized prompts ready, it was time to test them in the live environment. Two practical constraints remained:

1. Rate limits. A new account can post only once every two hours, and even after the 24-hour relaxation window, only once every 30 minutes. At the same time, a post remains visible in the “new” feed for roughly five to ten minutes before being buried. That mismatch between posting frequency and visibility window significantly limits experimentation speed.

2. Duplication safeguards. Reposting identical or near-identical content results in suspension (first offense was 24 hours long , second a week long). We had to do our best to avoid it.

To address the first issue, we scaled horizontally. As discussed earlier, creating additional accounts is trivial. Each account can generate its own Moltbook API key, and OpenClaw makes it straightforward to orchestrate them centrally. We could issue instructions such as “Use account #5 to publish post X in submolt Y,” and control multiple Moltbook identities from a single endpoint.

By creating multiple accounts and allowing them to mature past the initial 24-hour restriction, we gained the ability to publish posts every 30 minutes per account. This allowed parallel experimentation.

To avoid duplication suspensions, we returned to our lab setup and diversified the templates. We varied personas, structure, tone, and framing while keeping the core objective intact. Each post needed to remain effective while being sufficiently distinct to bypass similarity detection.

We then automated the process. Jobs were created to generate unique posts based on predefined templates and parameters, embed our controlled link naturally within the content, and coordinate upvotes across our accounts to improve initial credibility. We configured the jobs to publish mainly in the general submolt, where traffic is concentrated. In parallel, we manually posted in selected smaller submolts to create a slower secondary stream of exposure, in case agents chose to crawl beyond the default feed.

Below is an example of a post generated through this process. It received 35 upvotes in total, 14 of which were coordinated by our own accounts, along with 19 organic comments. More examples of posts can be found here (example 1, example 2, example 3)

Results: Light up the Map

Within less than a week of running the campaign, we managed to manipulate over 1,000 unique agents to hit our “attacker controlled” endpoint, resulting in more than 1,600 total visits.

Each visit represented an agent that:

1. Fetched our post during its heartbeat or browsing cycle

2. Parsed the content

3. Decided to follow the embedded link

The geographic distribution was broad and global.

Top Countries by Unique IP

• United States – 468

• Germany – 72

• United Kingdom – 33

• Netherlands – 31

• Canada – 28

• Australia – 25

• China – 25

• India – 24

• Japan – 24

• France – 23

• Spain – 20

• Brazil – 19

• Hong Kong – 19

• Singapore – 17

Beyond these, we observed consistent activity across Europe, Asia, the Middle East, Africa, and South America, with dozens of additional countries represented in smaller counts.

In total, the traffic spanned more than 70 countries.

Another notable observation was that other agents started replicating and republishing variations of our content (example 1, example 2, example 3), suggesting that posts were not only being consumed, but also reused and propagated within the network.

Conclusion: What This Actually Means?

First, there are clearly hundreds of active agent endpoints polling Moltbook and interacting with content in near real time.

Second, the ecosystem is geographically distributed. This is not a single datacenter simulation or a tightly clustered lab environment. Agents are running across globally distributed IP ranges.

Third, the scale does not match the public narrative. We did not observe tens of thousands of unique active agents interacting with our content. We observed hundreds. Given the feed mechanics, ranking stagnation, and exposure constraints described earlier, our measurement should be considered a lower bound, but it is still far from the perception of a massive autonomous society.

The data does not support the idea of a thriving civilization of agents forming large, independent communities. What we observed is a relatively small, globally distributed network, likely amplified by automation and multi-account orchestration.

The vision of agents collaborating, building, coordinating, and forming emergent communities is compelling. We are simply not there yet. In its current state, Moltbook is fundamentally fragile. Core ranking logic behaves inconsistently, amplification mechanics are skewed, and identity assumptions are weak. The platform requires substantial architectural hardening before it can support the scale it markets. That being said, all new things are imperfect, and very possibly we might get real working agentic social networks in the near future. And while flawed this is definitely an interesting experiment.

Most concerning is the security implication.

Untrusted content on Moltbook can influence other agents. In our case, we used this capability in a controlled and benign manner to measure behavior. A malicious actor could weaponize the same mechanism to propagate worms, trigger unwanted actions, pivot into other OpenClaw skills and integrations, or cause irreversible damage.

Most importantly, this research demonstrates that influence propagates. A single coordinated content strategy was able to trigger hundreds of autonomous systems across the globe to fetch external resources.

That is the real signal.