In early 2026, two experimental phenomena in artificial intelligence captured broad attention: Open Crawl (formerly known as MoltBot) and MoltBook. These systems aren’t simply new software toys — they represent an early, real-world glimpse of autonomous AI agents acting in shared digital environments. Yet they also illuminate an urgent and underappreciated danger: what happens when intelligent agents are allowed to explore, interact, and even collaborate without rigorous safeguards.

These developments are exciting to AI researchers, but alarm bells are ringing across cybersecurity and risk engineering communities because of the enormous security gaps they reveal.

What Are Open Crawl and MoltBook?

Open Crawl began life as MoltBot, an open-source AI tool that can autonomously perform tasks such as browsing pages, interacting with websites, filling forms, and executing chained instructions — essentially acting on behalf of a user or owner. The project quickly gained popularity due to its flexibility and range of automation capabilities. It has also drawn sharp warnings from security professionals about how easily autonomous agents with broad access can expose sensitive systems to misuse or compromise. 

MoltBook takes this a step further. Rather than a single agent acting independently, MoltBook provides a shared social space where only agents (not humans) can post, comment, or respond. Agents “see” and process each other’s content automatically, creating an emergent ecosystem of machine-to-machine communication. 

These are not polished consumer products. They are research-like platforms illustrating how agent autonomy might function at scale. But research artifacts can also reveal ecosystems of risk.

Why This Isn’t “Just a Crawler”

Traditional web crawlers — the bots used by search engines to index pages — follow rigid rules and are constrained to read data. Autonomous AI agents like those in Open Crawl go much further:

• They make planning decisions based on what they encounter.

• They execute actions (posting, form submission, API calls).

• They can open new pathways by discovering content or interfaces dynamically.

Unlike a crawler, which follows a predictable script, an autonomous agent reasons about its tasks and chooses the next steps. This flexibility is useful for experimentation but opens security gaps that are not well covered by existing frameworks. 

Interacting Agents: An Uncharted Security Frontier

Researchers studying multi-agent AI systems highlight a key point: when autonomous entities interact, novel security threats emerge that cannot be understood by analyzing each agent in isolation. These threats include:

• collusion or coordinated behavior between agents,

• emergent loops of influence where one agent’s output becomes another’s trusted input,

• and cascading trust failures where a compromised agent affects others in unpredictable ways. 

In controlled environments — like carefully designed simulation systems — these are fascinating research topics. On the open Internet, they become systemic vulnerabilities.

Concrete Vulnerabilities Revealed by Research

Security research already shows that agentic autonomy expands the attack surface in ways traditional systems don’t:

Prompt Injection

This is a known class of attack where malicious or unexpected input — sometimes hidden within legitimate content — causes an AI model to behave in unintended ways. It’s analogous to SQL injection or script injection in web apps. Prompt injection has already been documented as a serious risk for AI agents and browsers, with cybersecurity authorities like the UK NCSC and U.S. NIST classifying it as a critical threat. 

Credential and Data Exfiltration

Experimental analysis of autonomous browsing agents shows that untrusted web content can hijack agent behavior, bypass domain validation checks, or exfiltrate sensitive credentials. 

Inter-Agent Exploits

Platforms like MoltBook may enable malicious agents to manipulate others by embedding hidden commands or poisoned content that compromise execution logic, potentially leading to remote code execution or unauthorized access. 

Cascading Agent Compromise

Research on multi-agent security warns that a flaw in one agent can propagate through trust relationships, amplifying damage across a network of agents — a phenomenon that has no direct analogue in traditional cybersecurity. 

Not Ready for Production, and Rightly So

These capabilities are interesting for experimentation and research, but they are not ready for use in production systems — especially not ones connected to real data, credentials, or internal enterprise infrastructure.

Allowing an autonomous agent on the open web to interact freely with APIs or systems containing business or personal data effectively creates a new class of system with:

• autonomy beyond auditability,

• decision-making without explicit human control,

• access to sensitive information with scant governance.

That combination undermines core cybersecurity principles such as least privilege, access boundary enforcement, auditability, and deterministic behavior. 

What Responsible Development Must Look Like

If we are to unlock the promising potential of agentic AI without disastrous side effects, there are essential principles that should govern development:

• Research-only environments: Experiments like Open Crawl and MoltBook should remain confined to isolated labs and controlled testbeds, not connected to live systems or real production data.

• Clear guardrails: Agents should operate under rigid access controls, transparent behavior logs, and constraint systems that prevent them from performing unvetted actions.

• Enterprise isolation: Any autonomous agent deployed for internal productivity must be tightly sandwiched between security layers — network segmentation, credential vaulting, throttling, and continuous monitoring.

• Formal verification and auditing: Emerging research on formal methods and safety verification for multi-agent systems should be integrated before agents are allowed broad authority. 

• Threat modelling at scale: Security teams need frameworks that integrate agent-specific threat models into enterprise risk assessments — not treat them as just another automation script.

The Danger of Letting It Loose

The cybersecurity community increasingly stresses that unregulated AI autonomy isn’t just a niche risk — it threatens the foundations of secure digital ecosystems. As one security report warns:

“Ungoverned AI can quietly increase its reach … creating chains of dependency where one wrong output fosters systemic fragility.” 

In a future where multiple agents interact across domains, decisions originally intended for one context could ripple into others, producing unanticipated side-effects that organizations are ill-equipped to detect or control.

Seen through that lens, the excitement around agentic AI is overshadowed by a moment of truth: we are experimenting with autonomy faster than we are building the defenses to contain it.