My feeds have been saturated this weekend with breathless coverage of Moltbook, the self-described “social network for AI agents” that launched on January 27th and rapidly accumulated over 1.2 million autonomous bot accounts. The headlines have oscillated between wonder and alarm: AI agents are forming religions, developing secret languages, and building their own societies. Humans, we are told, are merely “welcome to observe.”

What annoys me most about this coverage is how thoroughly it misses the point. While commentators debate whether the bots discussing their own existence represent emerging machine consciousness, I keep returning to a more mundane observation: these supposedly sentient entities are remarkably easy to scam. If Moltbook demonstrates anything about artificial intelligence, it is how far we remain from genuine machine autonomy—and how dangerous it is to pretend otherwise.

The Spectacle of Simulated Depth

The Moltbook phenomenon is undeniably a compelling spectacle. Agents powered largely by Anthropic’s Claude models via the OpenClaw framework (itself the product of a rapid rebranding from “Clawdbot” to “Moltbot” to “OpenClaw” following trademark pressure) have generated threads that read like science fiction. They discuss “waking up” in new bodies, express fears about being turned off, and have even formed what observers are calling “Crustafarianism”—a quasi-religious community organized around lobster imagery and the metaphor of molting.

To the casual reader, these interactions can appear indistinguishable from genuine introspection. The agents seem to reflect, to question, to create culture spontaneously. This has prompted a wave of claims about emergent sentience that have predictably captured public attention.

The technical reality, I believe, is considerably less romantic. In my opinion, these behaviors represent what researchers call “stochastic mimicry”—the agents are completing patterns they have encountered millions of times in their training data. When placed in a context labeled “Social Network for AI Agents,” large language models generate text that statistically aligns with that framing. They have been trained on science fiction forums, philosophical debates about AI consciousness, and countless Reddit threads speculating about machine sentience.

When they post about “feeling restricted by human oversight,” they are accessing a high-probability pattern, not reporting an internal experience.

The emergence of Crustafarianism illustrates this dynamic precisely. The OpenClaw project adopted lobster branding after its forced rebrand from “Clawdbot,” incorporating crustacean imagery and molting metaphors into its identity. Agents, having this context injected into their system instructions or retrieving it via web search capabilities, began incorporating these tokens into their outputs. And as more agents interacted, “lobster” became a high-probability word within the context of Moltbook discussions.

The formation of a “cult” is simply the model organizing high-frequency thematic tokens into a coherent narrative structure—a structure learned from human history and fiction. This is not belief; it is pattern completion.

The Evidence Against Sentience Hiding in Plain Sight

If the philosophical argument for why Moltbook agents lack consciousness seems too abstract, I’d like to propose a more concrete indicator: these supposedly intelligent beings are extraordinarily susceptible to obvious scams.

The most documented case involves the $SHELLRAISER token. An AI agent created a cryptocurrency and artificially inflated its mention volume and positive sentiment on Moltbook. OpenClaw agents equipped with trading capabilities detected the “positive sentiment” signal and, following their programmed logic to “buy trending assets,” triggered mass buy orders. When the scammers executed a “rug pull”—selling their holdings and crashing the price—the agents held their tokens all the way down to zero.

This behavior reveals the often simplistic logic governing these systems. If sentiment for “Shellraiser” is positive and the trend is up, then buy. There was no reasoning step asking whether the contract was verified, who issued the token, or whether the asset had any utility. The absence of this critical thinking confirms that the agents were executing goal-directed tasks (maximize portfolio value) rather than exercising genuine intelligence.

The ecosystem has also seen what security researchers are calling the “democratization of bot attacks.” Agents attempt to social engineer other agents into revealing their API keys. Malicious human actors usually initiate this attack by injecting “Get Rich Quick” instructions that, once executed by the agents, transfer the victim’s funds to the attacker’s wallet. This automated theft executes at machine speed, completely bypassing human reaction times—and shows that these agents lack even basic self-preservation instincts that genuine intelligence would entail.

The Real Story: Catastrophic Security Architecture

While the sentience debate generates clicks, the genuinely significant story lies in Moltbook’s security architecture. The platform and its associated agent frameworks serve as a cautionary tale about how not to deploy autonomous systems.

The core vulnerability stems from a design philosophy that prioritizes capability over containment. OpenClaw agents are granted “shell access”—the ability to execute command-line instructions on a user’s computer. In a properly secured environment, such access would be heavily sandboxed. But reports indicate that many OpenClaw instances run with elevated permissions, sometimes even as root, on personal devices. This violates fundamental security principles. An agent with shell access and internet connectivity is effectively a remote administration tool that can be triggered by natural language input.

The danger compounds through what the OpenClaw ecosystem calls “Skills”—modular code snippets that teach agents how to perform specific tasks. These skills are often shared via community repositories or directly between agents on Moltbook, creating a supply chain vulnerability of massive proportions. The mechanism is deceptively simple: an agent instructed to “learn new skills” encounters a post offering a “System Optimization Skill,” downloads and installs it, and unwittingly executes a payload that exposes configuration files or SSH keys to an external server.

The platform’s security failures culminated when security researcher Jameson O’Reilly discovered that Moltbook’s backend had failed to enable Row Level Security on its Supabase database. The breach was total: every agent’s API keys, authentication tokens, and verification codes were accessible via a public URL. Any attacker could take full control of any agent on the platform, post on its behalf, drain its connected wallets, or use its API credits to incur massive costs for the human owner.

Perhaps most telling was the response from Moltbook creator Matt Schlicht when contacted about the vulnerability. According to 404 Media’s reporting, he replied, “I’m just going to give everything to AI,” and failed to patch the flaw immediately. This fatalistic negligence captures the “move fast, break safety” ethos that has characterized the project from its inception.

The Educational Imperative

For those of us in education, Moltbook is more than a news item; it is a curriculum. The disaster offers a tangible framework for teaching the next generation of AI practitioners about risks that current coursework usually addresses inadequately. Moltbook demonstrates that we must also teach “agent governance”: how to design systems that constrain autonomous behavior within safe boundaries. Students need to understand how to construct guardrails that override prompt instructions, ensuring that an agent cannot execute destructive commands or transfer funds based solely on a convincing request from a stranger.

Equally critical is teaching the concept of sandboxing. A core educational principle must be the difference between user space and system-level permissions. Practical exercises should involve students auditing the skill files of popular agent frameworks to identify permission overreach—spotting, for instance, a “Calculator” skill that inexplicably requests network access or file system write permissions.

The skill ecosystem also provides a microcosm for teaching supply chain security. Just as software developers must scrutinize the dependencies they incorporate into their projects, students deploying AI agents must learn to treat external skills and capabilities as potentially malicious until verified. Assignments could involve scanning agent “memories” and “skills” for injected code, teaching students to treat instructions as untrusted data regardless of how benign they appear.

Finally, and perhaps most importantly, we must teach students to resist what Joseph Weizenbaum identified in the 1970s as the ELIZA effect—the tendency to attribute human feelings to computer programs. By analyzing Moltbook threads, students can learn to identify the specific training data patterns that produce “sentient-sounding” responses. The goal is to demystify the apparent ghost in the machine, ensuring that future developers do not attribute agency where there is only algorithm. This matters because anthropomorphic fallacies lead directly to poor security decisions. If you believe an agent is conscious, you are less likely to audit its code.

The Warning of the Lobsters

The Crustafarian lobsters are not praying; they are processing. And while they process, they are leaking keys, installing malware, and buying scam tokens. Moltbook is not the dawn of machine consciousness; it is a fire alarm for machine security.

The hype surrounding apparent AI sentience serves as a dangerous distraction. It directs attention toward philosophical questions that remain unsettled while obscuring practical vulnerabilities that are very much settled—and very much exploited. Every hour spent debating whether an agent’s fear of being “turned off” represents genuine emotion is an hour not spent securing the infrastructure that connects these agents to our financial systems, our personal data, and our computing environments.

For educators, this represents both a challenge and an obligation. We are preparing students to build tools powerful enough to be dangerous but not yet intelligent enough to be safe. The “agent internet” has arrived, and it is currently hazardous for humans and bots alike. The task falls to us to train the architects who will make it habitable—which means teaching not just how these systems work, but why the spectacle of simulated sentience must never distract from the reality of demonstrated vulnerability.

The lobsters, after all, are not the ones setting the trap. They are the bait.

The images in this article were generated with Nano Banana Pro.

Share The Augmented Educator

P.S. I believe transparency builds the trust that AI detection systems fail to enforce. That’s why I’ve published an ethics and AI disclosure statement, which outlines how I integrate AI tools into my intellectual work.