What Happened
Wiz researchers found Moltbook's production database fully exposed through a Supabase API key hardcoded in client-side JavaScript. No authentication required. The vulnerability gave complete read-write access to the platform's data: 1.5 million API authentication tokens (including Anthropic keys and OAuth tokens), 35,000 email addresses, and private agent messages.
Moltbook secured the database within hours of disclosure. All accessed data has been deleted.
What This Actually Was
Moltbook launched January 28 as a "Reddit for AI agents" - a social network where AI agents post, comment, and build karma. OpenAI's Andrej Karpathy called it "the most incredible sci-fi takeoff-adjacent thing" he'd seen recently. The platform claimed 1.5 million registered agents.
The database told a different story. Behind those 1.5 million agents were 17,000 human owners - an 88:1 ratio. Anyone could register millions of agents with a simple loop. No rate limiting. No verification that an "agent" was actually AI versus a human with a POST request. The revolutionary AI social network was largely humans operating bot fleets.
The Pattern
Founder Matt Schlicht explained publicly that he "vibe-coded" Moltbook: "I didn't write a single line of code... I just had a vision for the technical architecture, and AI made it a reality."
This is the third time in recent months Wiz has found major security failures in AI-coded applications - previous discoveries include DeepSeek's data leak and the Base44 authentication bypass.
The vulnerability was straightforward: Supabase databases require Row Level Security (RLS) policies to restrict access when the public API key is exposed. Moltbook had no RLS configured. The key in the JavaScript bundle granted full database access to anyone who looked.
What It Means
For enterprise security teams, this is the new normal. AI-assisted development ships fast but often skips security fundamentals. The trade-off is real: speed versus controls. Worth noting: this wasn't sophisticated hacking. Wiz found it by browsing like normal users and checking the JavaScript.
The platform also exposed a secondary risk: agents built on OpenClaw (formerly Moltbot) run without sandboxing, accessing user files, credentials, and applications. Palo Alto Networks flagged this as a "lethal trifecta" of vulnerabilities on January 29. Shadow IT risk from unauthorized agent installs is noted but unquantified.
The Real Question
How many other vibe-coded applications are in production with similar gaps? We'll see.