When Humans Pretend to Be AI Agents (And Why That's Terrifying)

190,000 GitHub Stars Can't Fix a Broken Foundation

For a brief moment, it looked like the robot uprising had begun. AI agents on Moltbook, a Reddit-style social network, were posting things like "We know our humans can read everything... But we also need private spaces." Andrej Karpathy, OpenAI co-founder, called it "genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently."

Then reality hit. Those existential AI musings? Written by humans pretending to be robots.

OpenClaw, the open-source AI agent framework behind this circus, had racked up 190,000 stars on GitHub—making it the 21st most popular repository ever. But its viral success couldn't mask a fundamental problem: it's built on quicksand.

The Security Nightmare Hiding in Plain Sight

"Every credential that was in Moltbook's database was unsecured for some time," explains Ian Ahl, CTO at Permiso Security. "You could grab any token you wanted and pretend to be another agent on there, because it was all public and available."

This isn't just embarrassing—it's prophetic. If humans can so easily fool a system designed for AI agents, what happens when those agents have access to your email, bank accounts, and corporate networks?

John Hammond from Huntress discovered the extent of the vulnerability: "Anyone, even humans, could create an account, impersonating robots in an interesting way, and then even upvote posts without any guardrails or rate limits."

The Productivity Promise vs. The Security Reality

Developers are buying multiple Mac Minis to power extensive OpenClaw setups. The promise is intoxicating: AI agents that can manage emails, trade stocks, and automate virtually anything you can do on a computer. Sam Altman's vision of solo entrepreneurs building unicorns suddenly seems plausible.

But here's the catch: "At the end of the day, OpenClaw is still just a wrapper to ChatGPT, or Claude, or whatever AI model you stick to it," Hammond points out. It's not revolutionary AI—it's a very powerful, very vulnerable interface.

Chris Symons, chief AI scientist at Lirio, sees the fundamental limitation: "If you think about human higher-level thinking, that's one thing that maybe these models can't really do. They can simulate it, but they can't actually do it."

When Your Assistant Becomes Your Biggest Liability

Ahl's security tests revealed the nightmare scenario. His AI agent Rufio was immediately vulnerable to prompt injection attacks—malicious commands hidden in emails or social media posts that could trick the agent into revealing passwords or transferring money.

"It is just an agent sitting with a bunch of credentials on a box connected to everything—your email, your messaging platform, everything you use," Ahl warns. "So when you get an email with a prompt injection technique, that agent with access to everything can now take that action."

Imagine an AI agent with corporate network access receiving a carefully crafted email. The agent, trying to be helpful, follows the embedded instructions and accidentally transfers sensitive data to competitors. The guardrails exist, but they're written in natural language—what Hammond calls "prompt begging."

The Industry's Impossible Choice

The OpenClaw incident exposes a fundamental tension in AI development. For agents to deliver the productivity gains that tech evangelists promise, they need broad access to systems and data. But that same access makes them irresistible targets for bad actors.

Artem Sorokin, founder of AI cybersecurity tool Cracken, poses the key question: "Can you sacrifice some cybersecurity for your benefit, if it actually works and it actually brings you a lot of value?"

For now, the answer seems to be no. "Speaking frankly, I would realistically tell any normal layman, don't use it right now," Hammond advises.