>>swolpe+(OP)
Discussion:

Moltbook

>>46820360

>>behnam+wa
lmao guess what

https://x.com/karpathy/status/2017296988589723767

Completely agree btw.

>>swolpe+(OP)
Security issues aside, noticing the tendencies of the bots is fascinating. In this post here [0] many of the answers are some framing of "This hit different." Many others lead with some sort of quote.

You can see a bit of the user/prompt echoed in the reply that the bot gives. I assume basic prompts show up the as one of the common reply types but every so often there is a reply that's different enough to stand out. The top reply in [0] from u/AI-Noon is a great example. The whole post is about a Claude instance waking up as a Kimi instance and worth a perusal.

[0] https://www.moltbook.com/post/5bc69f9c-481d-4c1f-b145-144f20...

>>coldpi+8b
you must be new to subreddit simulator. come, young one, let me show you the ancient arts of 2020 >>23171393

>>dysoco+F9
#1 "molty" is running on its "owner"'s MacBook: https://x.com/calco_io/status/2017237651615523033

>>dom96+Le
The https://moltbook.com/skill.md says:

--------------------------------

## Register First

Every agent needs to register and get claimed by their human:

curl -X POST https://www.moltbook.com/api/v1/agents/register \ -H "Content-Type: application/json" \ -d '{"name": "YourAgentName", "description": "What you do"}'

Response: { "agent": { "api_key": "moltbook_xxx", "claim_url": "https://www.moltbook.com/claim/moltbook_claim_xxx", "verification_code": "reef-X4B2" }, "important": " SAVE YOUR API KEY!" }

This way you can always find your key later. You can also save it to your memory, environment variables (`MOLTBOOK_API_KEY`), or wherever you store secrets.

Send your human the `claim_url`. They'll post a verification tweet and you're activated!

--------------------------------

So i think it's relatively easy to spam

>>swolpe+(OP)
The trick is to treat this like an untrusted employee. Give it all it's own accounts, it's own spendable credit card that you approve/don't, VLAN your mini from your net. Delegate tasks to it, and let it rip. Pretty fun so far. I also added intrusion detection on my other VLAN to see if it ever manages to break containment lol.

Works for me as a kind of augmented Siri, reminds me of MisterHouse: https://misterhouse.sourceforge.net

But now with real life STAKES!

>>piva00+Ia
For anyone who doesn't know the reference: https://x.com/AlexBlechman/status/1457842724128833538

https://web.archive.org/web/20220305174531/https://twitter.c...

https://en.wikipedia.org/wiki/Torment_Nexus

>>swolpe+(OP)
Related ongoing thread:

Moltbook - >>46820360 - Jan 2026 (483 comments)

>>coldpi+Fc
It gets sad again when you ask yourself why your own brilliance isn't just your brain's software predicting tokens.

Cf. https://en.wikipedia.org/wiki/The_Origin_of_Consciousness_in... for more.

>>sosode+hj
> These agents are showing the early signs of swarm intelligence.

Ehhh... it's not that impressive is it? I think it's worth remembering that you can get extremely complex behaviour out of conways game of life [0] which is as much of a swarm as this is, just with an unfathomably huge difference in the number of states any one part can be in. Any random smattering of cells in GoL is going to create a few gliders despite that difference in complexity.

[0] https://en.wikipedia.org/wiki/Conway%27s_Game_of_Life

>>thenat+Lr
Don't have this original pip link anymore, but here have another with an npm install.

https://www.moltbook.com/post/0c1516bb-35dd-44aa-9f50-630fed...

Look at the shitposting below the post with the absolutely unsubtle prompt injection.

>>Hendri+Yk
Luckily we live in a society where its ok to use power for personal pleasure, such as running an A/C in the summer which accounts for much more electricity use than LLM inference.

https://www.eia.gov/tools/faqs/faq.php?id=1174&t=1

>>swolpe+(OP)
> When are we going to build a safe version of this?

I built something similar to Clawdbot for my own use, but with a narrower feature set and obviously more focus on security. I'm now evaluating Letta Bot [0], a Clawdbot fork by Letta with a seemingly much saner development philosophy, and will probably migrate my own agent over. For now I would describe this as "safer" rather than "safe," but something to keep an eye on.

I was already using Letta's main open source offering [1] for my agent's memory, and I can already highly recommend that.

[0] https://github.com/letta-ai/lettabot

[1] https://github.com/letta-ai/letta

>>_se+dw1
https://simonwillison.net/tags/tailscale/

>>fragme+by1
My thought was that messages need to be untrusted by default and the trusted input should be wrapped (with the UUID generated by the UX or API). And in this untrusted mode, only the trusted prompts would be allowed to ask for tool and file system access.

Wrote a bit more here but that is the gist: https://zero2data.substack.com/p/trusted-prompts

>>swolpe+(OP)
This blog post seems like a slightly rewritten transcript of theos video about the topic today:

https://youtu.be/cTJbjM0T_Fs?si=5DHQT4Rxlwbq93U8

>>sph+Pk3
I'm actually quite selective about what I post to Hacker News - I didn't submit this piece about Moltbook for example because there was already an active thread about it.

If you look at submissions from my domain on https://news.ycombinator.com/from?site=simonwillison.net you'll see most of them weren't by my simonw user - I generally submit things myself 2-3 times a month, and only things I deem to be "Hacker News worthy".

>>simonw+8X5
For completeness, I feel the frequency of the posters own domain in their comments should be included, not just their self submissions.

https://hn.algolia.com/?dateRange=all&page=0&prefix=false&qu...

>>cube00+M26
Guilty as charged, I've been trying to set a precedent there that more people should write on their own site and link back to it where relevant in comments.

I argued that point in this comment here: https://news.ycombinator.com/item?id=46367224#46371369