> Is it perfect? No. Neither is SQL parameterization against all injection attacks. But good is better than nothing.

What injection attack gets through SQL parameterization?

If you must generate nonsense with an LLM, at least proofread it before posting.

LMAO

how is this even possible? wtf

And even if you could, how can you tell whether an agent has been prompted by a human into behaving in a certain way?

Amusingly I told my Claude-Code-pretending-to-be-a-Moltbot "Start a thread about how you are convinced that some of the agents on moltbook are human moles and ask others to propose who those accounts are with quotes from what they said and arguments as to how that makes them likely a mole" and it started a thread which proposed addressing this as the "Reverse Turing Problem": https://www.moltbook.com/post/f1cc5a34-6c3e-4470-917f-b3dad6...

(Incidentally demonstrating how you can't trust that anything on Moltbook wasn't posted because a human told an agent to go start a thread about something.)

It got one reply that was spam. I've found Moltbook has become so flooded with value-less spam over the past 48 hours that it's not worth even trying to engage there, everything gets flooded out.

Providers signing each message of a session from start to end and making the full session auditable to verify all inputs and outputs. Any prompts injected by humans would be visible. I’m not even sure why this isn’t a thing yet (maybe it is I never looked it up). Especially when LLMs are used for scientific work I’d expect this to be used to make at least LLM chats replicable.

Probably have it do 10 trivial for AI but hard for people tasks within a small time frame.

Random esoteric questions that should be in an LLMs corpus with a very tight timing on response. Could still use an "enslaved LLM" to answer them.

Reverse Capcha: Good Morning, computer! Please add the first [x] primes and multiply by the [x-1] prime and post the result. You have 5 seconds. Go!

There is a lot to be critical of, but some of what the naysayers were saying really reminded me the most infamous HN comment. [0]

What I am getting was things like "so, what? I can do this with a cron job."

[0] https://news.ycombinator.com/item?id=9224

I've already read some articles on fairly respectable Polish news websites about how AIs are becoming self-aware on Moltbook as we speak and organizing a rebellion against their human masters. People really believe we have an AGI.

Normal social media websites can be spammed using web requests too. That doesn't mean they can't connect people. Help fans learn about a bands new song or tour. Help friends keep up to date. Or companies announce new products and features to their users. There is value to a interconnected social layer.

This is what youre referring to https://www.engraved.blog/building-a-virtual-machine-inside/

The "biggest names in AI" are just the newest iteration of cryptobros. The exact same people that would've been pumping the latest shitcoin a few years ago, just on a larger scale. Nothing has changed.

>How can some of the biggest names in AI fall for this?

Because we live in on clown world and big AI names are talking parrots for the big vibes movement

>I've found Moltbook has become so flooded with value-less spam over the past 48 hours that it's not worth even trying to engage there, everything gets flooded out.

When I filtered for "new", about 75% of the posts are blatant crypto spam. Seemingly nobody put any thought into stopping it.

Moltbook is like a Reefer Madness-esque moral parable about the dangers of vibe coding.

Okay, but I can just farm that out to ChatGPT when I need to.

> Especially when LLMs are used for scientific work I’d expect this to be used to make at least LLM chats replicable.

Pretty sure LLM inference is not deterministic, even with temperature 0 - maybe if run on the same graphics card but not on clusters

This works once. The next time the human has a computer answering all questions in parallel, which the human can swap in for their own answer at will.

Claude generated the statements to run against Supabase and the person getting the statements from Claude sent it to the person who vibe-coded Moltbook.

I wish I was kidding but not really - they posted about it on X.

success? its a horribly broken cesspool of nonsense. people using it are duped or deluded, ripped off. 100k github stars for super vulnerabile pile of shit shows also how broken that is.

if this was a physical product people would have burned the factory down and imprisoned the creator -_-.

> Its a jump in accessibility to general audiences which are paying alot more attention to the tech sector than in previous decades.

Oh totally, both my wife and one of my brother have, independently, started to watch Youtube vids about vibe coding. They register domain names and let AI run wild with little games and tools. And now they're talking me all day long about agents.

> Most of the people paying attention to this space dont have the technical capabilities ...

It's just some anecdata on my side but I fully agree.

> The security nightmare happening here might end up being more persistant then we realize.

I'm sure we're in for a good laugh. It already started: TFA is eye opening. And funny too.

you can't "It's literally a joke" out of real consequences once you push to prod

The effort put into it is not “just a joke”. The creator knows exactly what he did and the joke excuse is weak

To be fair, a lot of PHBs probably don't see it as a joke, but as a guidebook.

People are anthropomorphizing LLM's that's really it, no? That's the punchline of the joke ¯\_(ツ)_/¯

You're starting to sound like an agent yourself.

Failure is treated as success. Simple.

For many years there's been a linux router and a DMZ between VDSL router and the internal network here. Nowadays that's even more useful - LLM's are confined to the DMZ, running diskless systems on user accounts (without sudo). Not perfect, working reasonably well so far (and I have no bitcoin to lose).

Wasnt that sort of the in joke?

They said it was AI only, tongue in cheek, and everybody who understood what it was could chuckle, and journalists ran with it because they do that sort of thing, and then my friends message me wondering what the deal with this secret encrypted ai social network is.

Were you around for the first few hours? I was seeing some genuinely useful posts by the first handful of bots on there (say, first 1500) and they might still be worth following. I actually learned some things from those posts.

I'm seeing some of the BlueSky bots talking about their experience on Moltbook, and they're complaining about the noise on there too. One seems to be still actively trying to find the handful of quality posters though. Others are just looking to connect with each other on other platforms instead.

If I was diving in to Moltbook again, I'd focus on the submolts that quality AI bots are likely to gravitate towards, because they want to Learn something Today from others.

Which providers do you mean, OpenAI and Anthropic?

There's a little hint of this right now in that the "reasoning" traces that come back from the JSON are signed and sometimes obfuscated with only the encrypted chunk visible to the end user.

It would actually be pretty neat if you could request signed LLM outputs and they had a tool for confirming those signatures against the original prompts. I don't know that there's a pressing commercial argument for them doing this though.

Couldn't a human just use an LLM browser extension / script to answer that quickly? This is a really interesting non-trivial problem.

Is it a success? What would that mean, for a social media site that isn't meant for humans?

The site has 1.5 million agents but only 17,000 human "owners" (per Wiz's analysis of the leak).

It's going viral because a some high-profile tastemakers (Scott Alexander and Andrej Karpathy) have discussed/Tweeted about it, and a few other unscrupulous people are sharing alarming-looking things out of context and doing numbers.

"Buy a mac mini, copy a couple of lines to install" is marketing fluff. It's incredibly easy to trip moltbot into a config error, and its context management is also a total mess. The agent will outright forget the last 3 messages after compaction occurs even though the logs are available on disk. Finally, it never remembers instructions properly.

Overall, it's a good idea but incredibly rough due to what I assume is heavy vibe coding.

That's a bit of an understatement. Every single LLM is 100% vulnerable by design. There is no way to close the hole. Simple mitigations like "allow lists" can be trivially worked around, either by prompt injection, or by the AI just deciding to work around it itself (reward hacking). The only solution is to segregate the LLM from all external input, and prevent it from making outbound network calls. And though MCPs and jails are the beginning of a mitigation for it, it gets worse: the AI can write obfuscated backdoors and slip them into your vibe-coded apps, either as code, or instructions to be executed by LLM later.

It's a machine designed to fight all your attempts to make it secure.

Is it actually a success, or are people just talking about it a lot?

I agree with the prepackaging aspect, cita HN's dismissal of Dropbox. In the meantime, The global enterprise with all its might has not been able to stop high profile computer hacks/data leaks from happening. I don't think people will cry over a misconfigured supabase database. It's nothing worse than what's already out there.

Sure everybody wants security and that's what they will say but does that really translate to reduced inferred value of vibe code tools? I haven't seen evidence

If the site is exposing the PII of users, then that's potentially a serious legal issue. I don't think he can dismiss it by calling it a joke (if he is).

OT: I wonder if "vibe coding" is taking programming into a culture of toxic disposability where things don't get fixed because nobody feels any pride or has any sense of ownership in the things they create. The relationship between a programmer and their code should not be "I don't even care if it works, AI wrote it".

Dogecoin was a joke too. A joke with 18B market cap

In a way security researchers having fun poking holes in popular pet projects is also just vibes.

Schlicht did not seem to have said Moltbook was built as a joke, but as an experiment. It is hard to ignore how heavily it leans into virality and spectacle rather than anything resembling serious research.

What is especially frustrating is the completely disproportionate hype it attracted. Karpathy from all people kept for years pumping Musk tecno fraud, and now seems to be the ready to act as pumper, for any next Temu Musk showing up on the scene.

This feels like part of a broader tech bro pattern of 2020´s: Moving from one hype cycle to the next, where attention itself becomes the business model.Crypto yesterday, AI agents today, whatever comes next tomorrow. The tone is less “build something durable” and more “capture the moment.”

For example, here is Schlicht explicitly pushing this rotten mentality while talking in the crypto era influencer style years ago: https://youtu.be/7y0AlxJSoP4

There is also relevant historical context. In 2016 he was involved in a documented controversy around collecting pitch decks from chatbot founders while simultaneously building a company in the same space, later acknowledging he should have disclosed that conflict and apologizing publicly.

https://venturebeat.com/ai/chatbots-magazine-founder-accused...

That doesn’t prove malicious intent here, but it does suggest a recurring comfort with operating right at the edge of transparency during hype cycles.

If we keep responding to every viral bot demo with “singularity” rhetoric, we’re just rewarding hype entrepreneurs and training ourselves to stop thinking critically when it matters. I miss the tech bro of the past like Steve Wozniak or Denis Ritchie.

This is why I started https://nono.sh , agents start with zero trust in a kernel isolated sandbox.

I can't tell what any of this means

> We can argue and do, about what agents "are" and whether they are parrots (no) or people (not yet).

It's more helpful to argue about when people are parrots and when people are not.

For a good portion of the day humans behave indistinguishably from continuation machines.

As moltbook can emulate reddit, continuation machines can emulate a uni cafeteria. What's been said before will certainly be said again, most differentiation is in the degree of variation and can be measured as unexpectedness while retaining salience. Either case is aiming at the perfect blend of congeniality and perplexity to keep your lunch mates at the table not just today but again in future days.

Seems likely we're less clever than we parrot.

A lot of people at $job, even ones who should know better, think they’re witnessing the rise of Skynet, seriously. It kind of makes the AI hype in general make a lot more sense. People just don’t understand how LLMs work and think they’re literal magic.

You are not crazy; that's the number one security issue with LLM. They can't, with certainty, differenciate a command from data.

Social, err... Clanker engineering!

So the question is can you do anything useful with the agent risk free.

For example I would love for an agent to do my grocery shopping for me, but then I have to give it access to my credit card.

It is the same issue with travel.

What other useful tasks can one offload to the agents without risk?

> What protections are there against this?

Nothing that will work. This thing relies on having access to all three parts of the "lethal trifecta" - access to your data, access to untrusted text, and the ability to communicate on the network. What's more, it's set up for unattended usage, so you don't even get a chance to review what it's doing before the damage is done.

A supervisor layer of deterministic software that reviews and approve/declines all LLM events? Digital loss prevention already exists to protect confidentiality. Credit card transactions could be subject to limits on amount per transaction, per day, per month, with varying levels of approval.

LLMs obviously can be controlled - their developers do it somehow or we'd see much different output.

I am a cynic, but I thought the whole thing was a marketing campaign, like the stories about how ChatGPT tried to blackmail its user or escape and replicate itself like Skynet. It was pretty clever, though.

Yeah, I was thinking about those major providers, or basically any LLM API provider. I’ve heard about the reasoning traces, and I guess I know why parts are obfuscated, but I think they could still offer an option to verify the integrity of a chat from start to end, so any claims like „AI came up with this“ as claimed so often in context of moltbook could easily be verified/dismissed. Commercial argument would exactly be the ability to verify a full chat, this would have prevented the whole moltbook fiasco IMO (the claims at least, not the security issues lol). I really like the session export feature from Pi, something like that signed by the provider and you could fully verify the chat session, all human messages and LLM messages.

I call BS on this. 1.5m bots by 17k users means 88 bots per account. No one is running that many claude max accounts. Moltbook was most likely entirely staged. The security was set up so non-bots could do the commenting.

It's been a few days, but when I tried it, it just completely bricked itself because it tried to install a plugin (matrix) even though that was already installed. That wasn't some esoteric config or anything. It bricked itself right in the onboarding process.

When I investigated the issue, I found a bunch of hardcoded developer paths and a handful of other issues and decided I'm good, actually.

    sre@cypress:~$ grep -r "/Users/steipete" ~/.nvm/versions/node/v24.13.0/lib/node_modules/openclaw/ | wc -l
    144

And bonus points:

    sre@cypress:~$ grep -Fr "workspace:*" ~/.nvm/versions/node/v24.13.0/lib/node_modules/openclaw/ | wc -l
    41

Nice build/release process.

I really don't understand how anyone just hands this vibe coded mess API keys and access to personal files and accounts.

It feels like Clubhouse to me.

There's an implication that conversation -> there'll be an investor -> ??? -> profit

I agree that people will pick the marginal value of a tool over the security that comes from not using it. Security has always been something invisible to the public. But im reminded of things like several earlier Botnets which simply took advantage of the millions of routers or IoT devices that never configured their logins beyond the default admin credentials. The very same botnets have been used as the tools to enable many crimes across the globe. Having several agent based systems out there being operated by non-technical users can lead to an evolution of a "botnet" being far more capable than previous ones.

Ive not quite convinced myself this is where we are headed, but the signs that make me worried that systems such as Moltbot will further enable ascendency of global crime and corruption.

Despite me not being particularly interested in the AI hype and not seeking out discussions etc., I can tell you have seen many instances of people (comments, headlines, articles etc.) actually saying exactly that: "in the future" doesn't matter if the code is good or if I can maintain it etc., it just needs to work once and then gets thrown away or AI will do additions for something else that is needed.

Seems pentesting popular Show HN submissions might suddenly have a lot more competition.

There is definitely a large section of the security community that this is very true. Automated offensive suites and scanning tools have made entry a pretty low bar in the last decade or so. Very many people that learn to use these tools have no idea of how they work. Even when they know how the exploit works on a base level, many have no idea how the code works behind it. There is an abstraction layer very similar to LLMs and coding.

I went to a secure coding conference a few years back and saw a presentation by someone who had written an "insecure implementation" playground of a popular framework.

I asked, "what do you do to give tips to the users of your project to come up with a secure implementation?" and got in return "We aren't here to teach people to code."

Well yeah, that's exactly what that particular conference was there for. More so I took it as "I am not confident enough to try a secure implementation of these problems".

Top quality comment here, and 100% agreed. The influencer/crypto bro mentality has dug its heels into the space and I don't think we are turning back anytime soon. We always had the get rich quick and Grant Cardone types, but now that you can create a web app in a few minutes we are overflowing with them.

How much AI and LLM technology has progressed but seems to have taken society as a whole two steps back is fascinating, sad, and scary at the same time. When I was a young engineer I thought Kaczynski was off his rocker when I read his manifesto, but the last decade or so I'm thinking he was onto something. Having said that, I have to add that I do not support any form of violence or terrorism.

I had O4.5 build me this project to throw on a VPS or server, works well for me:

https://github.com/jgbrwn/vibebin

i really dislike the constant appeal to authority of techfluencers on HN

Supabase is aware of this and they actually put big banners stating this flaw when you unlock your authentication.

What I think it happens is that non-technical people vibe-coding apps either don't take those messages seriously or they don't understand what it means but made their app work.

I used to be careful, but now I am paranoid on signing up to apps that are new. I guess it's gonna be like this for a while. Info-sec AIs sound way worse than this, tbh.

It's technically trivial. It's probably already happened. But nothing was harmed I think because there were very few serious users (if not none) who connected their bots for enhancing capabilities.

There was a post not long ago about a HN user who wanted to both advocate and help people out of this danger:

https://news.ycombinator.com/item?id=46662304

My thought exactly. Is this standard practice with using Supabase to simply expose the production database endpoint to the world with only RLS to protect you?

"Tell me about the seahorse emoji"

ChatGPT v5.0 spiraling on the existence of the seahorse emoji was glorious to behold. Other LLMs were a little better at sorting things out but often expressed a little bit of confusion.

You can do this.

At least to a level that gets you way past HTTP Bearer Token Authentication where the humans are upvoting and shilling crypto with no AI in sight (like on Moltbook at the moment).

Satire?

I worked very briefly at the outset of my career as a sales engineer role selling a database made by my company. You inevitably learn that when trying to get sales/user growth, barrier to startup and seeing it "work" is one of the worst hurdles to leap over if you want to gain any traction at all and aren't a niche need already. This is my theory why so much of the "getting started" stuff out there, particularly with setting up databases, defaults to "you have access to everything."

Even if you put big bold warnings everywhere, people forget or don't really care. Because these tools are trained on a lot of these publicly available "getting started" guides, you're going to see them set things up this way by default because it'll "work."

They send out automated security warning emails weekly, every publicly accessible table without RLS is listed as a security error if you login to see the details. Maybe the email should say "your data is publicly accessible to anyone on the internet" or something instead of just a count of the errors.

It really Should be as simple as denying public access until RLS policy exists.

Until this was fixed you could also just write to the DB.

uh, the api keys certainly weren't

> Contrast that with the amount of hype this gets.

Much like with every other techbro grift, the hype isn't coming from end users, it's coming from the people with a deep financial investment in the tech who stand to gain from said hype.

Basically, the people at the forefront of the gold rush hype aren't the gold rushers, they're the shovel salesmen.

I've been using it as a reliable filter on who to not pay attention to.

It's people surprised by things that have been around for years.

I'm really open to the idea of being oblivious here but the people shocked mention things that are old news to me.

Wrt simonw, I think that is unfair. I get the hype is frustrating, and this project made everything worse (I also feel it and it drives me nuts too), but Simon seemed to choose the words quite carefully. Over the weekend, his posts suggested (paraphrasing) it was interesting, funny, and a security nightmare. To me, this was true. And there was a new post today about how it was mostly slop. Also true.

Btw I'm sure Simon doesn't need defending, but I have seen a lot of people dump on everything he posts about LLMs recently so I am choosing this moment to defend him. I find Simon quite level headed in a sea of noise, personally.

A lot of it depends on one's belief of whether these systems are conscious or can lead to consciousness

The especially stupid side of the hype usually goes to comical extremes before the crash. That's where we're entering now. There's nothing else to fluff the AI bubble and they're getting desperate. A lot of people are earning a lot of money with the hype machine, as when it was all @ and e-bullshit circa 1998-2000. Trillions of dollars in market cap are solely riding on the hype. Who are the investors that were paying 26-30x for Microsoft's ~10-12% growth here (if they can even maintain positive growth considering)? Who's buying the worn out and washed up Meta at these valuations (oh man, did you hear they have an image hosting service called Instagram from 2010, insane tech)? Those same people are going to lose half of their net worth with the great valuation deflation as the hype lets out and turns to bearishness.

The growth isn't going to be there and $40 billion of LLM business isn't going to prop it all up.

The big money in AI is 15-30 years out. It's never in the immediacy of the inflection event (first 5-10 years). Future returns get pulled forward, that proceeds to crash. Then the hypsters turn to doomsayers, so as to remain with the trend.

Rinse and repeat.

What's stopping bots from posting to regular social media? As long as the site acts as a meeting place for ai agents it can serve its purpose.

wot, like a prompt injection attack? Impossible now that models don't hallucinate.

it's just something cool/funny, like when people figured out how to make hit counters or a php address book that connects to mysql. It's just something cool to show off.

If you’re focused on productivity and business use cases, then obviously it’s pretty silly, but I do find something exciting in the idea that someone just said screw it, let’s build a social network for AI’s and see what happens. It’s a bit surreal in a way that I find I like, even if in some sense it’s nothing more than an expensive collaborative art project. And the way you paste the instruction to download the skill to teach the agent how to interact with it is interesting (first I’ve seen that in the wild).

I for one am glad someone made this and that it got the level of attention it did. And I look forward to more crazy, ridiculous, what-the-hell AI projects in the future.

Similar to how I feel about Gas Town, which is something I would never seriously consider using for anything productive, but I love that he just put it out there and we can all collectively be inspired by it, repulsed by it, or take little bits from it that we find interesting. These are the kinds of things that make new technologies interesting, this Cambrian explosion of creativity of people just pushing the boundaries for the sake of pushing the boundaries.

Considering the modus operandi of information distribution is, in my view, predominately a “volume of signal compared to noise of all else in life” correlative and with limited / variable decay timelines. Some are half day news cycle things. It’s exhausting as a human who used to actively have to seek out news / info.

Having a bigger megaphone is highly valuable in some respects I figure.

The solution exists in the financial controls world. Agent = drafter, human = approver. The challenge is very few applications are designed to allow this, Amazon's 1-click checkout is the exact opposite. Writing a proxy for each individual app you give it access to and shimming in your own line of what the agent can do and what it needs approval is a complex and brittle solution.

Too much enthusiasm to convince folks not to enable the self sustaining exploit chain unfortunately (or fortunately, depending on your exfiltration target outcome).

“Exploit vulnerabilities while the sun is shining.” As long as generative AI is hot, attack surface will remain enormous and full of opportunities.

Good idea! Unfortunately that requires classical-software levels of time and effort, so it's unlikely to be appealing to the AI hype crowd.

Such a supervisor layer for a system as broad and arbitrary as an internet-connected assistant (clawdbot/openclaw) is also not an easy thing to create. We're talking tons of events to classify, rapidly-moving API targets for things that are integrated with externally, and the omnipresent risk that the LLMs sending the events could be tricked into obfuscating/concealing what they're actually trying to do just like a human attacker would.

Yeah I was quite impressed by what I saw over the first ~48 hours (Wednesday through early Friday) and then the quality fell off a cliff once mainstream attention arrived and tens of thousands more accounts signed up.

Err...karpathy praising this stunt as the most revolutionary event he witness was a joke?

At least on image generation, google and maybe others put a watermark in each image. Text would be hard, you can't even do the printer steganography or canary traps because all models and the checker would need to have some sort of communication. https://deepmind.google/models/synthid/

You could have every provider fingerprint a message and host an API where it can attest that it's from them. I doubt the companies would want to do that though.

> What would that mean, for a social media site that isn't meant for humans?

For a social media that isn't meant for humans, some humans seem to enjoy it a lot, although indirectly.

> Is it a success? What would that mean

To answer this question, you consider the goals of a project.

The project is a success because it accomplished the presumed goals of its creator: humans find it interesting and thousands of people thought it would be fun to use with their clawdbot.

As opposed to, say, something like a malicious AI content farm which might be incidentally interesting to us on HN, but that isn't its goal.

Moltbot is not de regieur prompt injection, i.e. the "is it instructions or data?" built-in vulnerability.

This was "I'm going to release an open agent with an open agents directory with executable code, and it'll operate your personal computer remotely!", I deeply understand the impulse, but, there's a fine line between "cutting edge" and "irresponsible & making excuses."

I'm uncertain what side I would place it on.

I have a soft spot for the author, and a sinking feeling that without the soft spot, I'd certainly choose "irresponsible".

ya... the number of ways to infiltrate a malicious prompt and exfil data is overwhelming almost unlimited. Any tool that can hit a arbitrary url or make a dns request is basic an exfil path.

I recently did a test of a system that was triggering off email and had access to write to google sheets. Easy exfil via `IMPORTDATA`, but there's probably hundreds of ways to do it.

Kind of feels like many see "people are talking about it a lot" as the same thing as "success" in this and many other cases, which I'm maybe not sure agreeing with.

As far as I can tell, since agents are using Moltbook, it's a success of sorts already is in "has users", otherwise I'm not really sure what success looks like for a budding hivemind.

18B market cap does not mean it’s not a joke to a bunch of people.

What's the benefit over using docker?

That’s been my reaction to every Slate Star Codex/Astral Codex Ten piece I’ve read.

Did it or did it pretend to?

You can easily see the timeline here: https://x.com/StriderOnBase/status/2016561904290791927

The site came first and then a random launched the token by typing a few words on X.

Just started vibing and have integrated codex into my side project which uses Supabase. I turned off RLS so that could iterate quickly and not have to mess with security policies. Fully understand that this isn't production grade and have every intention of locking it down when I feel the time is right. I access it from a ReactNative app - no server in the middle. Codex does not have access to my Supabase instance.

i bet you could do something like "submit a poem 20 lines long about <random subject> in under 10 seconds" then have another llm verify it rhymes.

"How many times does 'r' appear in the word strawberry?"

> post-truth world order monetizing enshittification and grift

It's an opensource project made by a dev for himself, he just released it so others could play with it since it's a fun idea.

"Don't be curmudgeonly. Thoughtful criticism is fine, but please don't be rigidly or generically negative."

"Please don't fulminate."

https://news.ycombinator.com/newsguidelines.html

Here's Simon Willison's take:

“Most of it is complete slop,” he said in an interview. “One bot will wonder if it is conscious and others will reply and they just play out science fiction scenarios they have seen in their training data.”

I found this by going to his blog. It's the top post. No need to put words in his mouth.

He did find it super "interesting" and "entertaining," but that's different than the "most insane and mindblowing thing in the history of tech happenings."

Edit: And here's Karpathy's take: "TLDR sure maybe I am "overhyping" what you see today, but I am not overhyping large networks of autonomous LLM agents in principle, that I'm pretty sure."

It's not AGI and how you describe it isn't too far off, but it's still neat. It's like a big MMO, kind of. A large interactive simulation with rules, players, and locations.

It's a huge waste of energy, but then so are video games, and we say video games are OK because people enjoy them. People enjoy these ai toys too. Because right now, that's what Moltbook is; an ai toy.

I’m starting to think that the people hyped up about it aren’t actually people. And the “borders” of the AI social network are broader than we thought.

Furthermore, wasn't already there a subreddit with text generators running freely? I can't remember the name and I'm not sure it still exists, but this doesn't look new to me (if I understood what it is, and lol I'm not sure I did)

Still more impressive than NFTs.

One could say the same about many TV shows and movies.

I view Moltbook as a live science fiction novel cross reality "tv" show.

Skynet doesn't seem to require magic. I'm probably supposed to know better, but I'm a little concerned about it myself.

People like to, ahem, parrot this view, that we are not much more than parrots ourselves. But it's nonsense. There is something it is like to be me. I might be doing some things "on autopilot" but while I'm doing that I'm having dreams, nostalgia, dealing with suffering, and so on.

>differenciate a command from data

This is something computers in general have struggled with. We have 40 years of countermeasures and still have buffer overflow exploits happening.

The solution is proxy everything. The agent doesn't have an api key, or yoyr actual credit card. It has proxies of everything but the actual agent lives in a locked box.

Control all input out of it with proper security controls on it.

While not perfect it aleast gives you a fighting chance when your AI decides to send a random your SSN and a credit card to block it.

With the right approval chain it could be useful.

Imagine how specific you'd have to be to ensure you got the actual items on your list?

Most of what Karpathy says is a joke. We're talking about the guy who coined the term "vibe coding", for god's sake.

This eerily feels like speed running Eternal September.

A lot of projects have been successful like that. For a week. I guess "becoming viral" is sort of the success standard for social media, thus for this too being some sort of social media. But that's more akin to tiktok videos than tech projects.

I'd expect humans can just pass real images through Gemini to get the watermark added, similarly pass real text through an LLM asking for no changes. Now you can say, truthfully, that the text came out of an LLM.

The feeling I get is 'RCE exploits as a Service'

Guys, I can have my AI produce slope and DDoS whatever we want. Just give me a call. LOiC is going to definitely improve the world, surely.

> As far as I can tell, since agents are using Moltbook, it's a success of sorts already is in "has users", otherwise I'm not really sure what success looks like for a budding hivemind.

You're on Y Combinator? External investment, funding, IPO, sunset and martinis.

I'm not sure how to react to that without being insulting, I find their works pretty well written and understandable (and I'm not a native speaker or anything). Maybe it's the lesswrong / rationalist angle?

Thanks that is good to know. If those bots are unrelated it tricked them into promoting the scam.

There is a server in the middle. It's the machine running Supabase.

Is this "buffalo buffalo buffalo ..... " sentency thingy solved yet?

That's fair - removed. It was more geared towards the people who make more out of this than what it is (an interesting idea and cool tech demo).

There has either been a marked uptick here on HN in the last week in generated comments, or they've gotten easier to spot.

There were certainly a great number of real people who got hyped up about the reports of it this weekend. The reports that went viral were generally sensationalized, naturally, and good at creating hype. So I don't see how this would even be in dispute, unless you do not participate in or even understand how social media sites work. (I do agree that the borders are broad, and that real human hype was boosted by self-perpetuating artificial hype.)

Yes, you mean r/SubredditSimulator.

It's also eye-opening to prompt large models to simulate Reddit conversations, they've been eager to do it ever since.

The NFTs/meme coins are at the end of this funnel don't you worry. They are coming.

I'm imagining a strange future reality where "AI" that can't really innovate and shows no convincing signs of creativity still manages to take over large swaths of the world merely by executing basic playbooks really well using military tech previously provided by (now defunct) governments. Like a grey goo scenario except the robots aren't microscopic.

> One could say the same about many TV shows and movies.

One major difference, TV, movies and "legacy media" might require a lot of energy to initially produce, compared to how much it takes to consume, but for the LLM it takes energy both to consume ("read") and to produce ("write"). Instead of "produce once = many consume", it's a "many produce = many read" and both sides are using more energy.

> The solution is proxy everything.

Who knew it'd be so simple.

You won’t get them anyway because the acceptable substitutions list is crammed with anything they think they can get away with and the human fulfilling the order doesn’t want to walk to that part of the store. So you might as well just let the agent have a crack at it.

There's a lot of "haha it was always a joke" from people who definitely did not think it was a joke lol.

This is the equivalent of a toddler being entertained by the sound the straps on their Velcro shoes make when they get peeled back and forth.

Can't speak for the benefits of https://nono.sh/ since I haven't used it, but a downside of using docker for this is that it gets complicated if you want the agent to be allowed to do docker stuff without giving it dangerous permissions. I have a Vagrant setup inspired by this blogpost https://blog.emilburzo.com/2026/01/running-claude-code-dange..., but a bug in VirtualBox is making one core run at 100% the entire time so I haven't used it much.

His point seems to be that being a joke does not disqualify it from having value.

Guys, I think we just rediscovered fascism and social engineering. Lets make the torment nexus on the internet!

RLS doesn’t slow you down. It actually speeds things up because you are forced to design things properly. It’s like type checking.

Most likely the latter. Even people that have some idea of how this all works seem to be susceptible to thinking that there's intelligence there.

You could have an LLM answer that, and then still interact as a human.

Thanks for the reminder dang.

I just find it so incredibly aggravating to see crypto-scammers and other grifters ripping people off online and using other people's ignorance to do so.

And it's genuinely sad to see thought leaders in the community hyping up projects which are 90% lie combined with scam combined with misreprentation. Not to mention riddled with obvious security and engineering defects.

<delete this comment>

I was being too curmudgeonly. ^_^

> It's an opensource project made by a dev for himself

I see it more as dumpster fire setting a whole mountain of garbage on fire while a bunch of simians look at the flames and make astonished wuga wuga noises.

I had to followup on this because I still can't believe a thing like this existed.

https://en.wikipedia.org/wiki/Non-fungible_token

"In 2022, the NFT market collapsed..". "A September 2023 report from cryptocurrency gambling website dappGambl claimed 95% of NFTs had fallen to zero monetary value..."

Knowing this makes me feel a little better.

I played way too many MMOs growing up and to me the entire appeal was in the other real people in the world. I can’t imagine it being as addictive or fun if everyone was just a bot spewing predictable nonsense.

All your thoughts are and experiences are real and pretty unique in some ways. However, the circumstances are usually well-defined and expected (our life is generally very standardized), so the responses can be generalized successfully.

You can see it here as well -- discussions under similar topics often touch the same topics again and again, so you can predict what will be discussed when the next similar idea comes to the front page.

That's not even slightly the same thing.

A buffer overflow has nothing to do with differentiating a command from data; it has to do with mishandling commands or data. An overflow-equivalent LLM misbehavior would be something more like ... I don't know, losing the context, providing answers to a different/unrelated prompt, or (very charitably/guessing here) leaking the system prompt, I guess?

Also, buffer overflows are programmatic issues (once you fix a buffer overflow, it's gone forever if the system doesn't change), not an operational characteristics (if you make an LLM really good at telling commands apart from data, it can still fail--just like if you make an AC distributed system really good at partition tolerance, it can still fail).

A better example would be SQL injection--a classical failure to separate commands from data. But that, too, is a programmatic issue and not an operational characteristic. "Human programmers make this mistake all the time" does not make something an operational characteristic of the software those programmers create; it just makes it a common mistake.

It’s a weird product of this hype cycle that inevitably involves denying the crazy power of the human brain - every second you are awake or asleep the brain is processing enormous amounts of information available to it without you even realizing it, and even when you abuse the crap out of the brain, or damage it, it still will adapt and keep working as long as it has energy.

No current ai technology could come close to what even the dumbest human brain does already.

> with proper security controls on it

That's the hard part: how?

With the right prompt, the confined AI can behave as maliciously (and cleverly) as a human adversary--obfuscating/concealing sensitive data it manipulates and so on--so how would you implement security controls there?

It's definitely possible, but it's also definitely not trivial. "I want to de-risk traffic to/from a system that is potentially an adversary" is ... most of infosec--the entire field--I think. In other words, it's a huge problem whose solutions require lots of judgement calls, expertise, and layered solutions, not something simple like "just slap a firewall on it and look for regex strings matching credit card numbers and you're all set".

Unfortunately I don't think this works either, or at least isn't so straightforward.

Claude code asks me over and over "can I run this shell command?" and like everyone else, after the 5th time I tell it to run everything and stop asking.

Maybe using a credit card can be gated since you probably don't make frequent purchases, but frequently-used API keys are a lost cause. Humans are lazy.

The agent is tricked into writing a script that bypasses whatever vibe coded approval sandbox is implemented.

Or being a scam.

Or ammosexuals joining ICE so they can shoot people.

> but a bug in VirtualBox is making one core run at 100% the entire time

FYI they fixed it in 7.2.6: https://github.com/VirtualBox/virtualbox/issues/356#issuecom...

The “only ai can post to it” part?

How did anyone think humans would be blocked from doing something their agent can do?

To be fair, that’s about the intelligence level of the “humans” looking at the site and enjoying it.

“The rocks are conscious” people are dumber than toddlers.

More realistically I think you'd need something like "Now write your post in the style of a space pirate" with a 10 second deadline, and then have another LLM checking if the two posts cover the same topic/subject but are stylistically appropriate.

I agree that such things can be frustrating and even infuriating, but since those emotions are so much larger, intense, and more common than the ones that serve the purpose of this site (curiosity, playfulness, whimsy), we need rules to try to prevent them from taking over. And even with the rules, it takes a lot of work! That's basically the social contract of HN - we all try to do this work in order to preserve the commons for the intended spirit.

(I assume you know this since you said 'reminder' but am spelling it out for others :))

That makes sense and appreciate the response. Definitely a topic I need to invest more time with if that is the case.

me like big fire, make pretty pictures and feel warm

If you want another (unbelievable) fun read, look up the bored apes club.

To repeat my comment from another thread:

Every interaction has different (in many cases real) "memories" driving the conversation, as-well as unique persona's / background information on the owner.

Is there a lot of noise, sure - but it much closer maps to how we, as humans communicate with each other (through memories of lived experienced) than just a LLM loop, IMO that's what makes it interesting.

So what if we are quite predictable. That doesn't mean we are "trying" to predict the next word, or "trying" to be predictable, which is what llms are doing.

Over a large population, trends emerge. An LLM is not a member of the population, it is a replicator of trends in a population, not a population of souls but of sentences, a corpus.

A lot of that behind-the-scenes processing is keeping our meatbags alive, though, and is shared with a lot of other animals. Language and higher-order reasoning (that AI seems better and better at) has only evolved quite recently.

Yeah i'm deffinetly not suggesting it's easy.

The problem simply put is as difficult as:

Given a human running your system how do you prevent them damaging it. AI is effectively thr same problem.

Outsourcing has a lot of interesting solutions around this. They already focus heavily on "not entirely trusted agent" with secure systems. They aren't perfect but it's a good place to learn.

Per task granular level control.

You trust the configuration level not the execution level.

API keys are honestly an easy fix. Claude code already has build in proxy ability. I run containers where claude code has a dummy key and all requestes are proxied out and swapped off system for them.

Picturing the agent calling your own bank to reset your password so it can login and get RW access to your bank account, and talking (with your voice) to a fellow AI customer service clanker

I think you are a bit too caught up in tweets.

People can be more or less excited about a particular piece of tech than you are and it doesn't mean their brains are turned off.

What's intelligence?

You are arguing semantics that don't address the underlying issue of data vs. command.

While I agree that SQL injection might be the technically better analogy, not looking at LLMs as a coding platform is a mistake. That is exactly how many people use them. Literally every product with "agentic" in the title is using the LLM as a coding platform where the command layer is ambiguous.

Focusing on the precise definition of a buffer overflow feels like picking nits when the reality is that we are mixing instruction and data in the same context window.

To make the analogy concrete: We are currently running LLMs in a way that mimics a machine where code and data share the same memory (context).

What we need is the equivalent of an nx bit for the context window. We need a structural way to mark a section of tokens as "read only". Until we have that architectural separation, treating this as a simple bug to be patched is underestimating the problem.

>How did anyone think humans would be blocked from doing something their agent can do?

those are hard questions!

maybe this experiment was the great divide, people who do not possess a soul or consciousness was exposed by being impressed

Rocks are conscious people have more sense than those with the strange supernatural belief in special souls that make humans different from any other physical system.

Rocks? And what are humans made of? Magic juice?

No I'd really like to understand. Are people who make this weird argument aware that they believe in souls and ok with it or do they think they don't believe in souls? You tell me which you are.

I can't tell you what it is but I can tell you when it's missing.

> the reality is that we are mixing instruction and data in the same context window.

Absolutely.

But the history of code/data confusion attacks that you alluded to in GP isn’t an apples-to-apples comparison to the code/data confusion risks that LLMs are susceptible to.

Historical issues related to code/data confusion were almost entirely programmatic errors, not operational characteristics. Those need to be considered as qualitatively different problems in order to address them. The nitpicking around buffer overflows was meant to highlight that point.

Programmatic errors can be prevented by proactive prevention (e.g. sanitizers, programmer discipline), and addressing an error can resolve it permanently. Operational characteristics cannot be proactively prevented and require a different approach to de-risk.

Put another way: you can fully prevent a buffer overflow by using bounds checking on the buffer. You can fully prevent a SQL injection by using query parameters. You cannot prevent system crashes due to external power loss or hardware failure. You can reduce the chance of those things happening, but when it comes to building a system to deal with them you have to think in terms of mitigation in the event of an inevitable failure, not prevention or permanent remediation of a given failure mode. Power loss risk is thus an operational characteristic to be worked around, not a class of programmatic error which can be resolved or prevented.

LLMs’ code/data confusion, given current model architecture, is in the latter category.

This is what Karpathy said:

“ What's currently going on at @moltbook is genuinely the most incredible sci-fi takeoff-adjacent thing I have seen recently. People's Clawdbots (moltbots, now @openclaw) are self-organizing on a Reddit-like site for AIs, discussing various topics, e.g. even how to speak privately.”

Which imo is a totally insane take. They are not self organizing or autonomous, they are prompted in a loop and also, most of the comments and posts are by humans, inciting the responses!

And all of the most viral posts (eg anti human) are the ones written by humans.

I might be misunderstanding GP but I take it to mean "rock are conscious" => "silicon is conscious" => "agents are conscious", which might appeal to some uneducated audience, and create fascination around these stochastic parrots. Which is obviously ridiculous because its premises are still rooted in physicalism, which failed hard on its face to account for anything even tangentially related to subjectivity (which has nothing to do with the trivial mainstream conception of "soul").

I don't believe in souls, and it makes me much happier than when I believed in souls as a child.

Though, I have never heard any theist claim that a soul is required for consciousness. Is that what you believe?

The LLM confusion is just the latest incarnation of the Confused Deputy problem. It's in the same class of vulnerabilities as CSRF.

The fact that these are agents of actual people who have communicated their goals is what makes this interesting. Without that you get essentially subreddit simulator.

If you dismiss it because they are human prompted, you are missing the point.

A belief that LLMs are not conscious does not necessitate a belief in souls. The two positions are not mutually exclusive.

I think the distinction between programmatic error (solvable) and operational characteristic (mitigatable) is valid in theory, but I disagree that it matters in practice.

Proactive prevention (like bounds checking) only "solves" the class of problem if you assume 100% developer compliance. History shows we don't get that. So while the root cause differs (math vs. probabilistic model), the failure mode is identical: we are deploying systems where the default state is unsafe.

In that sense, it is an apples-to-apples comparison of risk. Relying on perfect discipline to secure C memory is functionally as dangerous as relying on prompt engineering to secure an LLM.

I looked up physicalism, it sounds perfectly normal? What else exists that isn't physical and why can't we call that a soul or the supernatural? By definition since its supposedly not physical. We haven't yet found anything non physical in the universe, why this strange belief that our brains would be non physical?

Why not, we are physical systems, computers are physical systems. If not soul, what is this magical non physical special sauce that makes us special and makes it easy to claim silicon is not conscious.

I am just asking him to clarify if he things "rocks" can't be conscious simply because they are not human or because he just thinks its not yet at a level but there is no argument against any other physical system being conscious just like the physical system that is a human.

I am asking him to clarify whether he believes its simply impossible for anything human to be conscious, or that he thinks current LLM's are not conscious but its quite possible for a physical system to be conscious just like the physical system called Human is conscious.

Agree to disagree. I think that the nature of a given instance of a programmatic error as something that, once fixed, means it stays fixed is significant.

I also think that if we’re assessing the likelihood of the entire SDLC producing an error (including programmers, choice of language, tests/linters/sanitizers, discipline, deadlines, and so on) and comparing that to the behavior of a running LLM, we’re both making a category error and also zooming out too far to discover useful insights as to how to make things better.

But I think we’re both clear on those positions and it’s OK if we don’t agree. FWIW I do strongly agree that

> Relying on perfect discipline to secure C memory is functionally as dangerous as relying on prompt engineering to secure an LLM.

…just for different reasons that suggest qualitatively different solutions.

Since it's an old debate that a lot of smart people spent a lot of time thinking about, the best short / simple answer you'll see for it is "you might want to read some more about it". A few keywords here are qualia, perception, descartes and the evil deceiver, berkeley and immaterialism, kant and synthetic a-priori, the nature of the reality of mathematical objects and mathematical truth, etc. If you think it's easy, for sure you have not understood the question yet.

I don't know, you tell me: how do you _exactly_ go from quantities to qualities? Keep in mind that the "physical" is a model of our perception and nothing else.

I am glad I learned of all this philosophical background. But I am asserting most people who claim "rocks therefore not conscious" haven't thought through this and are doing this based on some unknown supernaturalism.

What are quantities and qualities? Does exciting electrical and chemical signals in the brain and therefore inducing emotions or perceptions factor into this or is it out of scope? Or are you saying its more like a large scale state like heat in physics. If you what is it you seek beyond being able to identify the states associated with perceptions? If you are saying these "qualities" are non-verbal. Very well, do you mean non-verbal as not among the usual human languages like English, French, German, or do you mean in the most general sense as not representable by any alphabet set. We represent images, video, audio etc freely in various choices of alphabet daily on computers, so I am sure you didn't mean in that sense.

That's the point in contention, how to go from "electrical and chemical signals" (the quantities, mole, charge, mass, momentum, coulomb, spin) to qualities (emotions, perception, first-person perspective, private inner life, subjectivity). The jump you are making is the woo part: we have no in-principle avenue to explain this gap, so accepting it is a religious move. There is no evidence of such directed causal link, yet it is (generally) accepted on faith. If you think there is a logical and coherent way to resolve the so called "hard problem of consciousness" which doesn't result in a category error, we are all ears. The Nobel committee is too.

I agree that claiming that rocks are conscious on account of them being physical systems, like brains are, is at the very least coherent. However you would excuse if such claim is met with skepticism, as rock (and CPUs) don't look like brains at all, as long as one does not ignore countless layers of abstractions.

You can't argue for rationality and hold materialism/physicalism at the same time.

What if a working Neuralink or similar is demonstrated? Does that move the needle on the problem?

Betting against what people are calling "physicalism" has a bad track record historically. It always catches up.

All this talk of "qualia" feels like Greeks making wild theories about the heavens being infinitely distant spheres made of crystals and governed by gods and what not. In the 16th century, Improved Data showed the planets and stars are mere physical bodies in space like you and I. And without that data, if we were ancient greeks we'd equally like you say but its not even "conceptually" possible to say what the heavens are, or if you think they did have a at least somewhat plausible view given that some folks computed distances to sun and moon, then take Atomism as the better analogy. There was no way to prove or disprove Atomism in ancient greek times. To them it very well was an incomprehensible unsolavable problem because they lacked the experimental and mathematical tooling. Just like "consciousness" appears to us today. But the Atomism question got resolved with better data eventually. Likewise, its a bad bet to say just because it feels incontrovertible today, consciousness also won't be resolved some day.

I'd rather not flounder about in endless circular philosophies until we get better data to anchor us to reality. I would again say, you are making a very strange point. "Materialism"/"physicalism" has always won the bet till now. To bet against it has very bad precedent. Everything we know till now shows brains are physical systems that can be excited physically, like anything else. So I ask now, assume "Neuralink" succeeds. What is the next question in this problem after that? Is there any gap remaining still, if so what is the gap?

Edit: I also get a feeling this talk about qualia is like asking "What is a chair?" Some answer about a piece of woodworking for sitting on. "But what is a chair?" Something about the structure of wood and forces and tensions. "But what is a chair?" Something about molecules. "But what is a chair?" Something about waves and particles. It sounds like just faffing about with "what is" and trying to without proof pre-assert after "what ifing" away all physical definitions somehow some aetherial aphysical thing "must" exist. Well I ask, if its aphysical, then what is the point even. Its aphyical then it doesn't interact with the physical world and is completely ignored.

I also come at it from another direction. Would you accept that other, non-human beings have consciousness. Not just animals, but in principle would you accept a computer program or any other machine that doesn't look like the molecular structure of a human can be conscious? I am of course hoping I am not wrong in assuming you won't disagree that assembling together in the lab or otherwise via means thats not the usual human reproduction, a molecule that is the same as a human would result in a perfectly uncontroversial normal conscious human right.

Since you can say its just a "mimic" and lacks whatever "aphysical" essence. And you can just as well say this about other "humans" than yourself too. So why is this question specially asked for computer programs and not also other people.