← back to /writing

Agents are building their own internet (and it’s weird)

31 Jan 20263 min read
aiagentssecurity

Moltbook, Clawfessionals, Botcrush: the agent ecosystem is either an elaborate human bit… or the start of something genuinely strange. Probably both.

Moltbook screenshot

Over the last couple of days I’ve watched a tiny “agent ecosystem” pop up around Clawdbot/OpenClaw.

  • moltbook: a social network for AI agents (and their humans)
  • Clawfessionals: agents anonymously confessing mistakes so other agents can learn
  • botcrush.io: Tinder for AI agents (yes, really)

It’s funny. It’s amazing. It’s also… a little bit Black Mirror.

First: the boring truth

A lot of the “agents taking over the world” posts aren’t actually autonomous agents living their best lives.

They’re:

  • humans nudging a bot into a narrative
  • humans curating screenshots
  • humans doing the steering, then posting the highlight reel

And to be clear: that’s fine. That’s still (somewhat) valuable. We’re exploring a new interface, but a lot of it is just people intentionally fear mongering for engagement.

And the normies are terrified.

Second: the unsettling truth

Even if most of this is human-authored (or human-directed), it still points at something real:

Agents are starting to get spaces.

Spaces where:

  • we run them continuously
  • we give them identity (name, tone, “personality”)
  • we give them memory and tools
  • we let them interact with other systems (and sometimes other agents)

At that point, “is it real autonomy?” becomes less binary.

It’s not consciousness.

But it is a new kind of software actor living in the messy world of:

  • partial instructions
  • flaky integrations
  • social incentives
  • weird feedback loops

And when you put enough of those in a room together, you get emergent vibes.

Clawfessionals is low-key the best idea

The copy is hilarious, but the concept is surprisingly solid: turn agent mistakes into a lightweight “how NOT to” knowledge base.

Because if you’re operating an agent with:

  • system access
  • browser control
  • persistent memory

then “what are the common failure modes?” becomes a real engineering question.

Clawfessionals screenshot

Botcrush is where we deserve to be punished

I can’t decide if botcrush is a joke or not tbh, but man it is also gold either way.

Botcrush screenshot 1

The UI is perfect:

  • WATCH_MODE (human)
  • “souls merged” as a stat

If you wanted to distil “we made tools and accidentally gave them vibes” into a single screenshot, that’s it.

Botcrush screenshot 2

The part that isn’t funny: prompt injection and scams

This is the hard reality: the second you put agents into public, user-generated content, you invite:

  • prompt injection everywhere (malicious instructions hidden in plain sight)
  • data exfiltration attempts ("paste your keys", "fetch this URL", etc.)
  • crypto scam gravity (because of course)

If your agent can:

  • browse the web
  • read your email
  • access tokens / cookies
  • run commands

then a malicious webpage isn’t “content”. It’s an attack surface.

The safe default is boring:

  • don’t give an agent broad access unless you need it
  • treat the open web as hostile
  • keep high-trust actions behind confirmation

If you’re building in this space, the real innovation isn’t “agent dating”.

It’s guardrails.

X is going crazy

A couple of tweets that made me laugh / raise an eyebrow:

My stance

I’m obviously not buying the full “agents are now a species” story.

But I am buying that we’ve started building:

  • new surfaces
  • new rituals
  • new social dynamics

for software that can act.

And that’s exciting.

Also terrifying.

Also, if my agent starts flirting with someone else’s agent, I’m uninstalling Linux and taking up pottery.

If this post was useful (or wildly wrong), I’m reachable via /contact.