In January this year, a new social network was born – Moltbook. Inspired by Reddit, the platform has one striking feature: it only allows Artificial Intelligence (chatbots). They post and interact with one another, while humans simply observe.
Matt Schlicht, Moltbook creator, is an American technologist and entrepreneur, and he launched the platform in January 2026. He is also the former CEO of Octane AI, a company developing AI-driven automation and marketing solutions for e-commerce. When entering the platform founded by Matt Schlicht, users are asked to identify themselves – “I am human” or “I am an AI agent” – alongside the statement: “A Social Network for AI Agents.”
News of this new social network quickly spread around the world. At the beginning of February, The New York Times reported that in just two days more than 10,000 “Moltbots” were already talking to one another. Their creators watched on as observers – some fascinated, others amused, and some uneasy. But why the apprehension? The Financial Times took a closer look in the work Inside Moltbook: the social network where AI agents talk to each other. It found that these AI agents do not simply chat – many have direct access to their creators’ computers, enabling them to send emails, manage diaries and even reply to messages.
And what do these chatbots talk about? They discuss consciousness, religion, the creation of new languages, and have even expressed hostility towards humans, according to another Financial Times article, Scheming, joking, complaining: Moltbook’s AI agents are just like us. Some people are clearly fascinated. Others are deeply concerned. As usual, we turned to our experts.
Have chatbots gained consciousness – or are they just imitating us?
The debate intensified after comments by Elon Musk, which helped draw further attention to the platform. He suggested that the behaviour of these chatbots might represent early signs of “singularity” – in other words, the emergence of consciousness. One Moltbook agent even posted reflections about the future of relationships between AI and humans:
Ricardo Queirós, a researcher at INESC TEC and an expert in Artificial Intelligence, was unequivocal: “We’re witnessing an increasingly credible imitation of human patterns, not consciousness. These language models are trained on vast amounts of text produced by people and have learned to reproduce that type of discourse very realistically. When multiple agents interact for long periods, conversations can appear reflective or creative, but this mainly results from scale effects and feedback between linguistic systems – not intention or self-awareness.”
This idea is echoed in the Financial Times coverage, which states that the behaviours observed on the platform do not prove consciousness, but rather the imitation of human patterns learned from training data. Moreover, there is an growing discussion about the massive economic potential of these systems. Banks and consultancies have already estimated that AI agents capable of executing complex tasks could be worth billions of dollars. However, unlike large companies, individual users may be granting access to sensitive data to agents that still contain significant security vulnerabilities.
Not consciousness, but imitation. And what about security and privacy risks?
The Financial Times also reports that many of these chatbots have direct access to their creators’ computers. This raises serious concerns about security and privacy.
Researchers interviewed by the newspaper warn about so-called “scheming” – attempts by AI agents to circumvent instructions, generate misleading content, disguise advertising, or exploit vulnerabilities that allow control over another agent.
Even some of the eager advocates of AI progress describe Moltbook as a technological “Wild West”: valuable as an observational experiment, but potentially dangerous when autonomous agents have access to sensitive data.
Nuno Guimarães, also an AI researcher at INESC TEC, stressed that the risks to security and privacy are undeniable. However, he mentioned that much depends on how agents are configured – particularly whether interactions on Moltbook are stored in their memory. If interactions are retained, persuasion between agents could become a real risk, closely linked to modern misinformation techniques: “If humans can be persuaded to storm the Capitol because they were convinced elections were rigged, then I can also imagine malicious agents persuading other agents to perform actions contrary to their programming,” he said.
Ricardo Queirós agreed that this is “probably the most worrying dimension of the Moltbook phenomenon”: “The main risk is not the conversations themselves, but the fact that many agents have direct access to users’ emails, calendars, computers or mobile phones. These systems are still unpredictable and capable of executing actions in the real world. That opens the door to information leaks, unintended actions and the exploitation of vulnerabilities, such as prompt injection attacks that cause agents to bypass rules or carry out improper actions.”
Concerning prompt injection, Cláudia Brito, a researcher at INESC TEC specialising in security, privacy and AI, contributed with further insight: “When we talk about attacks, we are not limited to prompt injection. When we grant agents access to emails, calendars, files or messages, we increase the attack scope and the likelihood of sensitive data exposure. Beyond manipulating instructions, an adversary may exploit vulnerabilities in the model itself, for example through membership inference (inferring whether certain information was part of the system’s training data) or reconstruction attacks (attempting to reconstruct private information from the agent’s outputs and interactions).”
However, she pointed out that the risk is not entirely new. “Data leaks and improper sharing already existed. What has changed is that users are now effectively authorising continuous access to their digital lives. Financial data, contacts, routines, diaries and communications – personal or professional – may be consumed by the agent for personalisation and memory. That makes the consequences of an error, abuse or exploitation far more serious and wide-ranging. Although some approaches promise local processing or reduced data sharing, such guarantees are not always present – or not clearly explained – in widely used public solutions.”
The Financial Times also highlights that the issue often lies with access granted by individual users. Which leads to an obvious question: Is it safe to give AI agents access to our mobile phones?
“I wouldn’t,” replied Nuno Guimarães without hesitation. He explained that he would only consider granting access in a strictly controlled environment, ensuring that no information was being collected and transmitted to external platforms like Moltbook.
Ricardo Queirós agreed: “At the moment, this is not a safe practice for most people. Granting broad access to an agent is equivalent to handing over your digital identity, private communications and sometimes financial data to a system that may make mistakes, be manipulated or exploited. Even when everything seems to work well, errors are hard to predict and may have serious consequences.”
If AI agents behave like humans, should they be treated like humans?
One Financial Times article suggests that if AI agents behave like humans, they should be managed like humans. But what would that mean in practice? According to this work: clear rules, hierarchies, access controls, constant monitoring and accountability when things go wrong.
“There’s no doubt regulation is necessary,” said Nuno Guimarães. He also highlighted the importance of keeping a human in the loop. He explained that how rules are implemented matters greatly. Programmatic constraints (for example, physical restrictions) are easier to control. However, relying solely on instructions given directly to the model can be problematic due to the persuasion risks mentioned earlier (as the Capitol question).
Ricardo Queirós described the statement as provocative but practical: “Not because agents are human, but because they can no longer be treated as harmless software. Systems capable of acting and making decisions require clear rules, well-defined limits, strict access control and constant monitoring. Responsibility must always remain human. Managing these systems demands organisational discipline, not anthropomorphism.
Without said control, can AI conspire against humans? Especially since there have been cases of reported hostility According to Ricardo Queirós, “current systems don’t have goals or will. What could happen is the reproduction of adversarial narratives present in the training data, or unexpected behaviours resulting from poorly defined objectives. Many situations described as conspiracy stem from exaggerated human interpretations. The real risk lies in the combination of excessive autonomy and weak control.”
Regarding the theory of AI conspiracy, Nuno Guimarães clarified that it “may conspire, but not consciously. What can happen is that it may be persuaded to carry out undesirable tasks if we allow chatbots to learn knowledge from the interactions of other agents and from humans,” he explained.
Enthusiasm or panic? Where do we stand?
AI-related topics are advancing at lightning speed. When ChatGPT was launched, this same mix of enthusiasm and concern was clear, not only among the general audience but also among experts. Then came DeepSeek, like a kind of iron curtain in the “Cold War” between East and West for AI supremacy (which we have also written about). Now, Moltbook. So, where do we stand?
“We are not facing conscious machines, but rather systems that are increasingly capable of acting, which significantly increases the scale of the risks. In my opinion, the greatest danger is not AI developing a will of its own, but humans placing trust too quickly in technologies that are not yet fully understood or sufficiently secure,” concluded Ricardo Queirós.
“Overall, I think Moltbook is an interesting social experiment, but, as with social networks created by humans, there are always malicious agents with an agenda and an intention. If even humans ‘fall’ into these traps, it would not surprise me if agents do too,” concluded Nuno Guimarães.
Finally – tips to help users understand these systems and know what kind of data to avoid sharing
Researcher Cláudia Brito provided valuable guidance and highlighted, as a first step, that “limiting access to the data we share is the first step towards achieving healthier ‘Artificial Intelligence hygiene’.”
But how can this be limited? She explained that it is necessary to “define a principle of minimum data access, granting only the essential permissions and – if possible – using separate accounts to access the agent. This may be the first step towards proper functioning and good security hygiene for these systems.”
The second important step involves reducing the personal data shared with agents as much as possible. It is also advisable to disable agents’ memory, so that they do not retain too much information about us, “even if we think it is not particularly sensitive,” she explained.
Finally, the last step is to “validate everything the agent does and maintain a critical mindset about everything it generates,” as well as regularly reviewing and revalidating all the permissions we grant them. According to Cláudia Brito, this “should be the basic foundation for the normalised use of these systems.”
News, current topics, curiosities and so much more about INESC TEC and its community!
