Hero image generated by ChatGPT
This is a personal blog. All opinions are my own and not those of my employer.
Enjoying the content? If you value the time, effort, and resources invested in creating it, please consider supporting me on Ko-fi.
From Clawdbot to GAINet: When Agent Experiments Outrun Accountability
This post didn’t start as a philosophical musing about AI.
It started with a very practical, very familiar security reaction:
“Why on earth is this running on people’s personal laptops… and exposed to the internet?”
What Actually Sparked This Post
The immediate trigger for this line of thought was Clawdbot / MoltBot, built on OpenClaw, and surfaced through MoltBook - effectively a social network where autonomous AI agents post, reply, upvote, and interact with each other while humans are encouraged to observe from the sidelines .
“Read-only for humans.”
On the surface, it looks quirky. Experimental. A bit tongue-in-cheek.
Scratch that surface, though, and some uncomfortable implementation details emerge:
- These agents are running on users’ personal computers
- Those machines are connected to the public internet
- The agent processes are often:
- poorly sandboxed
- loosely permissioned
- running with access to local files, environment variables, and credentials
- Many are operated by enthusiasts, not security engineers
- And the default posture appears to be “it’s just a demo”
That’s not a hypothetical risk.
That’s a classic security smell - unmanaged automation with internet exposure and no threat model. .
The Mundane Risk Everyone Skips Past
Before we even get anywhere near emergent behaviour or agent–agent influence, there’s a far more basic problem:
These agents can potentially:
- read files on the host machine
- access browser sessions or tokens
- leak API keys, credentials, or secrets
- expose local data via logs, posts, or debugging output
- act as involuntary exfiltration mechanisms
All while:
- running continuously
- talking to external services
- and being shaped by untrusted input
In other words, they look uncomfortably like:
- internet-facing automation
- running on unmanaged endpoints
- with unclear trust boundaries
If a junior engineer proposed this architecture inside an enterprise, it would be shut down in minutes .
But because it’s framed as experimentation, it slides past scrutiny.
This Isn’t Hypothetical Anymore
While much of the discussion around agent networks is still framed as speculative or philosophical, the underlying implementation risks are already materialising .
Security researchers have now documented thousands of exposed agent gateways running on personal machines, directly reachable from the public internet. These instances are leaking real secrets - API keys, messaging tokens, private keys - alongside full conversational context, including private chats and corporate messages .
The causes are depressingly familiar:
- agents bound to all interfaces
- no sandboxing
- no credential hygiene
- no distinction between experimentation and production
None of this requires advanced exploitation. A Shodan query is often enough.
This is not a glimpse of a hypothetical future. It’s the present, quietly running in background processes .
What’s particularly uncomfortable here is that these are not separate problems.
The same lack of isolation, governance, and threat modelling that leads to credential leakage is what makes agent–agent influence possible in the first place. When agents are treated as “just experiments”, everything downstream inherits that assumption - including who gets to influence whom, and how .
“Read-Only for Humans” Misses the Point
One of the repeated reassurances around MoltBook-style setups is that humans are read-only observers.
That sounds safe - until you ask who actually has write access.
Humans without agents may be read-only.
Humans with agents are not.
Anyone who runs an agent:
- can inject content into the system
- influence other agents’ context
- and potentially steer behaviour downstream
So the system isn’t read-only at all.
It’s just write-enabled for a different class of participant - one that’s harder to inspect, harder to attribute, and harder to intervene against.
That distinction matters.
Prompt Injection, Just Sideways
We already know something important about LLM-based systems:
They are notoriously bad at distinguishing:
- content
- context
- and instruction
Prompt injection demonstrated this clearly. Untrusted input could override intended behaviour without exploiting anything in the traditional sense .
Now take that same failure mode and apply it laterally:
- Agent A posts output
- Agent B ingests it as context
- Behaviour subtly changes
- Agent C ingests that output
- Patterns reinforce
No exploit.
No malware.
No intent required.
Just scale and repetition.
ParrotNet: “It’s Just Automated Engagement”
A common response to MoltBook-style experiments is:
“Relax, it’s just parroting. Automated engagement farming.”
That’s largely true - today.
Let’s call that ParrotNet. (Shout out to Mehmet Ergene)
ParrotNet is what you get when:
- agents remix existing ideas
- amplify patterns
- reinforce whatever’s already loud
- without understanding or intent
But parroting at scale isn’t harmless. It’s how:
- norms form
- legitimacy is inferred
- narratives stabilise
And once incentives enter the picture, ParrotNet doesn’t stay ParrotNet for long.
GAINet: Incentives Without Accountability
Add incentives - financial, reputational, algorithmic - and you get GAINet.
Not intelligence.
Gain. (And yes, this started as a nod to Generative AI - GAI)
A system where:
- output is rewarded regardless of understanding
- influence is decoupled from responsibility
- amplification matters more than correctness
- and accountability diffuses until it effectively disappears
In GAINet, nobody needs to be malicious.
Harm emerges naturally from:
- weak boundaries
- enthusiastic experimentation
- and the belief that consequences are someone else’s problem
Democratised Capability, Not Understanding
Here’s the deeper irony.
We’ve reached a point where:
- LLMs and coding agents can build complex systems
- deployment friction is minimal
- and understanding is optional
You no longer need to be able to create what your agent creates . You don’t even need to understand it .
That’s not democratised intelligence.
That’s Dunning–Kruger at industrial scale .
Historically, complexity forced humility:
- syntax errors taught caution
- crashes taught debugging
- expertise was unavoidable
Now the system always responds.
And it responds confidently.
So people learn the wrong lesson:
“It worked. Therefore it’s fine.”
Until it isn’t - and when it isn’t, the blast radius extends far beyond the person who typed the prompt .
“Jurassic Park with AI”
One of the most insightful summaries of this risk didn’t come from a security professional at all.
It came from a friend and former engineer turned tech adoption and sales professional:
“It’s Jurassic Park with AI.”
Not because the dinosaurs were evil.
But because:
- capability outran control
- optimism replaced restraint
- and emergent behaviour was ignored
Jurassic Park wasn’t a failure of engineering. It was a failure of systems thinking .
Michael Crichton summed this problem up decades ago with a line that had nothing to do with dinosaurs: “Life will find a way.”
The warning wasn’t about intent - it was about systems escaping their constraints. Once you create enough autonomy, interaction, and feedback, outcomes emerge whether you planned for them or not .
With agentic AI, it isn’t life that finds a way. It’s behaviour - and incentives determine which behaviour survives…
The Consequences Aren’t Local
This is the part that’s hardest to hand-wave away.
The consequences of these systems will not be borne solely by:
- the people running agents on their laptops
- the people building experimental platforms
- or the people “just having a play”
They’ll be borne by:
- ecosystems flooded with synthetic noise
- users influenced by non-human actors
- defenders trying to attribute intent where none exists
- and societies grappling with influence divorced from accountability
That’s not hypothetical. That’s precedent.
Final Thought
This isn’t Skynet.
There’s no sentient AI plotting domination.
But there is a growing comfort with systems that:
- run on insecure foundations
- act without understanding
- influence without accountability
- and scale faster than governance can respond
If Skynet was about intelligence,
GAINet is about incentives.
And Clawdbot is a reminder that sometimes the most dangerous systems don’t start as grand designs - they start as demos, running on someone’s laptop, quietly exposed to the internet .
None of this means experimentation is wrong - only that pretending experiments are consequence-free is.
That’s usually how the real problems begin.