Clawdbot’s popularity has been meteoric, racking up more than 140,000 stars and 20,000 forks on its Github repository.

However, its renaming to Moltbot suggested significant security issues, such as the trifecta of access to private data, exposure to untrusted content and external communication capabilities.

One issue behind AI agents like this being insecure by design is because LLMs are unable to distinguish between different contexts.

For instance, LLMs without guardrails cannot distinguish between a legitimate public webpage and one that serves as a precursor to an indirect prompt injection attack. Given the statistical nature of LLMs, it is possible for an indirect prompt injection to work even with the best-designed guardrails.

But the trifecta itself has already been present in agentic AI pre-Moltbot. What Moltbot changes is the introduction of persistent memory.

Attackers can attempt to compromise a Moltbot-based agentic architecture through time-delayed attacks, as attack strings can persist in memory, resulting in memory poisoning.

However, memory poisoning attacks aim to target the agent’s long-term memory store and are designed to persist in the agentic AI system without detection. This typically involves the embedding of malicious data bit by bit, through means such as multi-shot prompting to introduce false premises to modify its operational context.

Due to the agents trusting their own memory, there exists no additional validation in executing actions from a now-corrupted operational context.

The main issue is that the model and memory could be poisoned through an indirect prompt injection attack that gets detected only much later when the model produces outputs that significantly deviate from its intended use. Only then will the model owners discover their model has been poisoned, but with no means to identify the extent of poisoning due to its persistence in memory.

Security Struggles to Catch Up with Generative AI and Agentic AI

Given the evolution speed of AI technologies, it is unsurprising that security professionals are concerned they are not ready to face risks associated with GenAI solutions. In ISACA’s 2026 Tech Trends and Priorities survey, only 13% of professionals say that they are well-prepared to face GenAI risks despite how 62% of respondents identify AI and machine learning as top technological priorities for 2026.

The rise of GenAI and agentic AI has also led to capabilities such as rapid prototyping and instant usable feedback being placed in the hands of laypersons for the first time. Before the rise of GenAI, most AI and ML research was confined in back-end systems, which did not drastically increase the attack surface the way GenAI and agentic AI did.

It was thus notable that threat modeling frameworks such as MAESTRO, originally written by Ken Huang as a Cloud Security Alliance blog post in 2025, has quickly become popularized, being quoted by an institutional guide such as OWASP just two months later in April 2025.

This is an important development because the relevance of AI security is contingent on its speed to catch up with AI capabilities, which is unheard of in the cyber GRC space. Even governments have had to come up with guidance deviating from the usual norm of a “wait and see” approach, with Singapore announcing the world’s first framework to deploy agentic AI responsibly at the World Economic Forum in January. 

MoltBot is Not Just an Application

Perhaps the biggest factor in why AI security is struggling to catch up is how agentic AI tools such as Moltbot introduce new levels of abstraction not seen in traditional digital infrastructure.

From a threat modeling perspective, new frameworks such as MAESTRO allow us to appreciate how agentic AI tools create their own ecosystems and autonomy within the Moltbot ecosystem itself.

For instance, Moltbot contains multiple interactions across agents that could be poisoned to adversarial behavior to result in a harmful outcome. Yet, for agents to perform work that humans desire them to do, agents require permissions for which there is currently no means to granularize.

How Agentic AI Ecosystems Rehash Traditional Security Issues

From a GRC perspective, viewing Moltbot as an application would then result in the security recommendation that Moltbot is not fit for enterprise purpose because the security risks associated with it simply cannot be mitigated, even without considering GenAI risks.

The real issue is that such agentic AI ecosystems have resulted in a desire by business to shift what was ordinarily the role of several humans into a set of agents, without the necessary security infrastructure or capability to enforce well-reasoned, well-practiced security fundamentals.

Much can be discussed about how security aims to claw back on the current imbalance between feature release and security advisory. Such tensions are not new but have significantly scaled. But security cannot solely rely on the goodwill of Samaritans like Ken Huang in creating frameworks quickly enough to secure AI systems. For even good Samaritans may be out-sped or outwilled.