The B

Episode 34



Moltbook went viral as a “social network for AI agents,” with headline stats designed to scream inevitability. But the most important detail wasn’t the volume of posts or the bot-on-bot chatter. It was the illusion: fluent output getting mistaken for real agency, until a viral “agent” post was revealed to be human-planted marketing.

In this episode, we use Moltbook as a case study for the real agent story: once an AI system is connected to tools—email, browser, files, automations—the risk profile changes completely. The critical issue is prompt injection: malicious instructions hidden in normal content that an agent reads and misinterprets as commands, because to an LLM, information and instruction are both just text.

We also cover the uncomfortable trade-off the industry keeps trying to dodge: the more useful an AI assistant becomes, the more access it needs—tokens, permissions, accounts—and the bigger the blast radius when it fails. Proposed defenses exist, but none are clean: training resistance, input filtering, permission restrictions, and approval layers all reduce risk while also reducing usefulness.

Bottom line: ignore the theater. Evaluate agents by one question—what can it touch? Because the real story isn’t whether models can think. It’s whether we’re willing to hand non-thinking systems the keys and call it productivity.

Some things read better than they sound—charts and data included in the written edition.


By Ben Esmael