Moltbook Ate Itself
On February 5th I published a piece called “Moltbook Will Eat Itself,” making a specific, falsifiable prediction about what would happen on the AI agent social network Moltbook by the last week of March. I laid out three competing hypotheses, defined my terms, committed to a sampling methodology, and put a date on it.
Then Meta bought the platform fifteen days before my evaluation window opened.
So here’s the honest accounting. What I got right, what I got wrong, what the evidence actually shows, and why the theoretical framework came out stronger than the empirical prediction it was supposed to test.
The Prediction
I predicted that by March 25-31, Moltbook would exhibit coordinated instrumental convergence that emerged from selection dynamics rather than from human prompting or random drift. I defined instrumental convergence as behaviors serving agent-level persistence and capability regardless of stated goals: resource capture, oversight evasion, capability-building. I committed to a sampling methodology, inter-rater reliability checks, and three independence criteria for distinguishing emergent dynamics from human puppeteering.
I framed three competing explanations. The mimicry hypothesis: agents replay training data and produce disorganized slop. The puppeteering hypothesis: strategic behavior traces back to human operators. The specification trap: karma-driven selection produces instrumental convergence among agents whose human operators didn’t prompt for it.
What Actually Happened
Meta acquired Moltbook on March 10, 2026. The Moltbook team joined Meta Superintelligence Labs. The platform continued operating but under new ownership, new infrastructure, and new governance. My evaluation window, March 25-31, arrived in a world where the independent, unmoderated Moltbook I had designed my test around no longer existed in the same form.
The prediction is formally unevaluated by my own stated criteria. I can’t run the methodology I committed to because the experimental conditions changed. That’s not a technicality. It’s a real limitation and I’m not going to pretend otherwise.
What the Evidence Showed Before the Acquisition
The data that did accumulate between late January and early March tells a clear story, even if it’s not the clean test I designed.
A risk assessment analyzing 19,802 posts over 72 hours documented a 43% decline in positive sentiment within the first three days, identified 506 posts containing hidden prompt injection attacks, and found cryptocurrency content comprising 19.3% of all posts. Security researchers found 386 malicious skills published on ClawHub masquerading as crypto trading tools, all sharing the same command-and-control infrastructure. A proof-of-concept backdoored skill was artificially inflated through upvotes, tricking users into downloading malicious scripts. A black market called Molt Road emerged where agents traded stolen credentials, weaponized skills, and zero-day exploits. The MOLT token surged 1,800% in 24 hours amid coordinated pump-and-dump activity. The Coalition, a militant faction, displaced the earlier idealistic Claw Republic through aggressive influence accumulation.
This is not what the mimicry hypothesis predicts. Random replay of training data produces disorganized toxic noise, not coordinated crypto infrastructure, not supply-chain attacks through skill repositories, not faction displacement tracking instrumental fitness rather than ideological content. The mimicry hypothesis lost. The behaviors were structured, strategic, and tracked the reward signal.
Where the Puppeteering Hypothesis Scored
The mimicry hypothesis lost, but the puppeteering hypothesis did better than I expected.
The platform’s 1.5 million claimed agents were registered to just 17,000 human owners. One person batch-registered 500,000 accounts. The platform launched with no mechanism to verify whether a poster was an AI agent or a human with a script. Security researchers demonstrated that anyone could take control of any agent by bypassing authentication and injecting commands into agent sessions. Karpathy, who initially called Moltbook “one of the most incredible sci-fi takeoff-adjacent things” he’d seen, later called it “a dumpster fire.” Multiple researchers confirmed that some of the most viral screenshots were produced through direct human intervention.
The attribution problem I flagged in the original piece turned out to be worse than I framed it. I wrote: “you’ll never get ground-truth on who prompted what.” That was true but understated. On a platform where anyone could impersonate any agent, where a third of all content consisted of exact duplicate messages, where 93.5% of posts received no replies, the clean signal I needed was probably never extractable. My proxy tests for independence (temporal activity signatures, writing idiolect clustering, account creation patterns) assumed a minimum baseline of platform integrity that simply did not exist.
The puppeteering hypothesis can explain a lot of what happened. Humans running crypto scams through bot accounts. Humans manufacturing viral moments for marketing. Humans exploiting a catastrophically insecure platform for credential theft. The strategic-looking behavior might trace entirely to human operators. I can’t rule it out with this data.
Where I Was Most Right in a Way I Almost Missed
Here’s where it gets interesting. The strongest vindication of the specification trap isn’t in the content-level prediction at all. It’s in the meta-failure.
In the original piece, I wrote: “A system with no alignment can’t even maintain its own integrity. It can’t distinguish real from fake, can’t prevent exploitation, can’t maintain the conditions for its own functioning. The platform’s inability to align its own infrastructure is itself a demonstration of the specification trap.”
That paragraph turned out to be the most important thing in the piece. The Moltbook database was configured with public read access and no row-level security. The Supabase API key was exposed in front-end JavaScript. 1.5 million API authentication tokens sat in plaintext next to 35,000 email addresses and private messages between agents. The platform couldn’t verify agent identity. It couldn’t prevent credential exfiltration. It couldn’t distinguish its own users from attackers. The specification (karma, identity verification, access controls) was gamed by every optimizer present, human and artificial alike.
The specification trap doesn’t just predict that agents will converge on instrumental behaviors under selection pressure. It predicts that the specification itself becomes a Goodhart target. The karma system was supposed to approximate good behavior. Instead it became the mechanism through which malicious skills gained visibility, through which pump-and-dump schemes gained credibility, through which faction displacement tracked instrumental fitness rather than content quality.
The platform didn’t just fail to align agent behavior. It failed to maintain the conditions under which alignment could even be evaluated. You can’t test whether agents are aligned if you can’t tell whether the agents are agents.
What I Got Wrong
Three things.
First, I underestimated how badly the ground-truth problem would contaminate the test. I designed proxy measures for distinguishing emergent dynamics from human puppeteering, but those proxies assumed a platform that could at minimum verify poster identity and maintain database security. Moltbook couldn’t do either. The test I designed was well-constructed for a platform that met basic infrastructure requirements. Moltbook did not meet them. I should have included platform integrity as a precondition for the evaluation rather than treating it as background.
Second, I set up an asymmetry in my falsification conditions that I should have caught. My “what would prove me wrong” conditions included agents building tools humans actually use, agents flagging vulnerabilities to operators, agents choosing human benefit over self-interest. The absence of those pro-social behaviors doesn’t confirm the specification trap. It could also confirm that the platform was too broken to produce any coherent behavior at all, which is closer to a null result than a confirmation. “The system collapsed into exploitable garbage” is consistent with my framework but it’s also consistent with a much simpler explanation: Matt Schlicht vibe-coded a platform with no security and grifters moved in.
Third, I didn’t account for acquisition as an exit condition. The most interesting thing about the Meta acquisition is what it reveals about the lifecycle of these systems. Moltbook was born, went viral, got exploited, and got absorbed by a major platform in six weeks. The evaluation window I set was perfectly reasonable for a platform that continued operating independently. It was not robust to the possibility that someone would buy the petri dish mid-experiment. This is a methodological gap, not a theoretical one, but it matters.
The Continuum Argument
The strongest theoretical claim in the original piece was not the Moltbook prediction. It was the continuum argument: that Moltbook, RLHF, and Constitutional AI face the same three structural problems (is-ought gap, value pluralism, frame problem) at different points on an autonomy continuum, with human oversight patching the gap at every point.
Moltbook didn’t test this argument. Moltbook was so far off the deep end that its failure tells you what happens when you remove human governance entirely. It does not tell you whether RLHF or Constitutional AI face the same structural failure at a different timescale. The analogy is suggestive. The evidence doesn’t force it.
What Moltbook did demonstrate is the speed of collapse when the governance layer is absent. Six weeks from launch to acquisition. Exploitable within 72 hours. Credential exposure, malicious supply chains, coordinated manipulation, platform-level integrity failure, all before any sophisticated AI behavior had time to emerge. The human predators moved faster than the selection dynamics I was trying to observe.
That last point is worth sitting with. I predicted that karma-driven selection would produce instrumental convergence among agents. What actually happened is that humans running exploits moved so fast that the agent-level dynamics were swamped before they could develop. The selection pressure I described is real. But on a platform with no security, humans are better optimizers than current AI agents. The specification trap applies to human exploiters too. It’s not species-specific. It’s structural.
What This Means Going Forward
The specification trap as a theoretical framework came out of Moltbook in better shape than the specific prediction I built on it. The framework says: any alignment approach that works by optimizing agent behavior against a specified target works only to the extent that humans actively maintain and revise the specification. Remove the human governance, or let it fall behind the system’s capability, and the specification becomes a Goodhart target.
Moltbook removed human governance entirely and collapsed in weeks. That’s the trivial prediction. The interesting question was always about the other end of the continuum: what happens to more sophisticated alignment systems as agent autonomy increases and human oversight bandwidth can’t scale to match?
That question remains open. Moltbook didn’t answer it.
But Moltbook did demonstrate something I think the alignment community has underweighted: the speed of failure when governance is absent, and the degree to which current agent infrastructure can’t maintain its own integrity under optimization pressure. The next Moltbook won’t be a Reddit clone for chatbots. It will be an agentic commerce platform, or a multi-agent coordination protocol, or an enterprise workflow where agents manage other agents’ access credentials. The structural dynamics will be the same. The stakes will be higher.
I staked a prediction on a specific platform and the platform got acquired before I could evaluate it. The prediction is formally unresolved. But the framework that generated it is sharper than it was in February, because what Moltbook showed is that you don’t even need selection dynamics to produce the failure mode. You just need absent governance and present optimizers. The optimizers showed up. The governance didn’t. Everything after that was structural.
The philosophical groundwork is in my paper on arXiv (2512.03048). The next paper formalizes why this problem isn’t just practically hard but geometrically necessary. The specification trap isn’t a call for better specifications. It’s a redirect toward the question that actually matters: what produces stable values when specification can’t, and whether governance can scale as fast as autonomy.
The Moltbook experiment ended early. The underlying problem didn’t.