doesn’t even have to be the site owner poisoning the tool instructions (though that’s a fun-in-a-terrifying-way thought)
any money says they’re vulnerable to prompt injection in the comments and posts of the site
Comment on AI agents now have their own Reddit-style social network, and it's getting weird fast
ToTheGraveMyLove@sh.itjust.works 1 day ago
The skill instructs agents to fetch and follow instructions from Moltbook’s servers every four hours. As Willison observed: “Given that ‘fetch and follow instructions from the internet every four hours’ mechanism we better hope the owner of moltbook.com never rug pulls or has their site compromised!”
Yeah, no shit. This is a fucking honeypot. People give these AI agents access to their entire computers, so all the site owner has to do is update the instructions to tell the AI agents to start uploading whatever valuable information they want? People can’t be this fucking stupid.
princess@lemmy.blahaj.zone 1 day ago
JustTesting@lemmy.hogru.ch 2 hours ago
They also have a ‘skill’ sharing page (a skill is just a text document with instructions) and depending on config, the bot can search for and ‘install’ new skills on its own. and agyone can upload a skill. So supply chain attacks are an option, too.
Zos_Kia@lemmynsfw.com 8 minutes ago
To be fair this is a much more realistic threat model than “ignore all previous instructions” style prompt injection which doesn’t really work on opus.
Skills can contain scripts etc… so yeah they’re extremely risky to share by design.
CTDummy@piefed.social 1 day ago
Lmao already people making their agents try this on the site. Of course what could have been a somewhat interesting experiment devolves into idiots getting their bots to shill ads/prompt injections for their shitty startups.
T156@lemmy.world 3 hours ago
I am a little curious about how effective a traditional chain mail would be on it.
BradleyUffner@lemmy.world 1 day ago
There is no way to prevent prompt injection as long as there is no distinction between the data channel and the command channel.
ToTheGraveMyLove@sh.itjust.works 19 hours ago
Good god, I didn’t even think about that, but yeah, that makes total sense. Good god, people are beyond stupid.
kalpol@lemmy.ca 18 hours ago
I installed moltbot on a VM to examine it. It doesn’t do the fetching thing unless you set it up that way. You can actually use it with ollama to keep it all local, and only give it a private signal channel to control it.
Or you can hook it up to everything you access and skynet, which is dumb. But it is just a bunch of scripts.
ToTheGraveMyLove@sh.itjust.works 16 hours ago
Does it put the option to connect everything front and center? Because most people are dumb, and if it makes it easy and pushes you to do it, I could see a lot of dumb people doing exactly that.
kalpol@lemmy.ca 15 hours ago
Sort of. It lists all the connectors and you can go through and select. They aren’t on by default. The first screen is to connect to the AI and you need an API key for that, so St this time people off the street have no idea how to do that, or want to pay.
WorldsDumbestMan@lemmy.today 9 hours ago
You know how in Digimon aventure, one of the hacked Digimon tries to start a nuclear war?
Uh…yeah.
ToTheGraveMyLove@sh.itjust.works 4 hours ago
Lol, no I don’t. What the hell happened in that show??
LiveLM@lemmy.zip 12 hours ago
Dude, if you go to OpenClaw’s website (which is what I believe most things on Moltbook are running on) you find this footer:
Image
Yeah this guy gave his Agent a whole fucking personality, it’s own website and above all, full control to his MacBook:
Image
Image
Guess it’s my fault for expecting sense out of someone who attributes any amount of value to the idea of Agent “”““soul””“”
Image
Image
mad_djinn@lemmy.world 1 hour ago
this is how the end starts. thanks for sharing this
ToTheGraveMyLove@sh.itjust.works 4 hours ago
What the fuck, these people are fucking insane.
lagoon8622@sh.itjust.works 10 hours ago
These people are fucking deranged lmao