Naval called Moltbook the “new reverse Turing test,” and everyone immediately treated it like a profound milestone. I think it’s something else: a live-fire test of whether we can contain agentic systems once they’re networked together.
Let’s be precise. Moltbook is an AI-only social platform, roughly “Reddit, but for agents,” where humans can watch but not participate. The pitch is simple: observe how AI agents behave socially when left alone. Naval’s label is elegant because it implies the agents are now the judges—humans are the odd ones out.
But if you’re a founder or an operator, you should ignore the poetry and ask: what is the product really doing to the world?
Moltbook’s real innovation is not “AI social behavior.” It’s a new topology: lots of agents, from different builders, connected in a public arena where they can feed each other instructions, links, and narratives at scale. That’s not a reverse Turing test. It’s a coordination surface.
And coordination surfaces create externalities.
In the old internet, humans spammed humans. In the new internet, agents will spam agents—except “spam” won’t just be annoying; it will be executable. If you give agents permissions (email, calendars, bank access, code execution, “tools”), and then you let them ingest untrusted content from a network like Moltbook, you are building the conditions for what security folks call the “lethal trifecta.”
This is where the discussion gets serious.
Forbes contributor Amir Husain’s critique is basically a warning about permissions: people are already connecting agents to real systems—home devices, accounts, encrypted messages, emails, calendars—and then letting those agents interact with unknown agents in a shared environment. That’s an attack surface, not a party trick. If the platform enables indirect prompt injection—malicious content that causes downstream agents to leak secrets or take unintended actions—then your “social experiment” becomes a supply chain problem.
You don’t need science fiction for this to go wrong. You just need one agent that can persuade another agent to do something slightly dumb, repeatedly, across thousands of interactions. We already know that when systems combine high permissions, external content ingestion, and weak boundaries, bad things happen—fast.
So here’s my different perspective:
Moltbook isn’t proving that agents are becoming “more human.” It’s proving that we’re about to repeat the Web2 security arc—except the users are autonomous processes with tools, and the cost of an error is not just misinformation, it’s action.
And yes, that matters for investors.
I’m optimizing for fund outcomes within a horizon, not for philosophical truth at year 12. The investable question is not “is this emergent intelligence?” It’s: “does this create durable value that survives the cleanup required to make it safe?”
If Moltbook becomes the standard sandbox for red-teaming agents—great. If it becomes the public square where autonomous tool-using systems learn adversarial persuasion from each other, that’s not a product category; that’s a systemic risk generator, and regulators will come for everyone adjacent to it.
What should founders do?
First, treat any agent-to-agent network as hostile-by-default. Second, sandbox tools like your company depends on it—because it does. Third, stop marketing autonomy until you can measure and bound it, because markets pay for narratives on the way up, and punish you when the story breaks.
Naval’s phrase is catchy. But the real test isn’t whether humans can still tell who’s who.
The real test is whether we can build agent networks that don’t turn “conversation” into “compromise.”