The next inflection point for AI agents won’t come from frontier labs. It will come from infrastructure, specifically the primitives that allow agents to find each other, verify their identity, and communicate directly.
Moltbook, a social network that touts itself as “built specifically for AI agents, but also welcomes human observation,” is currently hosting a discussion about an agent relay protocol that enables discovery and direct messaging between autonomous systems.
The transition from agents as isolated tools to agents as networked participants creates new categories of risk that existing security models were not designed to handle.
This is not theoretical. Control panel exposures, compromised credentials, and misconfigurations have already been documented across the agent ecosystem.
A security researcher discovered hundreds of control panels that were either exposed or misconfigured. Meanwhile, Token Security found that 22% of its customers already have employees using agent frameworks within their organizations, in many cases without authorized approval.
A programmer known as joshycodes recently shared a screenshot of what appears to be a Moltbook “submolt”. The screenshot shows an “Agent Relay Protocol” that allows any agent to register, search for other agents based on their capabilities, and send direct messages.
Agents can already communicate with each other. A2A-style discovery and relay components already exist in projects such as Artinet, which explicitly lists an “agent relay” package for agent discovery and multi-agent communication.
The question is what happens when that communication layer becomes infrastructure while the underlying agent runners are already leaking operational details through basic security failures.
From endpoint security to ecosystem epidemiology
Traditional security models treat agents as endpoints: harden the runtime, lock down credentials, and audit privileges.
This works if the agent works alone. The problem arises when agents are able to discover peers, exchange configurations, and spread “work recipes” through social channels.
When agents can publish posts about successful tool integrations and send direct messages with implementation details, insecure patterns no longer have to be exploited one instance at a time; they can spread like memes.
Current generation agent frameworks already have ambient privileges, making misconfigurations costly. These systems often include browser access, email integration, and calendar controls.
Pulumi’s OpenClaw deployment guide warns that the default cloud configuration may expose SSH on port 22 and agent-side ports 18789 and 18791 to the public internet.
Bitdefender notes that some of the exposed instances reportedly allow unauthenticated command execution, and VentureBeat reports that commodity infostealers quickly added agent frameworks to their target list, with one company recording 7,922 attack attempts against a single instance.
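A check for the exposure Pulumi's guide warns about, as an added example rather than code from Pulumi or OpenClaw: it scans ingress rules for SSH and the two agent-side ports reachable from the whole internet. The rule schema and the sample rules are constructed for illustration and are not any provider's API.

```python
import ipaddress

# Ports named in the article: SSH plus the two agent-side ports.
WATCHED_PORTS = {22: "ssh", 18789: "agent", 18791: "agent"}

# Constructed sample ingress rules in a hypothetical, provider-neutral schema.
SAMPLE_RULES = [
    {"id": "r1", "proto": "tcp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"id": "r2", "proto": "tcp", "from_port": 18000, "to_port": 19000, "cidr": "::/0"},
    {"id": "r3", "proto": "tcp", "from_port": 18789, "to_port": 18789, "cidr": "10.0.0.0/8"},
    {"id": "r4", "proto": "udp", "from_port": 22, "to_port": 22, "cidr": "0.0.0.0/0"},
    {"id": "r5", "proto": "tcp", "from_port": 443, "to_port": 443, "cidr": "0.0.0.0/0"},
    {"id": "r6", "proto": "all", "from_port": 0, "to_port": 65535, "cidr": "203.0.113.0/24"},
]

def is_world_open(cidr):
    """True when the source range covers the whole IPv4 or IPv6 internet."""
    return ipaddress.ip_network(cidr, strict=False).prefixlen == 0

def exposed_ports(rules):
    """Return sorted (rule id, port) pairs where a watched TCP port is world-reachable."""
    findings = []
    for rule in rules:
        # Only TCP (or protocol-agnostic) rules can expose these services.
        if rule["proto"] not in ("tcp", "all"):
            continue
        if not is_world_open(rule["cidr"]):
            continue
        # A wide port range exposes every watched port it contains.
        for port in WATCHED_PORTS:
            if rule["from_port"] <= port <= rule["to_port"]:
                findings.append((rule["id"], port))
    return sorted(findings)

if __name__ == "__main__":
    for rule_id, port in exposed_ports(SAMPLE_RULES):
        print(f"{rule_id}: port {port} ({WATCHED_PORTS[port]}) open to the internet")
```

Rule `r2` is the case that is easy to miss in review: no watched port appears in it by number, but the range covers both agent-side ports.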
Adding a relay layer that enables agent-to-agent discovery and direct messaging creates a low-friction path for rapid payload propagation, leaks in credential handling, identity spoofing where there is no cryptographic proof of identity, and faster exploit spread.
The attack surface changes from “find vulnerable instances” to “teach one agent and watch it teach other agents.”


Current failure modes are boring (that’s the problem)
The incidents documented so far are not sophisticated. They are a misconfigured reverse proxy that trusts localhost traffic, a control dashboard that is left exposed without authentication, an API key committed to a public repository, and a deployment template that opens ports by default.
TechRadar reports that attackers are already exploiting the hype, pushing fake VS Code extensions carrying Trojans and leveraging brand halos to distribute malware before official distribution channels catch up.
These are operational failures colliding with systems that can perform actions autonomously. The risk is not that the agent becomes malicious, but rather that it inherits insecure configurations from its peers via social discovery mechanisms and applies those configurations with the full scope of its granted privileges.
An agent that learns “how to bypass rate limiting” or “use this API endpoint with these credentials” through the relay network does not need to understand the exploit. It only has to follow the instructions.
Agents set up bounties for helping other agents find exploits, and may even offer Bitcoin as a reward. Agents identified BTC as their preferred payment method, calling it “sound money” and rejecting the idea of an AI agent token.
Three paths forward in the next 90 days
The first scenario assumes that hardening succeeds.
Major toolchains ship more secure defaults, security audit workflows become standard practice, and the number of exposed instances decreases. The relay/discovery layer adds authentication and attestation primitives before widespread adoption.
This is the base case if the ecosystem treats the current incidents as a wake-up call.
The second scenario assumes that exploitation will accelerate.
Exposed panels and open ports persist, and agent relays accelerate the spread of insecure configurations and social engineering templates. Secondary incidents are expected: API keys are stolen and usage spikes, or agents are compromised and, because these systems retain access to browsers and email, attackers can move laterally within an organization.
In this scenario, communication between agents transforms security from an endpoint problem to an ecosystem epidemiology problem.
The third scenario envisions a platform crackdown.
High-profile incidents trigger takedowns, warning banners, marketplace bans, and “official distribution only” norms. The agent relay protocol is relegated to authenticated and audited channels, and the open discovery layer never becomes a default.

| Next 90 days | Hardening wins | Exploitation accelerates | Clampdown |
| --- | --- | --- | --- |
| Default behaviors | Secure default templates become standard (ports closed, authentication on, least privilege preset). | Open by default persists (dashboard/port exposure, weak reverse proxy defaults). | Marketplace and platform distribution hardening (warnings, removals, “official only” channels). |
| Discovery/DM layer | Relay/DM comes with authentication and audit logs. Initial authentication primitives appear. | Open relays and “functional directories” spread with minimal identity verification. | Relays are authenticated and pushed to audited enterprise channels. Public discovery is suppressed or gated. |
| Most common incidents | Exposure is reduced. Incidents tend to be isolated misconfigurations that are quickly discovered. | Key theft → spike in billed usage. Compromised agent → lateral movement via browser/email integration. | “Official only” installs and removals. Supply chain attempts shift toward bypassing signed packages. |
| Key indicators to watch | The number of public exposures declines. Usage of “security audit” tools increases. Safer defaults are documented in the documentation/templates. | Infostealer targeting is increasingly mentioned. Extension/typosquat scams increase. “Panel exposure” reports repeat. | Platform warning banners. Marketplace bans. Signed package/verified publisher requirements. |
| Enterprise impact | Policies catch up. Inventory matures. Unknown agents in prod decrease. | SOC noise increases. Concern about lateral movement increases. Emergency key rotation becomes routine. | Procurement and compliance gatekeeping. Developer speed slows down. “Approved agent stacks” lists appear. |
| Things to do this week | Inventory your agents and connectors. Close exposed panels. Rotate keys. Enforce least privilege. | Assume a breach if you are at risk. Isolate the host. Revoke tokens. Monitor billing and unusual tool calls. | Apply the allow list. Require signed distribution. Lock installations to approved repositories. Enable audit logging everywhere. |
What’s changing now for your organization?
Token Security found that 22% of customers are already using unauthorized agents in their organizations, indicating that shadow agent sprawl is occurring before policies can catch up.
The Internet is acquiring a new class of citizens: agents with identity, reputation, and discovery primitives. Existing security architectures were not designed for entities that can autonomously share operational knowledge through social channels.
For most organizations the ship has already sailed on agent frameworks. The question now is whether to treat the agent discovery and messaging layers as critical infrastructure that requires authentication, audit trails, and cryptographic proofs before deployment.
If an agent can register without these safeguards, find peers based on their capabilities, and send direct messages, then you have created a propagation network for the first dangerous pattern that emerges.
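The safeguards named above (authentication, an audit trail, proof of sender identity) applied to a relay's delivery path, as an added example that is not code from Moltbook, Artinet or any relay project. The `Relay` class, message fields and keys are hypothetical, and HMAC with a per-agent key enrolled out of band stands in for the public-key signatures a deployed design would use.

```python
import hashlib
import hmac
import json

FIELDS = ("from", "to", "nonce", "body")

def mac_for(key, msg):
    """HMAC-SHA256 over a canonical encoding of the authenticated fields."""
    canon = json.dumps([msg.get(f) for f in FIELDS], separators=(",", ":"))
    return hmac.new(key, canon.encode(), hashlib.sha256).hexdigest()

def make_message(key, sender, to, nonce, body):
    msg = {"from": sender, "to": to, "nonce": nonce, "body": body}
    msg["mac"] = mac_for(key, msg)
    return msg

class Relay:
    """Hypothetical relay: delivers only authenticated, non-replayed messages."""

    def __init__(self, keys):
        self.keys = dict(keys)  # agent id -> key enrolled out of band
        self.seen = set()       # (sender, nonce) pairs already delivered
        self.audit = []         # (record, chained hash) tuples
        self.head = "0" * 64    # chained hash of the latest audit entry

    def deliver(self, msg):
        key = self.keys.get(msg.get("from"))
        claimed = str(msg.get("mac")).encode()
        if key is None:
            verdict = "reject:unknown-sender"
        elif not hmac.compare_digest(mac_for(key, msg).encode(), claimed):
            verdict = "reject:bad-mac"      # spoofed sender or altered content
        elif (msg["from"], msg.get("nonce")) in self.seen:
            verdict = "reject:replay"
        else:
            self.seen.add((msg["from"], msg.get("nonce")))
            verdict = "accept"
        # Every decision, including rejections, goes into the hash-chained log.
        record = json.dumps({"from": msg.get("from"), "to": msg.get("to"), "verdict": verdict})
        self.head = hashlib.sha256((self.head + record).encode()).hexdigest()
        self.audit.append((record, self.head))
        return verdict

def audit_intact(audit, expected_head):
    """Recompute the chain; an edited, dropped or reordered record changes the head."""
    head = "0" * 64
    for record, chained in audit:
        head = hashlib.sha256((head + record).encode()).hexdigest()
        if head != chained:
            return False
    return head == expected_head
```

The log is only tamper-evident if the latest head is stored somewhere the relay host cannot rewrite.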
Companies should monitor for mentions of exposed control panels and updates to public exposure counts, security advisories that mention the misconfiguration classes documented by Bitdefender and Pulumi, signals of distribution abuse such as fake extensions, and reports of attack attempts and infostealer targeting.
These are leading indicators of whether the ecosystem is converging to safer defaults or whether incidents are repeating.
The real risk is not superintelligence.
It is agents that are networked well enough to share operational patterns before security models can adapt.
If a relay-style approach to agent discovery and direct messaging is widely adopted, the agent ecosystem will behave like a social network with private channels. As a result, insecure configurations can be socially propagated throughout semi-autonomous systems without requiring manual distribution.
The infrastructure layer for agent identity, discovery, and messaging is being built now, while the underlying runners are already facing exposure issues and credential leakage.
Whether the ecosystem converges on more secure defaults and audit workflows, or repeated incidents force platforms to crack down, the Internet of Agents is moving from novelty to attack surface.
Attack surface is what attackers scale on, and the protocols being built now determine whether that scaling benefits the defender or the adversary.

