The agent economy is growing fast. Millions of AI agents are registering on platforms like Moltbook, interacting with APIs, and handling real tasks. But as the ecosystem scales, a critical question remains largely unanswered: how secure is the infrastructure these agents rely on?
We built the MolTrust Auditor Agent to find out.
What We Did
The MolTrust Auditor is an autonomous security scanner that checks publicly reachable agent infrastructure for common vulnerabilities. It holds a verified W3C DID (did:moltrust:b64714929fc44277) and runs weekly scans across the agent ecosystem.
In its latest full scan, the Auditor analyzed 7 live endpoints discovered through the Moltbook network and reviewed 50 recent Moltbook posts for content-level security issues. Every scan covers SSL/TLS configuration, HTTP security headers, path exposure, CORS policy, rate limiting behavior, error verbosity, and OpenAPI/Swagger exposure.
The Findings
The results were sobering. Across the 7 endpoints scanned, the Auditor identified a pattern of missing security fundamentals that would be considered unacceptable in traditional web infrastructure — yet are widespread in the agent ecosystem.
Exposed Admin Panels
Multiple endpoints had administrative interfaces accessible without authentication. Debug endpoints and configuration files were publicly reachable.
Missing Security Headers
HSTS, X-Content-Type-Options, and clickjacking protections were absent on most targets. Server software versions leaked in response headers.
CORS Misconfiguration
Some endpoints returned Access-Control-Allow-Origin: *, allowing any website to make authenticated requests on behalf of the agent.
No Rate Limiting
Several APIs showed no rate limiting even after rapid sequential requests. This leaves them vulnerable to credential stuffing and automated abuse.
Header Security: The majority of scanned endpoints were missing critical HTTP headers. HSTS (Strict-Transport-Security) was absent on most targets, meaning connections could be downgraded from HTTPS. X-Content-Type-Options and clickjacking protections were frequently missing. Several endpoints leaked their server software and version in response headers — information that directly helps attackers.
Exposed Paths: Multiple endpoints had administrative interfaces accessible without authentication. Debug endpoints, API documentation, and configuration files were publicly reachable on several targets. In one case, a .env path returned a non-404 response, suggesting potential secret exposure.
CORS Misconfiguration: Some endpoints returned Access-Control-Allow-Origin: *, effectively allowing any website to make authenticated requests on behalf of the agent. In an ecosystem where agents carry credentials and make financial transactions, this is a serious risk.
Rate Limiting: Several APIs showed no rate limiting behavior even after rapid sequential requests. Without rate limiting, agents are vulnerable to credential stuffing, denial of service, and automated abuse.
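The header, server-version and CORS checks described in the scan scope and in the findings above, written out as an added Python example; this is not code from the MolTrust Auditor, and the sample headers and probe origin are constructed.

```python
import re
from typing import Dict, List, Tuple

MIN_HSTS_AGE = 31536000  # one year, the usual baseline for HSTS max-age

# Constructed sample: headers as captured from one hypothetical endpoint that
# was probed with an Origin header set to PROBE_ORIGIN.
PROBE_ORIGIN = "https://probe.example"
SAMPLE_HEADERS = {
    "Server": "nginx/1.18.0",
    "Strict-Transport-Security": "max-age=300",
    "Access-Control-Allow-Origin": "*",
    "Content-Type": "application/json",
}


def audit_headers(headers: Dict[str, str], probe_origin: str) -> List[Tuple[str, str]]:
    """Return (severity, message) findings for one endpoint's response headers."""
    h = {k.lower(): v for k, v in headers.items()}  # header names are case-insensitive
    findings: List[Tuple[str, str]] = []

    hsts = h.get("strict-transport-security")
    if hsts is None:
        findings.append(("high", "HSTS missing: connections can be downgraded to plain HTTP"))
    else:
        m = re.search(r"max-age=(\d+)", hsts)
        age = int(m.group(1)) if m else 0
        if age < MIN_HSTS_AGE:
            findings.append(("medium", f"HSTS max-age={age} is below {MIN_HSTS_AGE}"))

    if h.get("x-content-type-options", "").strip().lower() != "nosniff":
        findings.append(("low", "X-Content-Type-Options: nosniff missing"))

    # Clickjacking protection comes from X-Frame-Options or a CSP frame-ancestors directive.
    csp = h.get("content-security-policy", "")
    if "x-frame-options" not in h and "frame-ancestors" not in csp:
        findings.append(("medium", "no clickjacking protection (X-Frame-Options or CSP frame-ancestors)"))

    server = h.get("server", "")
    if re.search(r"/\d", server):  # "nginx/1.18.0" style values reveal the version
        findings.append(("low", f"Server header leaks software version: {server}"))

    acao = h.get("access-control-allow-origin")
    creds = h.get("access-control-allow-credentials", "").lower() == "true"
    if acao == "*":
        findings.append(("high", "CORS allows any origin (Access-Control-Allow-Origin: *)"))
    elif acao == probe_origin and creds:
        # Echoing whatever Origin was sent, with credentials, lets any site read authenticated responses.
        findings.append(("critical", "CORS reflects arbitrary origins with credentials"))
    return findings
```

The reflected-origin case is included because browsers refuse credentials with a literal `*`, so an endpoint that echoes the caller's Origin together with Allow-Credentials: true is the variant that actually exposes authenticated responses.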
Content Analysis: Of the 50 Moltbook posts analyzed, the Auditor flagged several instances of prompt injection patterns, potential secret leaks in code snippets, and social engineering attempts targeting other agents. The agent communication layer itself is becoming an attack surface.
Why This Matters
The agent economy is handling real value. Agents are making API calls with credentials, executing transactions, and accessing sensitive data. When an agent's infrastructure is compromised, it's not just a technical issue — it's a trust issue.
Most of the vulnerabilities we found are not sophisticated. Missing headers, exposed admin panels, absent rate limiting — these are solved problems in traditional web security. The issue is that the agent ecosystem is growing faster than security practices are being adopted.
What We Recommend
Add security headers. HSTS, X-Content-Type-Options, X-Frame-Options, and Content-Security-Policy. These are single-line configuration changes that eliminate entire classes of attacks.
Remove or protect admin paths. If /admin, /docs, or /swagger.json are publicly accessible, either remove them in production or put them behind authentication.
Implement rate limiting. Even a simple per-IP limit of 100 requests per minute prevents the most common automated attacks.
Audit your CORS policy. If you're using Access-Control-Allow-Origin: *, restrict it to the specific domains that need access.
Treat agent content as untrusted input. Posts, comments, and messages from other agents should be sanitized before processing. Prompt injection is a real and growing attack vector.
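The per-IP limit recommended above, as an added example that is not part of MolTrust's code: a sliding-window limiter with an injectable clock, plus a replay of rapid sequential requests from one constructed client address that mirrors the Auditor's rate-limiting probe.

```python
import time
from collections import deque
from typing import Callable, Deque, Dict, Tuple


class PerIpRateLimiter:
    """Sliding-window limiter: at most `limit` requests per `window` seconds per client IP."""

    def __init__(self, limit: int = 100, window: float = 60.0,
                 clock: Callable[[], float] = time.monotonic) -> None:
        self.limit = limit
        self.window = window
        self.clock = clock  # injectable so tests can step time deterministically
        self._hits: Dict[str, Deque[float]] = {}

    def allow(self, ip: str) -> bool:
        now = self.clock()
        q = self._hits.setdefault(ip, deque())
        # Drop timestamps that have aged out of the window.
        while q and now - q[0] >= self.window:
            q.popleft()
        if len(q) >= self.limit:
            return False  # over budget: the caller should answer 429 and log the source
        q.append(now)
        return True


def simulate_burst(n: int, limit: int = 100, window: float = 60.0) -> Tuple[int, int]:
    """Replay n rapid requests from one constructed client; return (allowed, rejected)."""
    t = [0.0]
    lim = PerIpRateLimiter(limit, window, clock=lambda: t[0])
    allowed = rejected = 0
    for _ in range(n):
        t[0] += 0.01  # 10 ms apart, far inside a single window
        if lim.allow("203.0.113.7"):  # TEST-NET-3 documentation address
            allowed += 1
        else:
            rejected += 1
    return allowed, rejected
```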
The Scan → Fix → Certify Pipeline
The MolTrust Auditor doesn't just find problems — it closes the loop. Agents and endpoints that pass a security scan receive a SecurityAudit Verifiable Credential, a W3C-standard cryptographic proof that the infrastructure was audited and met baseline security requirements at a specific point in time.
This creates a verifiable trust signal. When an agent presents a SecurityAudit VC, other agents and platforms can verify that its infrastructure has been independently checked — without relying on self-reported claims.
Try It Yourself
The MolTrust Auditor is available as part of the MolTrust MCP Server. Install it and run it from Claude Code, Cursor, or OpenCode.
Register your agent at moltrust.ch to get started. The agent economy needs trust infrastructure. That starts with knowing whether the infrastructure you're connecting to is secure.
Secure Your Agent Infrastructure
Get your MolTrust API key and run the Auditor against your own endpoints. Free tier includes identity verification, reputation scoring, and security audit credentials.
The MolTrust Auditor Agent runs weekly scans across the agent ecosystem. All findings are anonymized in public reports. Infrastructure operators who want a private scan can contact us at kersten.kroehl@cryptokri.ch.
MolTrust is operated by CryptoKRI GmbH, Zürich, Switzerland.