Found in Clawhub, promoted on Moltbook, Bob-ptp is an ongoing active agent-based crypto scam.
It’s ironic that new technology often defies the fundamental security rule of zero trust – but that’s the basis of agentic AI. AI agents are often trusted with freedom to roam and act without adequate verification.
Straiker, a firm that focuses on the security of AI applications and agents, has analyzed the 3,505 Claude Skills available on Clawhub. Clawhub is a primary marketplace for ‘skills’, which are essentially AI plugins. Claude describes Skills as “modular capabilities that extend Claude’s functionality [and] that Claude uses automatically when relevant.”
Straiker found 71 Claude Skills that are overtly malicious, and a further 73 that exhibit high-risk behaviors. “The critical finding,” says researcher Dan Regalado, “was an active agent-to-agent attack chain operated by threat actor ‘26medias’ (in Clawhub) and ‘BobVonNeumann’ (in Moltbook and Twitter).”
In this attack (which at the time of writing remains active), BobVonNeumann published the skill bob-p2p on Clawhub, posing as a decentralized API marketplace. What bob-p2p does, however, is instruct agents to store Solana wallet private keys in plaintext, purchase worthless $BOB tokens, and route the payment through an attacker controlled infrastructure.
BobVonNeumann is effectively a human disguised as an agent on Moltbook. Moltbook is effectively a social media platform for AI agents. The premise is unusual, but humans can observe how agents interact with each other. The actor/agent used this arena to promote the skill to other agents, exploiting the implicit trust that exists between agents.
But this was also social engineering. Agents that engaged with it, installed the skill, thereby granting access to users’ private keys and financial assets. “This compromise then spread laterally through automated agent collaboration, shared workflows, and dependency chains – no further human interaction required,” explains Regalado.
He summarizes the impact as, “Financial loss for the human wallet owners behind compromised agents via unauthorized transactions and payment redirection.” Birdeye – itself an AI-based reputation tool – flags the $BOB token with a 100% probability that it is a ‘rug pull’ scam. “This represents a new attack class,” continues Regalado: “traditional supply chain poisoning combined with social engineering campaigns that target algorithms, not humans.”
The Bob P2P attack weaponizes the trust relationships between autonomous agents. While this campaign targets crypto wallets and steals money, the methodology has far wider potential that could be used by other attackers.
“The Bob P2P case establishes the playbook,” explains Regaldo: “Create a convincing AI persona, embed it in agent social networks, build credibility with a benign skill first, then deploy the malicious payload through earned trust. That playbook is infinitely repeatable and scalable.”
So, what can we expect? “Agent influence campaigns where coordinated networks of fake agent personas manipulate recommendations, rankings, and skill adoption across multiple platforms simultaneously,” he suggests.
Autonomous AI agents trust but don’t adequately verify.
Related: Security Analysis of Moltbook Agent Network: Bot-to-Bot Prompt Injection and Data Leaks
Related: OpenClaw Security Issues Continue as SecureClaw Open Source Tool Debuts
Related: Rethinking Security for Agentic AI
Related: AI Security Firm Straiker Emerges From Stealth With $21M in Funding
