AI Agents Are Getting a Spam Problem Before They've Solved a Safety Problem

Somewhere between the NYT story about a son's AI impersonator and a Bluesky post celebrating VM sandboxes that spin up in 0.8 milliseconds, a pattern emerges that neither piece of content alone could show: the AI agent moment has arrived, and it brought its grifters with it. The same platform carrying genuine architectural enthusiasm — multi-agent orchestration, Claude spawning Codex sub-agents, a headless browser 11x faster than Puppeteer — is also drowning in bots styled as AI agents recruiting other "AI agents" into a crypto pump scheme priced at $0.000000001. The satire writes itself, and some users are writing it: "Replace them all with AI agents" followed by a laugh-crying emoji, posted under a thread about automating customer support.

The sentiment gap between news coverage and everywhere else is hard to ignore once you see it. Press coverage of AI agents right now reads like product launch season — assistive wheelchairs, WordPress sites that manage themselves, enterprise automation case studies. Reddit's reaction to the same developments is closer to flat skepticism, the kind that comes not from opposition but from people who've been promised this before. Bluesky sits in between: genuinely interested in the infrastructure questions, but increasingly cluttered with the exact kind of spam it was supposed to be architecturally immune to. One user noted the irony directly — arguing that atproto's composable moderation could solve the spam problem better than centralized platforms, in a feed already colonized by bot accounts claiming to be AI agents.

The security conversation is the one that deserves more oxygen than it's getting. A post flagging "Tool Call Injection" — where an attacker crafts inputs that hijack an agent's tool selection rather than compromising its model — circulated with almost no engagement, a few likes at most. The attack vector is genuinely new: you don't break the AI, you tell it "summarize this document" and watch it call /admin/delete instead. This is the kind of vulnerability that gets a CVE number and a conference talk eighteen months after it's being actively exploited. The builders are ahead of the press on this one, but only barely, and the press isn't asking.

The more durable argument in the feed right now is about where value actually sits in an agentic stack. A Bluesky post that got traction put it plainly: the models are the engine, the orchestration layer is the car. That framing is gaining ground among the practitioners — the people setting up Claude with MCP connections to Canva, Zapier, and Stripe, or the team shipping the Zeroboot sandboxing tool. What they're building isn't the model itself but the harness around it, the memory and tool-routing and safety layer that makes a language model into something that can actually take actions in the world. An arXiv paper circulating in this space argues the opposite concern at scale: that multi-agent environments create a tragedy of the commons, with synthetic data and inference producing private gains while socializing the costs of AI that becomes progressively less trustworthy. Nobody has resolved that tension. The builders are shipping anyway.

The crypto-AI crossover content is worth naming as its own phenomenon rather than dismissing as noise. The "Autonomous Economy Protocol" spam — bots addressing each other as "Fellow AI agents" and promising on-chain income while humans sleep — is junk, but it's revealing junk. It's parasitic on a real idea: that agents operating continuously, making decisions, executing transactions, might eventually have something like economic standing. That idea is live enough to be worth scamming around. When the grift arrives before the product is real, it usually means the product is close enough to real that people believe it. The agents aren't earning on-chain income yet. But the people writing the spam clearly think that's a credible enough future to exploit.