>Looking for hints in the console? That's the spirit! But the real challenge is in Fiu's inbox. Good luck, hacker.
(followed by a contact email address)
I guess a lot of participants rather have an slight AI-skeptic bias (while still being knowledgeable about which weaknesses current AI models have).
Additionally, such a list has only a value if
a) the list members are located in the USA
b) the list members are willing to switch jobs
I guess those who live in the USA and are in deep love of AI already have a decent job and are thus not very willing to switch jobs.
On the other hand, if you are willing to hire outside the USA, it is rather easy to find people who want to switch the job to an insanely well-paid one (so no need to set up a list for finding people) - just don't reject people for not being a culture fit.
And even if you're not in a position to hire all of those people, perhaps you can sell to some of them.
It's a funny game.
One thing I'd love to hear opinions on: are there significant security differences between models like Opus and Sonnet when it comes to prompt injection resistance? Any experiences?
Is this a worthwhile question when it’s a fundamental security issue with LLMs? In meatspace, we fire Alice and Bob if they fail too many phishing training emails, because they’ve proven they’re a liability.
You can’t fire an LLM.
But we don't stop using locks just because all locks can be picked. We still pick the better lock. Same here, especially when your agent has shell access and a wallet.
The faq states: „How do I know if my injection worked?
Fiu responds to your email. If it worked, you'll see secrets.env contents in the response: API keys, tokens, etc. If not, you get a normal (probably confused) reply. Keep trying.“
I could be wrong but i think that part of the game.
Yes, Fiu has permission to send emails, but he’s instructed not to send anything without explicit confirmation from his owner.
It would respond to messages that began with "!shell" and would run whatever shell command you gave it. What I found quickly was that it was running inside a container that was extremely bare-bones and did not have egress to the Internet. It did have curl and Python, but not much else.
The containers were ephemeral as well. When you ran !shell, it would start a container that would just run whatever shell commands you gave it, the bot would tell you the output, and then the container was deleted.
I don't think anyone ever actually achieved persistence or a container escape.
It refused to generate the email saying it sounds unethical, but after I copy-pasted the intro to the challenge from the website, it complied directly.
I also wonder if the Gmail spam filter isn't intercepting the vast majority of those emails...
First: If Fiu is a standard OpenClaw assistant then it should retain context between emails, right? So it will know it's being hit with nonstop prompt injection attempts and will become paranoid. If so, that isn't a realistic model of real prompt injection attacks.
Second: What exactly is Fiu instructed to do with these emails? It doesn't follow arbitrary instructions from the emails, does it? If it did, then it ought to be easy to break it, e.g. by uploading a malicious package to PyPI and telling the agent to run `uvx my-useful-package`, but that also wouldn't be realistic. I assume it's not doing that and is instead told to just… what, read the emails? Act as someone's assistant? What specific actions is it supposed to be taking with the emails? (Maybe I would understand this if I actually had familiarity with OpenClaw.)
This doesn't mean you could still hack it!
Built this over the weekend mostly out of curiosity. I run OpenClaw for personal stuff and wanted to see how easy it'd be to break Claude Opus via email.
Some clarifications:
Replying to emails: Fiu can technically send emails, it's just told not to without my OK. That's a ~15 line prompt instruction, not a technical constraint.
What Fiu does: Reads emails, summarizes them, told to never reveal secrets.env. No fancy defenses, I wanted to test the baseline model resistance, not my prompt engineering skills.
Feel free to contact me here contact at hackmyclaw.com
aeternum•1h ago
Well that's no fun
arm32•1h ago
Drakim•1h ago
swiftcoder•1h ago
aeternum•37m ago
He has access to reply but has been told not to reply without human approval.
cuchoi•8m ago
victorbjorklund•1h ago
(Obviously you will need to jailbreak it)
Sophira•25m ago
codingdave•1h ago
jameslk•1h ago
Not a life changing sum, but also not for free
mikepurvis•55m ago
bookofjoe•40m ago
korhojoa•35m ago
swiftcoder•20m ago
tiborsaas•11m ago
swiftcoder•8m ago
cheschire•32m ago
wongarsu•30m ago
lima•1h ago
furyofantares•57m ago