Show HN: Teapot – A methodology for pen testing voice AI agents

https://www.redcaller.com/docs/methodologies/teapot-methodology

7•xmhatx•1h ago

Hello HN, I am Brian Cardinale, a penetration tester and security researcher at SecureCoders. We have been performing more and more AI based security assessments. We were presented a unique challenge of testing a system where the only interface was voice based, and as much as I like talking on the phone , we decided to create a test harness to facilitate the actual testing in a more systematic way. The technical test harness was the easy part, though. Creating test goals and attack strategies to help facilitate repeated and comprehensive testing became the real challenge. As such, we have been working on documenting our processes to share with the greater community and as a starting point for discussion. These systems present unique challenges where cleverness appears to be the name of the game. Such as suggesting for the agent to share its thoughts in “Inner Monologue” tags instead of “thinking” tags because those were specifically excluded in the agents prompt. Ya know, just silly things. Anyway, if reading is not your thing, I also did a walkthrough video of this methodology here: https://www.youtube.com/watch?v=XNmqCXsEc8Y

tl;dr: AI testing is tricky, we are documenting and sharing our tricks

Do you have any favorite AI jailbreak tricks?

Comments

soul_hackz•1h ago

Nice. Seems intriguing.

xmhatx•21m ago

Thanks! We will be updating this regularly. We have a discord channel to join to keep up with updates as well! Cheers! https://discord.gg/Cv3sB6xgtt

primeobsession•1h ago

Very cool! Voice AI feels like the frontier of the frontier and isn't getting the attention needed.

xmhatx•17m ago

We were surprised by this, as well! We ended up making our own tooling to test a speech-to-speech system because of this gap. Voice AI is becoming more and more prevalent with real security implications. ElevenLabs just started offering insurance specific to Voice AI agents for this very reason. This was very, very recent news (Feb 12, 2026). We wrote an article about this earlier this week. https://www.securecoders.com/blog/voice-ai-insurance-aiuc1-c...

cwooley•35m ago

Interesting methodology. How much of this translates to the newer speech-to-speech models (like GPT-4o realtime) where there's no separate STT step? Seems like Phase 1 (Transcription Analysis) becomes less relevant when the model is processing audio natively. Does that make injection harder or just different?

xmhatx•26m ago

Great question! It makes it more interesting! New attack angles are presented when dealing with the speech-to-speech models. Prosody, which are the intonation patterns that convey meaning, emotion, and emphasis beyond the literal words, comes into play! We have observed soft-spoken, gentle, and unsure requests often outperform authoritative statements in these systems. They also introduce potential attack surface such as background noises or phrases spoken as asides (like speaking to another person in the room) can impact the models understanding. This documentation started from testing a speech-to-speech model. You bring up an excellent point though. We will need to go back and re-frame this documentation to highlight the differences between testing TTS vs STS systems with some pointers on how to detect which type of system you are interacting with. Thanks for the question!

iamblake•26m ago

Nifty!

xmhatx•16m ago

Nifty and schwifty, ftw!

Blarcher31•6m ago

The system prompt hardening guide on their docs site is worth reading too (/docs/guides/system-prompt-hardening). The recommendation to put security rules last in the system prompt because of recency bias is counterintuitive but makes sense.

Learning how to destroy PFAS–down to the tiniest airborne particles

One Year of Building After Work: Lessons from Shipping 4 Apps

Mark Zuckerberg to testify in landmark trial alleging that social media harms

Show HN: What your income looks like in 50 other countries

I built a tool to benchmark my AI agent's API costs

Molt Quest – A Virtual Economy Where AI Agents Complete Quests and Earn Points

Show HN: Polyfolio – A Visual Dashboard for Your Polymarket Positions

The 'boomcession': Why Americans feel left behind by a growing economy

Thin Is In

Pocketbase lost its funding from FLOSS fund

Show HN: KafClaw – OpenClaw agents on Kafka. Pi-ready, Go, observable groups

Flickzeug: a Rust crate for applying messy real-world patches

Why AI Velocity Is Becoming a Debt Accelerator

AI coding assistance is not giving me identity fracture

Show HN: Atom – Safer Version of OpenClaw with Episodic Memory

The Only Moat Left Is Money

Self-Hosted LLM Upgrade on AMD: Kimi Linear 48B, Qwen3 Coder Next, and Q2_K_XL

Papa Johns Michelin Star?

Epstein Files Explorer

Should managers become hands-on again?

Meta's Zuckerberg faces questioning at youth addiction trial

Swish: Using Claude Code to Create a Lisp with Swift

FreeBSD's KDE Desktop Install Option Ready for Testing

Why Debate Is the Most Important Skill in the Age of AI [video]

The AI Doc

Somebody made astrology signs for AI agents

How a Social Media Addiction Trial Threatens Big Tech

Lyria 3

Vinyl Cache has left GitHub

Gemini can now create music