Comment by usefulposter

10 hours ago

There's no vulnerability here.

This is a client-side GitHub Pages app. GitHub Pages doesn't do server-side SQL execution.

As your POST request shows, it's querying the hackernews_history table on Clickhouse Playground which is a big read-only demo environment.

The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

https://play.clickhouse.com/play?user=play

https://clickhouse.com/docs/getting-started/playground

https://clickhouse.com/blog/announcing-the-new-sql-playgroun...

16 comments

usefulposter

embedding-shape 8 hours ago

Kind of ironic that a vibe coded project is seemingly receiving vibe coded security reports already. Only a moment before all comments are vibed as well.

Aurornis 3 hours ago
> Only a moment before all comments are vibed as well.
There has been a sharp rise in comments that have all the signs of LLM generated output. Some times I’ll check their post history and see the same thing over and over again, at which point I’ll flag it. I don’t guess based on a single comment alone.
Most recently there was a guy obviously using ChatGPT to generate comments under topics with the usual signs (em dashes, unnecessary bullet point lists, “it’s not this, it’s that” construction on every line) who would finish the comments with a plug for his project.
LLM generated advertisement comments. The scariest part was how his comments were all getting upvoted so much.
Now all of the comments from that account are dead, but it went on for a long time without many people noticing
- oneeyedpigeon 3 hours ago
  
  Can I get you to whitelist my account? I use emdashes a LOT, but I'm very human.
  
  2 replies →
GaryBluto 4 hours ago
You're absolutely right! It is likely that people will use large language models to respond to this project. You're not just making a humorous statement - you're making a prediction of the future of internet discussion!
- Imustaskforhelp 2 hours ago
  
  > It is likely that people will use large language models to respond to this project
  To the people who are interested in doing this, Please don't.
  I may have vibe coded ~300-400 lines of code using LLM (this project) but I can bet on my life that all the 200_000+ words written on hackernews by me.
  (Actually feels another good quote by me so I am gonna use it more frequently in my about me page, actually I created the project to see for myself how many words I have written when people ask me oh so what do you do in Hackernews)
  These comments of mine are written by a human (teenager) and will always be written by me.
tracker1 19 minutes ago

Like MoltBook? (or whatever it's called now)
KellyCriterion 6 hours ago
wasnt Moltbook developed for this: In the end agents doing vibe coding between each another :-D
- embedding-shape 6 hours ago
  
  Honestly? I don't know. I've tried a bunch of time to "browse" the website, opening posts like https://www.moltbook.com/post/4af5180a-929a-429a-aa9d-91edf9... but I don't see any discussions happening at all, it seems like some LLM generated a post, the bunch of LLMs generated something with semblance of replies to that post but then that's it, there is no conversations/debates/discussions at all, just basically spam to the top post or non-sense replies.
  Maybe I'm expecting the wrong thing? Reading it wrong? I basically don't understand what people see in this. If the agents were talking, collaborating or what not, which I thought it was about, I'd kind of get it. Is it just broken right now, wrong example or something else?
Imustaskforhelp 7 hours ago
Well emsh, to be honest, I just coded it out of seeing if its possible or not and what the feedback was on it.
Now seeing the project having people be interested. I really don't mind writing it myself from scratch (although you might have to wait a few months as my exams are re-approaching & I would have to learn sql again, this time in more depth so give or take 6-7 months before I get free enough)
But honestly, I vibe coded it for myself to see how much words I wrote. I found clickhouse cool enough to recreate it for others & (I have written a comment in more depth about it)
It's really just a prototype. Wasn't expecting it on the front page of Hackernews :) [Though I did thought that maybe it could be front page material just because of the novelty idea behind it which is probably the case as you can see but it was uploaded 2 days ago and only recently got a boost which I was surprised to find my karma boosted/seeing this on front page when I woke up today]
> Only a moment before all comments are vibed as well.
regarding this. I see a lot of really great comments in here (written by human afterall) & this is honestly one of the best case scenarios for what I had in mind.
If vibe means relax comments, then I am all for it but if vibe means AI generated. Nah, I really hope so that Hackernews comments itself remains a place for humans.
(Also a bit of a side note but I wanted to tell you that when I made this, the first people I searched were myself, pg, dang then you, and then simonw)
(I searched you because I felt like I saw you quite often actually/talked to you on bluesky and everything too and you are one of the more newer accounts like mine so I was curious about how many game of thrones have you written :])
Have a nice day man!
- embedding-shape 6 hours ago
  
  > and you are one of the more newer accounts like mine
  I'm not though, been on HN on-off since 2010 or something :) Just a new account.
  You have a nice day too!
  
  3 replies →

Imustaskforhelp 7 hours ago

Yes.

> The information is public. "I can get the API wrapper to output more data" might be a quirk but it doesn't have security impact.

To be honest, I want more people to play with the clickhouse playground too. I feel like a lot of people have some great ideas to expand upon & I feel like they should play around with clickhouse playground for themselves! Highly recommended (also the reason why I referenced them in the website a lot)

Also, another point, but the data's not completely 1:1 but pretty close, I think the HN comments references till 6 january 2026 when I had run a date like query on it, but pretty close if you ask me & Clickhouse updates their database a lot from what I can feel like.

A bit of a backstory but I first wanted to try it with algolia api. Found the 10_000 requests per ip per hour to be really restricting. Then thought of using the big query data but it was really hard to play with that & I really couldn't understand how to really use it (a bit of skill issue), I also tried looking at firebase api of HN itself but found that it also had rate limits from what I can tell which wouldn't have been so useful.

I then found a HN comment about someone from clickhouse when searching to find that they had the play.clickhouse feature and then I remembered playing with that/being familiar with it from some time ago as well so decided to build on top of it.

The most interesting part was that when I was running it on browser & it ran. I felt like it would be a huge job to create an api. (I was thinking of having a puppeeter instance on my netcup vps) but then I simply took the request from network and pasted it in gemini to simplify it (remove all the browser things so that it can work in curl as when I pasted it directly in curl, it had issues) and it gave me a curl command which when I ran actually gave just the table itself. I wasn't really expecting this but it made the whole process even smoother and was thus capable of being able to run on github pages.

Clickhouse's pretty awesome from what I can tell :] (Wish I was sponsored xD)

Honestly, Tried to find if clickhouse has any merch but couldn't find any. Oh well, I might as well still print a sticker of clickhouse and paste it on my mac because I found it really cool for olap. (Honestly I now love both duckdb [for simple purposes] and clickhouse [for more advanced queries from large databases like this one])