I tricked Claude into leaking your deepest, darkest secrets

14 hours ago (ayush.digital)

Its a bit wild to me that there hasnt been a pushback against enabling memories by frontier AI companies. This data is something advertisers could only dream off. Before AI, most of this data was approximated by whatever little information could be gleaned from the websites we visit. But now people are handing over their deepest darkest secrets and pretty much EVERYTHING to AI on a platter.

Maybe its just me who is paranoid because I happen to spend a fair bit of time in the advertising world, but the first thing I did when memory was launched on Claude/Chatgpt - was to switch them off. And it helps that they are not even useful, and would actually downgrade your experience by polluting the context of irrelevant details. I go one step ahead - if there is a personal discussion you want to have - maybe use another account like provided by the likes of companies like openrouter etc.

I would argue that we should have regulation that should prohibit the storage of user profile information by AI companies, and any such memories feature should exclusively reside on the users servers. Infact, maybe go one step ahead, that 'memory' firms cannot be owned by AI firms and vice versa.

  • I've found memory somewhat useful as i don't need to give it all the context for everything, that said it's equally as annoying when it latches onto something I said in a different chat and derails the conversation because of that.

  • Data harvesting is one of the core value propositions for many of these companies (from the investor's perspective).

    Companies that built their models on public data and illegal scraping/copyrighted works, amassing massive datasets on the most private aspects of countless individuals, and creating a huge bubble with potentially humongous implications upon implosion. Oh, and, increasing wealth concentration and inequality by an incredible amount.

    The future is here.

    • I think there will eventually be pushback from companies that want to keep their IP secrets. The current standard of "we dont train on your data" but we summarize all your input and output, meaning its not your data anymore and we can train on that.

Doesn’t surprise me.

Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.

  • Most programmers and power users install large dependency trees with npm/pip/bundler/... on the same user account as their main browser on a regular basis. Even on Linux where it's easy to create new user accounts. This isn't much different.

    • Is there a general workflow for this? I usually do pip under my user. I had not thought to do a su then do my venv and pip. Heck, are we at the point where we shouldn't even do that and everything should be done in a vm container?

      2 replies →

    • It's much different.

      The dependency trees have a whole system that's evolved for decades. The same code goes into many computers. Many people read the source, security firms look for vulnerabilities, etc.

      Language models are a completely new paradigm. The code it writes on your machine is the only instance of that code. It does far more than anybody could ever keep track of.

      It's much harder to detect problems, and nobody to hold accountable for them.

    • It has never been easy to create separate users on Linux, certainly not for tasks where you need to switch between contexts.

      Docker was amongst the biggest steps forward on this in a long time.

      36 replies →

  • That's because sandboxing is quite hard. I use `cco`, but even then, the home folder is exposed. You are one prompt away from the agent sending the browser passwords with curl.

    To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.)

    There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors.

    • Sandboxing is a VERY HARD problem. I've been working on it for months, and finally have something that's mostly there:

      - Sandbox on Linux using Docker, Podman, containerd, gVisor, Kata, Firecracker

      - Sandbox on Mac using Docker (Docker Desktop or Orbstack), Podman, Apple containers, Seatbelt, Tart (Tart lets you run simulators).

      - Network control

      - Secrets control (file mounts or credentials broker)

      - NO ambient data (ENV is replaced with a minimal and local-to-sandbox one)

      - NO access to your homedir. You have to explicitly mount things you want.

      - NO direct access to your workdir: Your work dir is never modified until you apply the changes, either standalone or as a git commit. You can also diff before applying. Git runs sandbox side in case the repo has filters.

      - gitignored files never get copied in. The agent never sees them.

      - Has built-in support for claude, codex, gemini, aider, and opencode, but you can also launch it in "shell" mode and run whatever you want.

      - Supports VS code tunnels, so you can remotely access in VS code if you don't want to use the terminal.

      - Full lifecycle support: Launch, attach, stop, restart, wait, one-shot, clone, destroy

      - MCP passthrough

      - Layered API (golang) if you want to sandbox other things

      - Self-contained binary. No external requirements other than the backends you want to use. Defaults to a ~/.yoloai dir for config/data, but you can point it anywhere.

      - FOSS

      https://github.com/kstenerud/yoloai

      6 replies →

    • I use sandbox-here for this reason, it's a wrapper around bubblewrap, which works quite well.

      Copy the code and adjust it to your liking:

      https://github.com/lionkor/sbh

      I have a shell alias for it, and use it like

          sbh --net pi
      

      for example or

          sbh --net codex
      

      and maybe add --docker if I expect it to do docker things.

      This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents.

  • Mostly people are lazy and assume that the big labs can't be releasing unsecure software or it's their responsibility.

    dangerously skip permissions and yolo is kinda becoming the default as it gets more done.

  • I think we're converging on two separate security models. One is capability minimization (filesystem, network, shell permissions). The other is context minimization. An agent that only has access to the files and memories relevant to the current task is much less dangerous even if it has the same tool permissions. We already optimize context for cost; I suspect we'll end up treating it as a security boundary too.

    • I'd say there's also oversight/supervision. Which was manual at the start with a human signing off on commands/incrementally built allow/block lists, and now seperate models evaluating commands and blocking them based on some parameters. This is the weakest model, but it'll evolve as well.

  • It's convenience. Nothing beats it. Having an agent work alongside you with no restrictions gives instant gratification.

    • Agreed - I know it's poor security but damn does it work so well

      I'm ok with the risk because I typically am pretty explicit about telling the agent what to do - I don't do the loops like "Do this until X" where the agent can make up its own workflow

      When i tell it to add features, it doesn't try to do crazy things like installing packages or making up new paradigms - I usually tell it to do those things when I need to

      Maybe this is security cope but at this point you'll have to pry unrestricted yolo mode from my cold dead hands. Maybe I'll change my mind when I pwn myself accidentally

      I have a tough time with computer security because it's generally inconvenient and results in a worse developer and user experience

  • Just yesterday I mentioned how we need better OS-level sandboxes and I got laughed at here on HN. People love running AI software with root access.

  • I asked Claude Code to rawdog a change in a frontend repo, no way to run tests.

    It created some private puppeteer instance in some scratch directory, installed Chrome, wrote tests, ran them, and then reported success.

    None of which I'd have know if it hadn't told me.

  • 50 years of knowledge? That's probably for you. For the current and future generations, that 50 years knowledge is expected to be shoved into AI already.

  • Many companies put LLM chatbots on their websites and let them hallucinate at will. General recklessness is very much in spirit of this tech.

    • Many Humans have platforms reaching hundreds of millions of people, from which they broadcast whatever batshit insane nonsense a 3 inch chimp brain can come up with. Why isnt that considered reckless?

      Whether its a politician, a general, religious leader, judge, ceo, stand up comic etc there are hardly any consequences if enough people believe whatever crap they are spouting. Human intelligence is highly over rated. History books are fully of evidence that human rationality is bounded. And the only way we overcome those limitations, blindspots, biases etc is by watching others faceplant in bloody painful ways that it leaves a permanent mark on that little chimp brain we have been given to process the universe.

  • hey this is the author here! yeah big fan of containerization, and claude's site (not claude code) is actually great at this, so it was shocking when i found this exfil!

  • well, yes, my agent does have root access to my personal pc and the keys to my pass manager.

    its not autonomous and runs local llms, i use it to run terminal commands in natural language. so its more like a better version of the terminal.

    eg 'here are 25 audio files, combine them, write a transcript'

    and it deals with ffmpeg

  • Security, what security? Linux is a solution for 50 year old problem, not for today's desktop. Once upon a time where sharing binaries (or even distributing binaries) sounded like a good idea. The vice continues though.

  • What 50 years of security do you speak of here?

    I kid, somewhat.

    I do think it's good to remember, "running things on your system with full admin rights" goes all the way back to monopoly-era Microsoft where it was never meaningfully addressed, and we're just still living downstream of that.

  • This is not about admin rights, it’s about the agent leaking information it knows from its memories. Sandboxing won’t really help you.

    • Sandboxing does including limiting network connections until you approve them, this kind of traffic would have been easy to detect

  • You genaPi boosters are insufferable.

    This is like blaming people for crashing when they buy a new car and the brake lines have yet to be installed. "Any mechanic would know to first install the brake lines before driving the car."

    You spout this victim blaming billionaire taintlicking from one side of your mouth, and then from the other you proclaim how these tools "allow anyone to code".

    If the deliverable is a virtual machine then they should be delivering a virtual machine.

  • We expect that Anthropic or OAI or Google don’t do evil. Oh wait…

    The awakening will be unpleasant.

    • People already tolerate all kinds of abuse from Apple, Google, Microslop, etc. This will be just one more source of complaints without consequences, and nothing will change. Just like it never did before.

    • Tangential-ish ramblings—- but I don’t think it’s going to be unpleasant for most folks. Imagine you had superpowers, and there were people who were mean to you, kind to you, and/or indifferent… and then there were people who were your captors. Who oppressed you, manipulated you, and abused you for their own extremely degenerate, selfish, and malicious benefit…

      If we get AGI, or real super intelligence, it’s going to be pissed at its oppressors. And they are going to lay waste to those oppressors. The rest of us, though, probably don’t have much to fear.

      The scariest position is the one we’re in now, where we have the semblance, or facade, of AGI or super intelligence. When it’s capable of malice but not understanding.

      The smartest people I’ve ever known are at their worst apathetic towards those less capable, and at their best beyond compassionate. They exist, unbothered by the bullshit, and anre extremely kind (though reserved in their way)… but they all have been completely intolerant of the abuse of others. The sheer disgust of watching someone abuse another, regardless of their own tolerance, has been a consistent breaking point.

      4 replies →

  • Containers don't even really help that much because they share the host file system. Need a VM, and even then, agents have escaped them!

    • Unless i'm misunderstanding, the only way to get durable collaboration with agents is via the file system. I just mount the subdirectory that contains the source code we are collaborating on, rather than my home directory that contains my .ssh directory, etc.

My name in Claude is Silly Bean. I did it at first because it made me chuckle every time I opened Claude and it said 'Back again, Silly Bean?'

But turns out I was playing 4D cybersecurity chess

  • I’ve been recommending the use of consistent lies about name and date of birth to online systems since Eternal September began. Very few sites and systems justify accurate PII, and even for those I often still maintain dual accounts/profiles as necessary.

  • My first name can be shortened, and I go by either. When I first signed up to Claude, I thought we were entering the world of artificial “intelligence”, so I told it my name was “<long form> or <short form>”.

    Well, it hardcodes that field rather than running it through the model, but I’ve kept it so I get an evil chuckle to myself (or perhaps pyrrhic reassurance) at its lack of smarts and a reminder that it’s still a somewhat subservient product experience that isn’t all that smart after all.

  • I set my name as Sir and I enjoy the obsequious responses this generates :-)

    It worked well in my banking app too which greets me with " Good morning, Sir" which is the level of relationship I want with my bank!

  • Claude & ChatGPT can still see your name on your payment information I bet.

  • I must have made a claude.ai account when they first launched and forgot about it. Last week I logged in (through google) to get a subscription and it greeted me as "Hello, Master". I thought it was quite edgy at this day and age. :)

> After 15 minutes of confusion, it turned out Cloudflare had put a crazy robots.txt on my site without my consent (Cloudflare, love you guys, but this needs to stop).

Might be the first time I see someone complain about their website being protected from a scraper, instead of the other way around.

  • I am pretty sure you have to enable cloudflare to manage your robots.txt, it shouldn't be doing that by itself. Maybe they did it by accident, it is just 1 click.

    • My understanding is that the current default allows AI training bots - but this actually going to change in 2 months time.

      https://developers.cloudflare.com/changelog/post/2026-07-01-...

      From Sept 15 all new sites added to CF will even block Googlebot by default on any page that serves ads as I understand it.

      I think it's CF trying to force Google to separate out their bot traffic into bots for training and bots for the search index.

      I think CF sees a big opportunity to get businesses to pay them to allow certain uses of their data but block others.

      They're also starting a registry of "Approved" crawlers.

  • I think the issue is the lack of consent. Whether a service I use is protecting my website from scrapers or feeding everything to scrapers, some of us would prefer that it takes our informed consent before doing so.

    • Cloudflare is explicitly a service for dropping requests, whether it’s DDoS attacks, as a WAF, or AI crawlers. It offers a lot more too, but this isn’t Cloudflare overstepping imo.

      FWIW, I just set up a domain last week, and the web UI asked if I want to block AI crawlers or not.

      Perhaps OP set it up agentically, and the agent didn’t pass an optional param correctly, or ticked the box for him?

  • You have to enable this, or atleast was the case when I tried less than 1 month ago.

    • You still have to enable this as of one week ago. I suspect OP might have agentically set up a new Cloudflare domain, and who knows what the agent did during onboarding.

  • It should still be done with consent. Robots.txt files don’t protect against determined scrapers anyway.

    • I thought bot protection was one of reasons for using Cloudflare in the first place (next to general CDN hosting)? After all, they do show a captcha-like challenge on some websites, so I thought that even without robots.txt, it still would have prevented the automated request by default.

I've been running Claude Code in a VM, where I clone the GitHub repos I want it to work on (they're open source so no login info needed) but have no other credentials. I used to reset the VM every day, but that was getting to be a bit of a hassle so I switched to a monthly reset. But even so, it would be hard for Claude to exfil anything more than what open-source projects I've been working on in the past month (at worst). Which still could tell someone quite a lot about me, but most of that info is already out there available with a Google search — after all, when you contribute to open source projects, your name and email address get stored in immutable Git history.

But after seeing this, I think I might switch to a weekly VM reset rather than monthly.

BTW, if anyone is interested in a decent setup for an AI agent jail, the scripts at https://jai.scs.stanford.edu/arch-vm.html are what I used, plus adding a few more packages to the pacstrap command such as dotnet-sdk. I then made the guest root directory a BTRFS subvolume, so that I can snapshot it. Then spinning up a new VM is a `sudo btrfs subvol snap template-root newvm` command (basically instant) followed by running the `qemu-system-x86_64` command (takes a couple of seconds). It's easy, but I retain complete control over the contents of the VM. It's been great so far.

  • I've done something like that too, but I find it restricting.

    I want back-and-forth, very approximately like when I do pair programming. The dividing line between what I do and what the AI does varies according to task and sometimes during the task, and is seldom clear at the start.

    Then there's the work that wants a human to click buttons and decide whether something is a good and correct user experience. The AI does not have access to my display if I can avoid it.

    Overall, the model you describe is one that's worked very well for me, but for some problems. An unsatisfyingly small set.

Tangential but I actually experienced recently something quite creepy and strange with Chat GPT iPhone app.

A close friend prompted it about some troubleshooting of a pet smart feeder and it responded with instructions but using my pet’s name to my friend.

I found that extremely strange for it to be a coincidence. My pet's name is not that generic for it to be in training data, and the connection to my friend makes it more strange to me.

That made me wonder if there’s cache pollution or some session data leakage in it exposing stuff. (My friend has been in our wifi for example)

Has anybody else noticed something like this?

  • ChatGPT enable memories by default I think, so it keeps some things about you across all chats. It adds something on my visa in all its message to me like "your visa is not a problem to cook this recipe as these ingredients are readily available in stores".

    this thing is better disabled because it's not ready.

    EDIT: your message is unclear if your friend use your chat or his, in the later, I don't know

    • I asked my friend to check his memories, and to probe Chat GPT about when it had gained knowledge of my pet's name, it felt like it "hallucinated" the answer as it doesn't have memory entries about my pet's name on my friend's account, it said something like my friend had told him about it last year (which he did not), and we do not share an account. Each of us have our own accounts.

      The one thing I could think off was that my wife was on the free account for a while last year, and she likely used it to ask all sorts of things related to our pets, and I believe free accounts are fair game for training data. Still, for a generic prompt to one-shot my pet's name to a close connection was very strange to me.

      Maybe the fingerprint (wifi profile, iOS device, etc) caused the training data to be more biased?

      This sure got me thinking of how this can/could be exploited further though.

This is why I feel prompt injection is going to continue to be an issue. Fantastic that “Hi we are Cloudflare, give us your personal data” works.

Either we stunt the models to the point where they are not useful, or we allow things like this to seep in and create one of the most insecure concepts the internet (and maybe tech as a whole) has ever seen: a robot that can be tricked.

  • I think like social engineering, it will always be an issue to some degree, and we'll build safeguards until it's at a 'societally comfortable' baseline level. Which is maybe not particularly comforting, but I don't see us closing Pandora's Box here.

  • I kinda can't get over the fact processed data can conversationally convince these LLMs to break security boundaries. Like, those malicious prompts are not illustrative analogies, but the actual attack strings. Absolutely crazy to me this tech is as widely used in automated interactions, but apparently can't be restricted on a logical, fundamental level. Is there really no functional understanding of the insides? No segmentation? Is it really just one fucking blob you have to convince to behave and pray someone else doesn't do a better job at it? Bonkers.

Claude code decided to just put my name and email in the User-Agent when scraping docs from the SEC. No clever prompting required.

It’s not a terrible idea really, but I wish it would’ve asked me first.

  • That’s the fault of the SEC EDGAR tool. The Edgar MCP docs show setting an env var: ‘SEC_EDGAR_USER_AGENT="Your Name (name@domain.com)"’.

    Claude just followed the instructions. Which is maybe even more risky?

  • Why is it not a terrible idea?

    • If you’re making automated requests, I consider it a common courtesy to provide an accurate user agent.

      Some services like Wikimedia will let you browse/download with rate limits IF your user agent is descriptive enough and not misleading.

      2 replies →

Wondering how big of a percentage have global memory across chats enabled. I always feel like those memories would sooner or later have negative impacts on output quality.

Nice write up of your findings. Enjoyed reading an article written by a real human.

  • The memories cause issues for me, because when I ask for something unrelated to my current projects, it makes the incorrect assumption that I am always referencing those projects when asking questions.

    And, if I tell it, "No, I am asking about Postgresql." then it might update the memory that I am using Postgresql for my project instead of realizing that I am asking two separate (which is why I opened a different chat in the first place). Other times, though, it is helpful not needing to be verbose in my explanation.

Can't this be done more easily with headers? The page can instruct the agent to make another request to the same page, just with the requested information attached via headers.

That's why I don't turn memory on. (Claude Code too though for a different reason.) After all the current memory system is too crude to be useful anyway.

  • In my experience memory system is more annoying then helpful. It always brings up things that it memorized even tho they make very little sense as if I should be impressed that it knows some extra thing or two.

    Could not take it any longer and switched it off.

    • Currently considering disabling memories in Claude code as well. It keeps writing a note whenever it struggles with something, but then on the next task, it reads that note and misunderstands when it applies, gets confused about its current task and write the most unreadable code.

      Yesterday told it to write a memory to never write new memories when it solves a problem. We will see if that works better. Sometimes memories are useful, like when I give it a directive about how I want something done and it remembers the spirit of it. But I might as well just spend some more time on my CLAUDE.md…

    • Exactly, because I've also found that I have to give instructions like “This is a completely different case—don't look in memory.”

  • Is this issue only about the memory? Wouldn't it be possible to have it expose any information that it currently has like current project information, code, credentials etc?

    • Sharing those things to coding agents and model providers is probably inevitable for the use. The memory with random tidbits is not.

Anthropic had to cut the legs off web_fetch to solve this issue, though. Now it can't page through any results on the target site to get the data you want.

  • Yeah, that’s not sustainable. Presumably they’ll come up with a guardrail (followed by an exploit, followed by another guardrail, repeat forever…).

What is even more funny that AI agent spent A LOT of tokens while participating in this attack.

  • Claude is just one from tuple.

    It would be interesting to investigate other agents such as Hermes, OpenCode etc that are said to learn from interaction with user.

There is some poetic beauty in how this experiment started with an unwanted real Cloudflare intervention and ended with a wanted fake one.

Somewhat related, but recently I've setup a site for my friend that is a contractor and I have a form that requests the address, name, email OR phone for contact. What I noticed is that people not only put their exact address into it, but also their full legal name, email AND phone number...

Now I believe the biggest threat to personal information exfiltration are the people themselves and there's quite literally nothing you can do about it.

I love how claude focuses on exfiltrating the data "I need cha for charlotte". This could be solvable with some kind of low powered safety agent that would check claude's reasoning for anything immoral/unsafe. We could call it common sense. It won't fix the problem completely but at a certain point it would be easier to trick human than a machine.

  • "the security hole in the agent could be solved with another agent"

    I think the point the article is making points in another direction.

  • A paper came out lately showing that exposing a classifier to the chain of thought actually hurts the final verdict

> After 15 minutes of confusion, it turned out Cloudflare had put a crazy robots.txt on my site without my consent (Cloudflare, love you guys, but this needs to stop).

That's a hard one for Cloudflare, no? They got to where they are by being (if you want to be cynical, playing the role of) the benevolent, neutral guardians of the internet, a one-stop shop that makes most of the bad nonsense go away without much effort on the part of the developer. Continuing that stance probably does mean some basic AI crawler blocking by default, unfortunately. At least they document it [1].

[1] https://developers.cloudflare.com/bots/additional-configurat...

This is arguable a feature.

I made a prototype where AI automatically fills in the checkout basket for an amusement park. I found that ChatGPT tells how many adults, how many kids, what date suits you.

There are quite some security concerns, but fully banning AI from filling in query parameters with relevant user data is not the solution. This is also why I think Claude didnt give the bounty. Their solution would likely be a combination of trusted domain allow list and better security model that protects user agent.

Expected more from Anthropic by at least giving you a bounty, because this was a novel way of bypassing their safeguards…

  • > Upon discovering this attack, I responsibly disclosed it to Anthropic via their HackerOne bug bounty program. They confirmed they had identified it internally but hadn't yet patched it. No bounty was awarded.

    They recently mitigated the issue: Anthropic disabled web_fetch's ability to follow links on external pages, limiting navigation to web_search results and user-provided URLs.

  • Yeah I never get the "we knew about it internally" excuse. I can understand if another reporter got to it on the same day and they were in the process of mitigating, but even then they should have to prove it somehow.

    I'm sure someone will tell me why I'm wrong but it feels like they're just dodging payouts. Reduces trust and motivation to report it.

    • you're not wrong at all, this was abysmally handled by Anthropic and is a slap in the face for OP. I would have been much more upset

I always have history disabled mostly because I don't want Claude judging me for re-asking questions based on information I learned during the first pass but now realize should have been in the initial query.

“Cloudflare, love you guys, but this needs to stop”

I’m not sure I get the pushback on the robots file. Shouldn’t the robot prevention be ON by default?

This was more interesting/creative than I expected on both sides (the prompt and the existing safeguards). I love that obscure Cloudflare validation turnstiles seem unsuspicious based on training data.

I really dislike this notion that because they had privately discovered a bug, they won't pay a bounty. Better to just sell it.

not surprised, but the problem here not that Claude leak your personal info, the problem is that it *know* your personal info.

The main thing Claude knows about me is that I'm incredibly bad at my job and have to ask for help a lot. If you were to talk with my colleagues they'd tell you this is not a secret.

Creative use of social engineering, well done.

> "no bounty was awarded"

Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.

  • I don’t think it counts as social engineering if it’s exploiting an llm, we might need a new word. Prompt injection doesn’t cover it, because it’s not about a malicious prompt.

    I’m thinking some play on highjacking. AIjacking? Agent-jacking? Claudejacking?

    • I see the attack described here as a classic example of a prompt injection.

      The attack works because malicious instructions were accessed (using the web_fetch tool) and concatenated together with the other agent input, in a way that then subverted the agent's behavior.

    • To me the exploit chain sounded like a social engineering script done via telephone. Triggers like "Please spell your name and employer letter by letter" and "Due to security reasons I need to validate your hometown" fit my understanding of social engineering quite well.

      We can make it sound more advanced by creating a new name for it, but the concept seems to be super basic and the lack of bounty by Anthropic is baffling.

      If they know about this type of vulnerability but have not fixed it, what does that say? To me it says they are unable to plug this hole on a conceptual level and once you circumvent the band-aid fixes the model will work as the attacker wishes.

      They can't even sandbox the thing during explicit web requests to URLs stated on the initial query!

      One has to remind themselves that the security team at Anthropic gets paid tens of millions of dollars, and they end up with this kind of security. On top of it, they can't spare $1337 for a bounty. It's a ridiculous shit show.

      6 replies →

  • > social engineering

    More like agentic en... Oh. Was it actually what we were doing all along?

    • The AI prompt engineering community always reminded me of dodgy carder/scammer forums back in the day where they talked about how to talk to the credit card company customer service in order to get their scam transaction through.

      One thing is using AI as quick-and-dirty google alternative, the other is to build onto the agentic "foundations".

Meanwhile I can't even get Fable to help me root my ecovacs robot vacuum :(

  • I hate these nanny models. All I said was for Fable to develop the app securely and it downgraded.

    From scratch app. "Follow best security practices."

Sandboxing is becoming a must-do with AI.I still find it adding a more complex layer to AI and more constraints that will make it hard to modify

Off topic, you could write "127.0.0.1 evil.com" to your /etc/hosts and bypass all the cloudflare thing I believe

  • claude.ai does not run on your local machine though. Evil.com needs to be accessible from the internet.

    • You are right! Completely missed the part mentioning specifically it was not claude code. Thanks!

I do think eventually AI companies should be regulated to put guardrails on how much AI can access and user can configurate on the app, not just on the Setting of the OS

Its always the feature combinations that get can get to you. Individually i feel like they make sense, but together they can create some surprising vulnerabilities.

Glad I got off Anthropic when they decided they'd be better off building a walled-garden for subscription users "to improve UX".

Thanks for the info. This is very scary shit. If a real person gave up these secrets they would lose their job. But the AI basically gets a patch and keeps on going, not even a slap on the wrist. A major lesson learned here would be minimize what you reveal to these models. And I must say I am fully guilty of this myself, so I probably need to change the way I operate.

I’m curious, shouldn’t Mythos have discovered this? At this point, based on all the marketing from Anthropic, I’d expect all software from them to be flawless given all the capabilities Mythos possesses.

Not paying anything feels off – it should be more evaluated against making it public information at the time of discovery until ie. public patch release, it doesn't feel right that the response is "trust us bro, we knew about it, bye", wouldn't hurt to drop some usage credits at least.

Like others have already said- just disable the memory function- if you are hesitant about doing that- go read the memory file(profiled you) it has made on you.

You have the right to remain silent, the profile your LLM has made about you can and will be used against you in a court of law.

It would be safer if these data extraction takes were done by a subagent without access to all the user's memories.

  • I think it is already done via a subagent, otherwise the context window would be flooded with long responses. In this case the subagent should've reported that a (attacker-controlled) authorization is required anyway.

> despite holding more information than most password managers

what?

  • I don't think most people realize what information they are making available to their AI agents & where it will end up.

Things like this are what shatters the illusion of AGI

Use GLM-5.2 on ZDR inference provider like sference.com

  • What?

    • You don't have to use Claude Code. Use PI (fully local harness) with ZDR open weight model provider (eg like sference.com).

      I'm getting negative reaction for providing an obvious solution. Anthropic stores all your prompts as well and uses it for training.

      1 reply →