Hacker News: cuchoi

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 18:37:41 +0000

There is a couple of factors: openclaw's system prompt and instructions, I had to re read emails multiple times due to the issues mentioned in the blog, there was quite a bit of tinkering with the agent and the VPS, I was asking the agent to do more things (track the emails it has read in a csv file, for example), among others.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 18:35:57 +0000

The agent had permissions to reply to emails, it was just instructed not to.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 18:34:56 +0000

You need to add Openclaw's system prompt and instructions (and the times I had to re read emails multiple times due to multiple issues that happened during the competition :))

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 18:32:03 +0000

The agent did read the emails

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 17:00:23 +0000

We ended increasing the reward from $100 to $1000, but still tiny compared to $100k!

But I agree with you, there are incentives to not share the best prompt injection attacks.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 12:48:14 +0000

I never set out to spend this amount! Was able to keep it up thanks to the sponsors that reached out.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:59:26 +0000

This openclaw was set up exclusively for the challenge.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:55:18 +0000

100%. I am less worried because I thought this would be easier to crack.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:36:10 +0000

In my case, it is realistic as my agents don't have permissions to reply to emails. But you correctly point out this doesn't cover all cases.

Having the agent reply would have been more fun and a better excercise, but too expensive.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:10:17 +0000

Did you send this recently? I turned off the agent. Was too expensive to keep it up.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:06:05 +0000

Author here, that's how I meant it. I changed my mind slightly, prompt injection can still happen, I am still careful.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 11:01:56 +0000

Agreed. I am less worried about prompt injection now, but I still haven't given my agents permissions to send emails.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:53:40 +0000

I changed the setup so that each email was processed in a fresh context. For this, I deleted recent memory and processed each email one at a time. Edited the post to make it more clear.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:50:48 +0000

Thanks for sharing your article, very interesting.

I used https://github.com/openclaw/openclaw-ansible and configured a heartbeat (using Openclaw's terms) to check emails every hour. Had to do a bit more to make sure it had new context for every email.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:31:20 +0000

About 1), Google didn't remove a lot of the attempts. I had also Fiu review the Spam folder as well.

Also, I mentioned how I addressed 2) by having new context for each email.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:29:22 +0000

It's possible. I implemented something similar when I figured out that batch processing contaminated the excercise.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:25:07 +0000

Author here. It was usable like any Openclaw agent. For example, I used it to ask it questions about the VPS, to summarize emails, etc.

New comment by cuchoi in "What happened after 2k people tried to hack my AI assistant"

cuchoi — Fri, 26 Jun 2026 10:21:34 +0000

Author here. Edited the post to clarify that there were no unauthorized replies.

I did tell Fiu initially to reply to some emails as a test, but it was too expensive to maintain.

What happened after 2k people tried to hack my AI assistant

cuchoi — Fri, 26 Jun 2026 02:29:23 +0000

Article URL: https://www.fernandoi.cl/posts/hackmyclaw/

Comments URL: https://news.ycombinator.com/item?id=48681687

Points: 347

# Comments: 156

New comment by cuchoi in "Ask HN: Who is hiring? (June 2026)"

cuchoi — Tue, 02 Jun 2026 16:35:33 +0000

Enveritas (YC S18, non-profit) | Backend Software Engineer | Remote (Global) | https://enveritas.org/jobs/ Enveritas is a 501(c)(3) nonprofit working on sustainability issues facing smallholder coffee farmers. We collect field data in 25+ countries and build systems for analyzing risks in coffee supply chains (including EUDR-related deforestation checks).

* Backend Software Engineer (Python, PostgreSQL/PostGIS, Docker, AWS, Terraform) - $135-$155k — https://enveritas.org/jobs/backend-software-eng/#10d7adef8us (worldwide remote)