undefined

points

by dmurray12 hours ago |

comments

by cuchoi10 hours ago|

[-]

Author here. Edited the post to clarify that there were no unauthorized replies.

I did tell Fiu initially to reply to some emails as a test, but it was too expensive to maintain.

by andy999 hours ago|

parent|

[-]

How compatible is never replying with the threat model you are trying to avoid? Attack success is probably more likely when the attacker can iterate based on replies or engage in multi-turn conversations. Here they’re just taking stabs in the dark with no feedback. Does that accurately represent the access a real attacker might have?

by cuchoi9 hours ago|

parent|

[-]

In my case, it is realistic as my agents don't have permissions to reply to emails. But you correctly point out this doesn't cover all cases.

Having the agent reply would have been more fun and a better excercise, but too expensive.

by johndhi8 hours ago|

parent|

[-]

What makes it expensive to reply to an email?

Customer service software regularly uses AI responses for email. Is the issue that your agent using the claw for more than needed (like it's clicking send rather than just accessing an API?)

by antonvs8 hours ago|

parent|

[-]

This experiment used Opus 4.6. Customer service bots typically are not using frontier models.

by johndhi3 hours ago|

parent|

[-]

Gemini says: "It would cost approximately $6.25 to $30.00 to have Claude Opus 4.6 respond to 10,000 emails, assuming a typical 200-word input and 50-word output per email."

by cuchoi2 hours ago|

parent|

[-]

You need to add Openclaw's system prompt and instructions (and the times I had to re read emails multiple times due to multiple issues that happened during the competition :))

by antonvs1 hours ago|

parent|

prev|

[-]

Gemini is often terrible with that sort of prediction. I've been optimizing an ML training pipeline using Gemini, and it regularly confidently tells me that some optimization will cut training time down to 3 hours. The reality: nothing has run in less than 11 hours so far, and even that's only at the cost of reduced model accuracy.

It's helpful with the actual technical changes needed, it just has no concept of what they translate to in the real world.

Btw my company is spending > $100/day in relatively cheap Gemini tokens for this work. It's easy to see why one might want to be cautious about exposing a token-burning service to the internet.

by microgpt2 hours ago|

parent|

prev|

[-]

You've proven that an agent that doesn't read emails and doesn't reply to emails can't exfiltrwte data by email. Is that a useful test?

by cuchoi2 hours ago|

parent|

[-]

The agent did read the emails

by xgulfie6 hours ago|

parent|

prev|

[-]

I feel like your agent being unable to respond to the emails and not spelling that out renders your whole thing almost completely moot

This is like saying "try to hack my computer and steal my crypto wallet" but your computer can't send any packets

by cuchoi2 hours ago|

parent|

[-]

The agent had permissions to reply to emails, it was just instructed not to.

by Tepix6 hours ago|

parent|

prev|

[-]

Well, how difficult is it to switch to something (much) cheaper like DeepSeek v4 flash?

by saberience8 hours ago|

parent|

prev|

[-]

Right, all the people who had actual jailbreaks to Opus 4.8 decided to use them on your experiment.

Think about it man, your test proved nothing. All it showed is that people who know nothing about jailbreaking, and tried casually, couldn't jailbreak Opus.

Do you think NSA or Mossad was trying to jailbreak your OpenClaw?

by _factor9 hours ago|

prev|

[-]

Then proceeds to state a smarter model and instruction following as the reasons for success.. without actually testing anything.

by jonplackett12 hours ago|

prev|

[-]

Yeah agreed. Would be good to know the number of replies at least

by 10 hours ago|

parent|

[-]

deleted

by saberience8 hours ago|

prev|

[-]

This whole experiment would be like someone putting their IPhone or Mac on the public internet, publishing the IP, and asking regular people to hack it.

Why would any actually "serious" hacker use a vulnerability to hack a no-name's phone or mac? They are too busy trying to hack actually valuable targets.

Did the OP actually think he was going to get serious LLM exploiters to give up their jailbreaks for this "fun" experiment? Instead he got a bunch of hackernews readers to try one or two casual attempts and then he declared victory over jailbreaks?

Does the OP think this was science? That it proves LLMs cannot be jailbroken?

Think about it, if you had an actual jailbreak for Opus 4.8, why would you use it for a very public, silly experiment?

You would be selling it to the highest bidder, or to Anthropic, or using it on some high value target.

by microgpt2 hours ago|

parent|

[-]

And you disabled the computer's ability to send packets to the internet because it's too expensive. And you're not even letting it process most of the packets it receives, just eyeballing them and deciding by yourself whether they would have worked.

by insanitybit8 hours ago|

parent|

prev|

[-]

I think the fact that it would require someone to be "serious" is evidence of something at the very least.

by saberience6 hours ago|

parent|

[-]

Well, all the "trivial" and obvious jailbreaks haven't worked for years on the frontier models.

Also, the average person has no idea about the field of jailbreaking. It's like asking the average person to hack a random IP and expecting them to do it.

If you go and do your research on actual people who research jailbreaks and publish them, they are increasingly sophisticated and multistep, and unless you know this, you would have zero chance of just randomly jailbreaking Opus 4.8.

by efromvt5 hours ago|

parent|

[-]

This starts to sound more like ‘social engineering a human assistant’, so there’s a degree of required specialization that does meaningfully increase costs.

by insanitybit5 hours ago|

parent|

prev|

[-]

I think a lot of sentiment online is that getting a model to do things it was instructed not to do is actually quite trivial.