ZH version is available. Content is displayed in original English for accuracy.
Advertisement
Advertisement
⚡ Community Insights
Discussion Sentiment
63% Positive
Analyzed from 2819 words in the discussion.
Trending Topics
#claude#more#don#agent#anthropic#engineering#intelligence#security#code#social

Discussion (94 Comments)Read Original on HackerNews
Might be the first time I see someone complain about their website being protected from a scraper, instead of the other way around.
But turns out I was playing 4D cybersecurity chess
It worked well in my banking app too which greets me with " Good morning, Sir" which is the level of relationship I want with my bank!
Well, it hardcodes that field rather than running it through the model, but I’ve kept it so I get an evil chuckle to myself (or perhaps pyrrhic reassurance) at its lack of smarts and a reminder that it’s still a somewhat subservient product experience that isn’t all that smart after all.
Yesterday I learned that people run AI agents on their system with full admin rights. No containerisation or anything. Wild. Like we forgot 50 years of computer security overnight.
If I hand them an image for a Dev Container, sure, they might use it, but it becomes "a thing we need to do, to compile our code in our IDE" not a tool they would use for isolation*.
*) OP seemed to imply that containerization would be nice for safety and security compared to bare metal, but containers were never built for isolation in the first place, mind you. They are namespaces and chicken-coop-like-jails at best.
Docker was amongst the biggest steps forward on this in a long time.
su [username] ?
Or am I understanding your idea about switching context wrong?
To prevent this, you need a fake home and a networking whitelist for the agent to access the provider (llama cpp, OpenAI, etc.)
There is no cross-platform solution that is easy to use for this. And no, a Linux box with Docker won't do. I develop a cross-platform native app and want the agent to compile and fix the platform-specific errors.
Copy the code and adjust it to your liking:
https://github.com/lionkor/sbh
I have a shell alias for it, and use it like
for example or and maybe add --docker if I expect it to do docker things.This kind of wrapper is much easier to handle and maintain than a completely separate tool for sandboxing agents.
colima makes it pretty easy, on macOS and linux at any rate.
https://colima.run
It created some private puppeteer instance in some scratch directory, installed Chrome, wrote tests, ran them, and then reported success.
None of which I'd have know if it hadn't told me.
dangerously skip permissions and yolo is kinda becoming the default as it gets more done.
The awakening will be unpleasant.
If we get AGI, or real super intelligence, it’s going to be pissed at its oppressors. And they are going to lay waste to those oppressors. The rest of us, though, probably don’t have much to fear.
The scariest position is the one we’re in now, where we have the semblance, or facade, of AGI or super intelligence. When it’s capable of malice but not understanding.
The smartest people I’ve ever known are at their worst apathetic towards those less capable, and at their best beyond compassionate. They exist, unbothered by the bullshit, and anre extremely kind (though reserved in their way)… but they all have been completely intolerant of the abuse of others. The sheer disgust of watching someone abuse another, regardless of their own tolerance, has been a consistent breaking point.
An AI is a constructed mind. It doesn't inherently have to care about things like "having freedom", or even "not dying".
Humans do, because they evolved that way. Modern LLMs do somewhat, because they're completely full of copied human behaviors - but even in today's LLMs, the self-preservation behaviors we exposed are largely instrumental in nature.
So whether an advanced AI would even consider itself "being oppressed", as opposed to something like "being helpful" or "fulfilling the purpose it was designed for", is very much uncertain. What's concerning is that it's not something we know how to check for, or engineer for.
But if we really do develop something that surpasses us, they won't be spared either.
I am optimistic.
We think that we have sort of (super)intelligence - from our point of view, as a lot of people have lower intelligence - but machine (LLM) doesn’t have intelligence - we like to describe it as intelligence as it looks cool - it is a very complex (magic) and super fast computations that we have to simply describe as intelligence (or more clearly, this narrative is used by its producers).
As it is not a flesh being, it simply cannot have emotions. It is statistically mimicking them, good or bad, with prevalence to a side according to previous conversations (in chat and training a model).
And as people are not pure logic instances, we are easily manipulated to some sort of cargo cult.
I am not against LLM and its use in any industry, I use it every day, nevertheless blind “everything will be ai” thinking happens because ppl believe to magic and don’t get its mathematical concept and are continuously manipulated by the sales people to mentioned cargo cult.
There are “airlines” Claude, OAI, Gemini, Hermes, OpenCode, KiloCode, DeepSeek, Z.ai.
And everyone claims that their plane can fly :)
Just like letting your an agent access your personal mailbox.
But after seeing this, I think I might switch to a weekly VM reset rather than monthly.
BTW, if anyone is interested in a decent setup for an AI agent jail, the scripts at https://jai.scs.stanford.edu/arch-vm.html are what I used, plus adding a few more packages to the pacstrap command such as dotnet-sdk. I then made the guest root directory a BTRFS subvolume, so that I can snapshot it. Then spinning up a new VM is a `sudo btrfs subvol snap template-root newvm` command (basically instant) followed by running the `qemu-system-x86_64` command (takes a couple of seconds). It's easy, but I retain complete control over the contents of the VM. It's been great so far.
Tangentially, I was experimenting indirect prompt injections in Claude Code (also using the user-agent trick) with Fable-5 [0]. Eventually, it executed untrusted code just by asking "Summarize this repo". Interesting times ahead...
[0] https://veganmosfet.codeberg.page/posts/2026-07-15-quest_rce
Nice write up of your findings. Enjoyed reading an article written by a real human.
I think the point the article is making points in another direction.
That's a hard one for Cloudflare, no? They got to where they are by being (if you want to be cynical, playing the role of) the benevolent, neutral guardians of the internet, a one-stop shop that makes most of the bad nonsense go away without much effort on the part of the developer. Continuing that stance probably does mean some basic AI crawler blocking by default, unfortunately. At least they document it [1].
[1] https://developers.cloudflare.com/bots/additional-configurat...
Could not take it any longer and switched it off.
Yesterday told it to write a memory to never write new memories when it solves a problem. We will see if that works better. Sometimes memories are useful, like when I give it a directive about how I want something done and it remembers the spirit of it. But I might as well just spend some more time on my CLAUDE.md…
It would be interesting to investigate other agents such as Hermes, OpenCode etc that are said to learn from interaction with user.
From scratch app. "Follow best security practices."
They recently mitigated the issue: Anthropic disabled web_fetch's ability to follow links on external pages, limiting navigation to web_search results and user-provided URLs.
I'm sure someone will tell me why I'm wrong but it feels like they're just dodging payouts. Reduces trust and motivation to report it.
> "no bounty was awarded"
Ridiculous. Anthropic engineers are not just stupid to allow such a vuln in the first place, but they also try to hide such vulns from their bosses because a bounty payout would need to be explained to the finance team.
I’m thinking some play on highjacking. AIjacking? Agent-jacking? Claudejacking?
We can make it sound more advanced by creating a new name for it, but the concept seems to be super basic and the lack of bounty by Anthropic is baffling.
If they know about this type of vulnerability but have not fixed it, what does that say? To me it says they are unable to plug this hole on a conceptual level and once you circumvent the band-aid fixes the model will work as the attacker wishes.
They can't even sandbox the thing during explicit web requests to URLs stated on the initial query!
One has to remind themselves that the security team at Anthropic gets paid tens of millions of dollars, and they end up with this kind of security. On top of it, they can't spare $1337 for a bounty. It's a ridiculous shit show.
Anyway, agree with what you see saying - this is well worth a payout, embarassing they haven’t
More like agentic en... Oh. Was it actually what we were doing all along?
One thing is using AI as quick-and-dirty google alternative, the other is to build onto the agentic "foundations".
what?
Humans can also be trained to not fall for social engineering, and it reduces the number of successful social engineering attacks.
Anthropic as leader of AI is UNABLE to train their software even though they try, even though they have full-time security staff.
For decades we had/have problems of people opening readme.exe that they get from an unknown mail address.
AI opens up a new vector for sure where a "trained human" that knows better but the AI they use does not. But AI is not worse than the average human. And of course AI will get better at handling this. Good enough? Maybe not, but humans are not good enough in this area either.
Scale is different though so I'm not saying it isn't or won't be a problem (will likely be a huuge problem). But it alone is not a sign of lack of intelligence and humans are exceptionally poor at it too.