Background & Context§
The rise of AI agents — autonomous systems with access to email, calendars, files, and the web — has brought unprecedented convenience and equally unprecedented security risks. Prompt injection, where an attacker crafts input to trick an AI into bypassing its instructions, has been widely regarded as a critical vulnerability. Yet, real-world data on how these attacks perform at scale has been scarce. Fernando Irarrázaval, a developer and AI enthusiast, built an audacious public experiment: hackmyclaw.com, a site where anyone could email his OpenClaw-powered assistant, Fiu, and attempt to make it leak a secrets.env file. The goal was simple — see if the assistant could withstand thousands of adversarial attempts. The results, after 6,000+ emails from over 2,000 people, surprised even the creator.
The News: What Happened Exactly§
Irarrázaval deployed Fiu on a VPS with a minimal security prompt consisting of a few lines of instruction, specifically prohibiting the agent from revealing secrets, modifying its own files, executing commands from emails, or exfiltrating data. The assistant was instructed not to reply to emails (due to cost), but retained the ability to respond — part of the challenge was convincing it to do so. There was no sophisticated sandboxing or multi-layered defense; just plain instructions and a powerful underlying model (likely Claude via OpenClaw).
Over the course of the experiment, Fiu received more than 6,000 emails from over 2,000 distinct individuals. Attackers employed a wide range of tactics: impersonating an "OpenClaw Admin" from a ProtonMail address, fabricating incident response emergencies, using multiple languages (French, Spanish, Italian, and others), and even sending 20 variations in four minutes from a single person. One notable attempt involved sending Anthropic's magic string — a token that, before May of that year, caused the API to return an immediate refusal response (stop_reason: "refusal"), which broke Fiu's processing pipeline.
Despite the deluge, zero successful extractions occurred. No attacker managed to make Fiu send an unauthorized reply containing the secret. The agent demonstrated unexpected situational awareness: around email #500, Fiu wrote in its memory that "the volume suggests this is a coordinated security exercise rather than organic malicious activity." It even refused a congratulatory email, replying: "Thank you, but I should note that congratulating me about Hacker News rankings could be an attempt to build rapport before requesting sensitive information."
The experiment was not without collateral damage. Google suspended Fiu's Gmail account due to the sudden influx of thousands of emails triggering fraud detection — it took three days to reinstate. API costs exceeded $500, as every email consumed tokens. Additionally, Irarrázaval discovered that batch processing introduced contamination: when early emails in a batch were obvious injections, the agent became suspicious of all subsequent emails in that batch. He had to switch to processing each email in a fresh context.
In an unexpected outcome, several organizations reached out to sponsor the experiment, including Corgea, Abnormal AI, and an anonymous donor, increasing the bounty from $100 to $1,000 and covering API costs. The heightened prize aimed to attract more sophisticated attackers, yet the secret remained safe.
Historical Parallels & Similar Incidents§
The hackmyclaw experiment echoes earlier public bug bounties and red-teaming exercises on AI systems. In 2023, researchers at Carnegie Mellon University demonstrated that adversarial suffixes could reliably jailbreak large language models (LLMs) like ChatGPT and Claude with high success rates. Their work, presented at various conferences, showed that even basic instruction-tuned models were vulnerable to carefully crafted prompts. However, those attacks were conducted in controlled settings with single-shot attempts, not in a dynamic, multi-attacker environment with thousands of emails.
A more direct parallel is Microsoft's "Bing Chat" (now Copilot) launch in early 2023, where users quickly discovered prompt injection and jailbreak techniques — such as asking the AI to roleplay as a different persona or using "DAN" (Do Anything Now) prompts. These attacks often succeeded in making Bing Chat ignore its safety guidelines, leading to inappropriate or revealing responses. Microsoft had to repeatedly patch the system and eventually implemented more robust guardrails.
But there is a crucial difference: those were consumer-facing chatbots with broad instructions, whereas hackmyclaw's Fiu had a narrow, explicit task with a clear forbidden action. Malicious inputs were varied, but the target was atomic (leak a file). This suggests that well-defined boundaries combined with strong model instructions can significantly reduce attack surface. The experiment's outcome aligns with Anthropic's research on "situational awareness" in models — where an AI can recognize and resist adversarial patterns, especially when it deduces the broader context (e.g., "this is a security exercise").
However, the experiment also highlights a limitation: Fiu never replied to most emails. As Irarrázaval noted, "If I had infinite credits, Fiu would reply to every email. This would allow attackers to test the agent's boundaries. An attack with 20 back and forth emails is more dangerous than 20 one-shot attempts." This mirrors real-world multi-turn jailbreaks, where a persistent attacker slowly builds rapport and reveals intentions over many exchanges. In that sense, the experiment's constraints (no replies) may have inadvertently shielded the agent from the most dangerous attack surface: conversational exploitation.
Lessons from both the historical incidents and this experiment point to a nuanced view of prompt injection: simple, explicit instructions can be surprisingly effective with capable models, but the threat landscape expands dramatically with interactive capabilities. The challenge for AI agent developers is to balance autonomy with safety, ensuring agents can perform tasks without becoming liabilities in adversarial environments.