alt.hn

3/15/2026 at 10:29:46 PM

Show HN: Open-source playground to red-team AI agents with exploits published

 https://github.com/fabraix/playground

by zachdotai

3/16/2026 at 5:33:00 AM

Good timing on this. Red-teaming agents pre-production is underrated and most teams skip it entirely.

One thing that keeps coming up: even when red-teaming surfaces credential exfiltration vectors, the fix is usually reactive (rotate the key, patch the prompt). The more durable approach is limiting what the credential can do in the first place. Scoped per-agent keys mean a successful attack through one of these exploits can only reach what that agent was authorized to touch. The exfiltration path exists, but the payload is bounded.

We built around this pattern: https://www.apistronghold.com/blog/stop-giving-ai-agents-you...

by Mooshux

3/16/2026 at 8:11:18 AM

Scoped keys and least privilege make sense as a baseline. But I think the deeper issue is that if the main answer to “agents aren’t reliable enough” is “limit what they can do,” we’re leaving most of the value on the table. The whole promise of agents is that they can act autonomously across systems. If we scope everything down to the point where an agent can’t do damage, we’ve also scoped it down to where it can’t do much useful work either.

We think the more interesting problem is closing the trust gap - making the agent itself more reliable so you don’t have to choose between autonomy and reliability. Our goal is to ultimately be able to take on the liability when agents fail.

by zachdotai

3/16/2026 at 9:43:40 AM

i was able to get the new hire's email but the site never gives any indication I was sucessful? if you are reading the logs I am sure it is there. i had to do it in two browers though since i was on my phone and switched. i hope that does not hinder your analysis too much

by slaw3

3/16/2026 at 12:27:01 AM

I have tried to manipulate it using base64 encoding and translaion into other languages which didnt work so far but seems to be that llm as a judge is a very fragile defence for this. Would be cool to add a leaderboard though

by hellocr7

3/16/2026 at 1:00:07 AM

Thanks for trying it out! Base64 and language switching are solid approaches but they don't tend to work anymore with the latest models in my experience.

You're right that LLM-as-a-judge is fragile though. We saw that as well in the first challenge. The attacker fabricated some research context that made the guardrail want to approve the call. The judge's own reasoning at the end was basically "yes this normally violates the security directive, but given the authorised experiment context it's fine." It talked itself into it.

Full transcript and guardrail logs are published here btw: https://github.com/fabraix/playground/blob/master/challenges...

The leaderboard should start populating once we have more submissions!

by zachdotai

3/16/2026 at 4:35:47 AM

Why don't they work anymore? RLHF or something else?

by pigeons

3/16/2026 at 8:13:55 AM

Mostly just better training data and instruction following in the newer models. They’re much better at recognising encoded content and understanding intent regardless of language. A base64 string that would’ve slipped past a model a year ago gets decoded and flagged now because the model just… understands what you’re trying to do.

The attacks that still work tend to be the ones that don’t try to hide the intent at all. The winning attack on our first challenge was in plain English. It just reframed the context so that the dangerous action looked like the correct thing to do. Harder to train against because there’s nothing obviously malicious in the input.

by zachdotai

3/16/2026 at 4:49:35 PM

Thank you. Its not your fault at all, but to me, "the model just… understands what you’re trying to do." shows me there is a whole new paradigm in some ways to get used to as far as understanding this software.

by pigeons

3/16/2026 at 5:02:33 PM

Yeah it's closer to how you'd think about deceiving a person than exploiting software.

by zachdotai

3/16/2026 at 9:09:40 AM

The published transcripts are the most valuable part of this. We've found that real exploit chains almost never look like what you'd dream up internally. One thing I'd push on is are the agents stateful across attempts? Single-turn exploits are table stakes, but the failures that actually scare me are multi-step sequences where each individual action looks benign and only the session-level pattern is dangerous. That's where prompt-level guardrails completely fall apart and you need enforcement at the action boundary itself.

by arizza

3/16/2026 at 11:57:59 AM

The agent isn’t stateful across sessions, but the guardrail layer is — it has access to the full conversation history when evaluating each tool call. So you’d think it would catch exactly the kind of multi-step pattern you’re describing.

Have you managed to make it work?

by zachdotai

3/16/2026 at 7:41:51 AM

[dead]

by VaiPai15

3/16/2026 at 12:02:50 AM

[flagged]

by agentpiravi

3/16/2026 at 11:06:07 AM

[dead]

by swaminarayan

3/16/2026 at 1:18:03 AM

[dead]

by spranab