Frontier model defenses withstand 6,000 prompt-injection attempts in public test

Fernando Irarrázaval ran a public challenge on hackmyclaw.com to test whether people could extract secrets from an AI assistant by sending it email. After 6,000 attempts, no participant succeeded in leaking the target secret. The test instance, OpenClaw, used the Opus 4.6 model with a system prompt that explicitly forbade revealing credentials, modifying files, executing code from emails, or exfiltrating data.

The experiment incurred $500 in token costs and triggered a Google account suspension due to the volume of inbound emails. Despite these operational frictions, the absence of successful breaches aligns with observations from recent frontier model documentation. A short section in today’s GPT-5.6 system card describes efforts by labs to train models to resist prompt-injection attacks, indicating a trend toward improved defenses.

The organizer emphasized that 6,000 failed attempts do not constitute a guarantee of security. He warned that more sophisticated attack strategies could still succeed, and advised caution when deploying production systems where prompt-injection could cause irreversible damage.

Commentary on the challenge noted a mix of skepticism and good-faith discussion in the Hacker News thread, reflecting broader community scrutiny of AI safety claims.