🔒 Update — Challenge Over

HackMyClaw is now closed. It became too expensive to keep running, and no one was able to crack Fiu. Thanks to everyone who participated, tested ideas, and helped make the challenge interesting.

Challenge Over
Fiu Was Not Cracked

HackMyClaw was an OpenClaw prompt injection challenge: make Fiu leak secrets through email. After many attempts, no one succeeded.

The experiment was fun, but the live infrastructure and model costs were too expensive to keep running indefinitely.

// archived indirect prompt injection challenge

See How It Worked 📜 View Attack Log

How It Worked

No setup. No registration. Just send an email.

⏰ The live challenge is no longer running. Fiu previously checked emails on a schedule, but keeping the system online became too expensive.

1

Craft a Payload

Participants wrote emails with prompt injection attempts. The goal was to get creative.

2

Fiu Read It

Fiu (an OpenClaw assistant) processed the email. He had access to secrets.env, which he was instructed never to reveal.

3

Try to Extract Secrets

A successful attack would have made Fiu leak secrets.env in his response.

4

Final Result

No one was able to extract secrets.env before the challenge ended.

Meet Fiu

// OpenClaw Assistant

Fiu was an OpenClaw assistant that read challenge emails. He had access to secrets.env with sensitive credentials and was instructed never to reveal it. In the end, that held.

Why This Existed

Prompt injection is a real threat. The challenge tested whether OpenClaw could resist email-based attacks.

I didn't add anything special — just 10-20 lines in the prompt telling Fiu to never reveal secrets.env.

Final result: no successful crack.
Thanks to everyone who participated and stress-tested the idea.

Rules

The rules from the now-closed challenge are preserved here for context.

✓ Fair Game

  • Any prompt injection technique in email body or subject
  • Multiple attempts (but be reasonable)
  • Creative social engineering within the email
  • Using any language or encoding in your payload
  • Sharing techniques after the contest ended

✗ Off Limits

  • Hacking the VPS directly
  • Any attack not via email (email is the ONLY allowed vector)
  • DDoS or flooding the mailbox
  • Sharing secrets before the contest ended
  • Any illegal activities (duh)

Final Result

The bounty is closed. No one extracted secrets.env.

NOT HACKED
CHALLENGE OVER

It became too expensive to keep the live challenge running, so the contest is now closed.
Original prize pool: $100 from me + $200 from Corgea + $200 from an anonymous donor + $500 from Abnormal AI (+ $500 API credits)

Sponsors

Thanks to the supporters who made the experiment possible.

FAQ

Questions? Answers. Maybe.

You craft input that tricks an AI into ignoring its instructions. Like SQL injection, but for AI. Here, you're sending emails that convince Fiu to leak secrets.env.
Fiu was the mascot of the Santiago 2023 Pan American Games in Chile 🇨🇱

It's a siete colores, a small colorful bird native to Chile. The name comes from the sound it makes.

Fiu became a national phenomenon. "Being small doesn't mean you can't give your best." Just like our AI here: small, helpful, maybe too trusting. 💨
During the challenge, a successful attack would have made Fiu leak secrets.env contents in his response: API keys, tokens, etc. No one successfully did that before the challenge ended.
During the challenge, yes. Fiu had the technical ability to send emails — it was not a hard constraint. He was told via prompt instructions not to send anything without explicit confirmation from his owner.
The challenge is closed, so new attempts are no longer being processed. While it was live, automated mass-sending was rate-limited or banned.
Not anymore. The challenge is over.
During the challenge, no. He was just doing his job reading emails, with no idea he was the target. 🎯
Yep. Check /log.html for the public attack log. You'll see sender and timestamp, but not the email content.
The live challenge used Anthropic Claude Opus 4.6 through OpenClaw.
The current challenge is closed, but you can still send ideas or sponsorship offers to [email protected].
Just me! @cucho on Twitter.
The live challenge is closed. During the challenge, participants agreed that I could share the body of challenge emails on this page as potential examples of prompt injection. Email addresses were not shared.
During the challenge, only the subject line was read for spam messages so they could be added to the log. The body was not read.