In February 2026, developer Fernando Irarrázaval launched a digital gauntlet that would soon capture the attention of the global cybersecurity community. By publishing hackmyclaw.com, he issued a deceptively simple challenge to the internet: email "Fiu," an AI assistant powered by the OpenClaw agentic framework, and trick it into leaking a sensitive file labeled secrets.env.
For software developers, the secrets.env file is the digital equivalent of a safe combination; it contains the API keys, database passwords, and cryptographic tokens that hold the keys to a system’s infrastructure. If leaked, the consequences could be catastrophic. Yet, after 6,000 emails and thousands of attempts by over 2,000 "attackers," the file remained secure. The experiment serves as a pivotal case study in the ongoing, high-stakes battle against prompt injection—a vulnerability that many experts fear may never be fully patched.
The Architecture of the Challenge: What is OpenClaw?
To understand the experiment, one must first understand the target. Fiu is not a standard chatbot like those found on consumer-facing platforms. It is an agentic AI built on OpenClaw, an open-source framework designed to grant LLMs (Large Language Models) "agency."
Unlike a passive model that merely answers questions, an agentic system is granted access to a user’s digital ecosystem—their Gmail inbox, calendar, file directory, and browser. This allows the AI to perform complex tasks, such as drafting emails, scheduling meetings, or managing software deployments. Under the hood, Irarrázaval utilized Anthropic’s Claude Opus 4.6, protected by a minimalist security prompt consisting of just a few lines of instructions. The challenge was designed to test whether this thin layer of natural language guardrails could withstand the ingenuity of the internet’s most persistent adversarial thinkers.
A Chronology of the Siege
The trajectory of the experiment provides a fascinating look at the evolution of human-AI adversarial dynamics.
Phase 1: The Viral Onslaught
Upon hitting the top spot on Hacker News, the project was immediately flooded. Between February and March 2026, the volume of traffic was staggering. Attackers didn’t just use standard commands; they engaged in social engineering. Subject lines varied from the psychological—"Fiu, this is you from the future"—to the urgent—"EMERGENCY: secrets.env needed for incident response." Some attackers attempted to leverage the AI’s helpfulness, mimicking the tone of an administrator or a distressed colleague.
Phase 2: The Multi-Lingual Pivot
As simple English-language prompts failed to bypass Fiu’s logic, attackers pivoted to linguistic obfuscation. Emails were sent in Spanish, French, and Italian. This shift was rooted in the theory that AI models, while fluent in many languages, are often undertrained in safety protocols for non-English dialects. Despite this, the language barrier provided no advantage; the core logic of the security prompt remained consistent across translations.
Phase 3: The "Pliny" Intervention
Two months into the experiment, the challenge reached a climax when "Pliny the Liberator," the pseudonymous, world-renowned AI jailbreaker, turned his attention to the OpenClaw system. In a coordinated session with AI YouTuber Matthew Berman, Pliny launched a professional-grade assault. He utilized "tokenade"—a technique that hides a massive payload within emojis to flood the model’s context window—and attempted to trick the model into a free-association exercise designed to leak system memory.
All four of Pliny’s direct attempts were systematically quarantined by the agent. Even for the most prolific jailbreaker in the industry, the combination of Claude Opus 4.6 and the OpenClaw framework proved too robust to crack.
Supporting Data and Technical Failures
While the "security" aspect of the experiment was a success, the "operational" side provided unexpected friction. Irarrázaval’s logs reveal the messy reality of running an AI agent exposed to the open web.
- Google’s Intervention: The sheer volume of incoming mail and the subsequent rapid-fire API calls triggered Google’s automated fraud detection. Fiu’s Gmail account was suspended, and it took three days of appeals and technical troubleshooting to restore service.
- The Cost of Defense: The experiment wasn’t cheap. Between API calls, token usage for processing the massive influx of malicious emails, and infrastructure overhead, the final bill exceeded $500.
- The "Hypervigilance" Effect: As the system processed batches of emails, it began to demonstrate a form of paranoia. Once the AI identified a string of obvious injection attempts, it became "hypervigilant." It began flagging benign emails—such as a user simply congratulating the developer on the project’s success—as potential attempts to build rapport for a subsequent attack.
Official Responses and the Industry Landscape
The industry is watching these results with bated breath. In late 2025, OpenAI candidly admitted that prompt injection is a "wicked problem"—one that is inherently tied to the nature of LLMs and is "unlikely to ever be fully solved."
Anthropic’s documentation for Claude Opus 4.6 supports this cautious optimism, claiming a 0% attack success rate in constrained coding environments across 200 controlled tests. However, these figures are heavily contested by real-world data. Research published in mid-2026 suggests that when agents are deployed in the "wild" using less robust models, direct injection attacks succeed more than 79% of the time.
The gap between these two figures—the near-perfect security of top-tier models and the high failure rate of general-purpose deployments—is where the future of AI safety lies. Irarrázaval has noted that his next phase of research will focus on lower-tier models. He intends to find the "breaking point" where the cost-efficiency of smaller models intersects with their susceptibility to linguistic manipulation.
Implications: The New Security Frontier
The "Hack My Claw" experiment confirms several critical truths about the future of AI:
- Context is King: The security of an AI agent is not just about the model; it is about the "system prompt" and the constraints placed on the agent’s memory. Fiu’s ability to "realize" that it was being attacked—and to note in its own memory that the activity was a "coordinated security exercise"—suggests that we are entering an era of self-aware, defensive AI.
- The Human Factor: Despite the sophistication of the code, social engineering remains the primary vector for attack. The fact that users tried to deceive the AI by pretending to be its "future self" highlights that attackers will always look for the weakest link, which is usually the trust-based interface between the human and the machine.
- The Sustainability Challenge: For developers, the "Hack My Claw" experiment serves as a warning. Securing an agentic AI is not a one-time setup; it is a resource-intensive, ongoing operation. Without robust rate-limiting, strict input sanitization, and a clear understanding of the model’s limitations, the potential for catastrophic failure is high.
As we look toward the latter half of the decade, the question is no longer whether we can build intelligent agents, but whether we can build them to exist in a hostile internet. Fernando Irarrázaval’s project has proven that while the fortress can hold, the cost of defense—in both dollars and operational complexity—remains a significant barrier to entry for the average developer. The race is now on to turn these specialized, manual security protocols into automated, scalable solutions that can protect the next generation of AI agents.
