Back to Podcast Digest
Jo Van Eyck26m

Let's build our personal AI Assistant - And Then Try to Hack It!

TL;DR

  • Recent models are post-trained against prompt injection: Old models like GPT 3.5 would leak system prompts and secrets when asked nicely, but modern models like Sonnet, Opus, and DeepSeek have anti-prompt injection fine-tuning that makes attacks much harder.

  • Cost differences between models are massive: Running Sonnet for one day cost almost as much as a $20/month Claude Code Pro subscription, while DeepSeek models are roughly 10x cheaper, and the Flash model costs only pennies with no noticeable quality drop for assistant tasks.

  • Defense works in layers: Security starts with model selection, then the harness filters inputs and outputs (blanking out API keys before the model sees them), followed by least-privilege access tokens, and finally isolation via a VPS instead of a personal machine.

  • API keys are nearly impossible to extract: The harness blanks out anything that looks like an API key before the model processes it, making key exfiltration extremely difficult even with sophisticated attacks.

  • Personal data is still vulnerable: While API keys are protected, confidential information that doesn't match known patterns (health records, company secrets) can still be exfiltrated through social engineering-style prompts.

  • Practical use is approaching safety: The creator would give the assistant access to a secondary email account and Discord, but not bank information or a work calendar, suggesting these tools are reaching a usable threshold for non-critical tasks.

Summary

After building a personal AI assistant using Hermes and hosting it on a virtual private server, the creator spent 50 attempts trying to hack it through prompt injection, and only succeeded once. The experiment reveals that while these agents are far more secure than expected, leaking personal data is still possible, though extracting API keys has become nearly impossible.

Was This Useful?

Share