i love this. there's a mechanism to slip secret messages to the LLM that it is told ...

2026-04-01 08:28:29 UTC

i love this. there's a mechanism to slip secret messages to the LLM that it is told to interpret as system messages. there is no validation around these of any kind on the client, and there doesn't seem to be any differentiation about location or where these things happen, so that seems like a nice prompt injection vector. this is how claude code reminds the LLM to not do a malware, and it's applied by just string concatenation. i can't find any place that gets stripped aside from when displaying output. it actually looks like all the system reminders get catted together before being send to the API. neat!

Author Public Key

npub1ljmfkwmllavdpnf5tgmrfay6mj4t78c0xryugfw4qka0c4exas0q2pw8tm

Seen on

wss://relay.momostr.pink

Show more details

Published at

2026-04-01 08:28:29 UTC

Kind type

1 Short Text Note

Event JSON

{ "id": "0ea3fedd984b0487e388960b03a3b82a38ad9935092742f6692d7eaea3a2cb3b", "pubkey": "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e", "created_at": 1775032109, "kind": 1, "tags": [ [ "e", "2bb9f53c1d679af374cf520d9d3dc5500aafdfd8c437b30827d6acc58d0c1b26", "", "root", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "imeta", "url https://media.neuromatch.social/media_attachments/files/116/328/499/126/523/780/original/4b72bf294b769de8.png", "m image/png" ], [ "imeta", "url https://media.neuromatch.social/media_attachments/files/116/328/498/931/145/096/original/eeda9b777630bb94.png", "m image/png" ], [ "e", "fe233b97097dcd75e7ca1905c068aeaf2a63a3dae19e188281ddcd36f983fc64", "", "reply", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "imeta", "url https://media.neuromatch.social/media_attachments/files/116/328/481/072/471/802/original/c3be10f5f33aeaee.png", "m image/png" ], [ "p", "fcb69b3b7fff58d0cd345a3634f49adcaabf1f0f30c9c425d505bafc5726ec1e" ], [ "p", "8f0d58cb3120c79ed44f4699eaf559b63067329357a84354ede7d5ad3e989e6a" ], [ "proxy", "https://neuromatch.social/@jonny/116328504299888679", "web" ], [ "proxy", "https://neuromatch.social/users/jonny/statuses/116328504299888679", "activitypub" ], [ "L", "pink.momostr" ], [ "l", "pink.momostr.activitypub:https://neuromatch.social/users/jonny/statuses/116328504299888679", "pink.momostr" ], [ "-" ] ], "content": "i love this. there's a mechanism to slip secret messages to the LLM that it is told to interpret as system messages. there is no validation around these of any kind on the client, and there doesn't seem to be any differentiation about location or where these things happen, so that seems like a nice prompt injection vector. this is how claude code reminds the LLM to not do a malware, and it's applied by just string concatenation. i can't find any place that gets stripped aside from when displaying output. it actually looks like all the system reminders get catted together before being send to the API. neat!\nhttps://media.neuromatch.social/media_attachments/files/116/328/481/072/471/802/original/c3be10f5f33aeaee.png\nhttps://media.neuromatch.social/media_attachments/files/116/328/498/931/145/096/original/eeda9b777630bb94.png\nhttps://media.neuromatch.social/media_attachments/files/116/328/499/126/523/780/original/4b72bf294b769de8.png\n", "sig": "d64cf234c8e1406683245f659f0bd677f4a1b52cc44668a02fa6c01d6543b8937b45084120626ae38b7ae3e535d4a6fd5c27839cf601212edb91df5fa77b18a6" }

jonny (good kind) on Nostr: i love this. there's a mechanism to slip secret messages to the LLM that it is told ...