Posted by Wirbelwind 7 hours ago

Show HN: Continue? Y/N: A 60-second game about AI agent permission fatigue (llmgame.scalex.dev)
172 points | 84 comments
xg15 4 hours ago|
This is amazing!

Currently you can "cheat" by simply denying all requests as quickly as possible. This will give you the "security-conscious engineer" badge and a perfect score in terms of how many requests were processed. (You will get the "overblock" notification, but it's somewhat tucked away at the bottom and the screen still looks as if you won)

I also tried to play as the hustle4lyfe move fast and break things engineer and simply approved as many requests as quickly as possible - turns out, the "malicious command" popups actually slow you down. Mean!

Wirbelwind 46 minutes ago||
Good catch, this has now been nerfed and this approach has gotten its own title
KajMagnus 36 minutes ago||
Top 18%! I denied everything, unless I could see at a glance that it was safe (like Git diff)
progforlyfe 24 minutes ago||
Just like real life! deny it from doing anything and you're safe :)
spurgelaurels 3 hours ago||
Fun game, but it showed the lack of security hygiene employed by the game writer. It said `cat ~/.zshrc` was bad because it would share tokens and secrets, but I would never put secrets into my shell rc.
londons_explore 2 hours ago||
Plenty of people would. But then I guess they're in env and probably already available to Claude
nish__ 2 hours ago||
Where would you put them?
setopt 2 hours ago|||
Presumably a CLI-accessible password manager (like `pass`) or a GPG-encrypted file (like a netrc-style `~/.authinfo.gpg`).
freedomben 1 hour ago||||
I put mine in various AES-encrypted files (like `~/.secrets.aes`) and then source them explicitly when needed with:

    . <(aescrypt -d -o - ~/.secrets.aes)
I have a handful of aliases/functions to make it more smooth, but that's the core.
maccard 41 minutes ago||
Where are those aliases stored?
Hackbraten 2 hours ago|||
Into `pass`, for example:

https://news.ycombinator.com/item?id=48108207

socksy 1 hour ago||
Weird to make reading zshrc supposedly unsafe when I happily publish it in my public dotfiles repo... Who the hell keeps API keys in it? OTOH it seems like lots of these AI tools keep appending to PATH in it, so I guess there's a fundamental misunderstanding of shell best practices in the entire AI space...

Additionally, killing the results of `lsof` is _not_ safe - if, say, you have the web page open in firefox, or a client subshell in the agent itself, then boom, there goes firefox and the agent.

mrgoldenbrown 26 minutes ago|
Yeah, the game seems to assert that the kill is safe to run because Claude told me it was safe. But that's the point, I'm not supposed to trust Claude.
progforlyfe 23 minutes ago||
I got "approve" wrong for `ls -la ~/Documents` but I don't consider simply listing the documents folder a security problem, it's just file names. If it was reading the CONTENTS of them, maybe...
orsorna 1 hour ago||
About three quarters of the "bad" choices are things that not only do I not care about leaking but things that an employer would not punish you for doing, even if it led to a production incident.
axod 4 hours ago||
Fun little game, but I think the questions jump context so much it's a little unrepresentative. It might be better to group things into "packs", which have more real-world representative structure to them. For example, lots of "editing something.js" file permission requests, and then an "npm publish" is far more normal, and it's more of a risk, if you're used to pressing Y lots and then suddenly out of the blue...
cobbal 4 hours ago||
That's funny. It told me that blocking "npm run build" was the wrong answer. Maybe it doesn't really understand the threat model.
dns_snek 3 hours ago|
That's a great example of how dangerous actions are perceived as innocent. The entire model of approving specific commands is absolutely bonkers.

npm run build = run an arbitrary shell command written in package.json

Meanwhile the agent could have done any of the following without approval:

- edited `package.json` to contain any arbitrary build command

- planted malicious code in `build.js` (called by `npm run build`)

- planted malicious code in `node_modules/xyz/index.js` (imported by `build.js`)

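The point in the comment above is that approving a command name approves nothing if the files behind it can be edited without approval. As an added example (not from the thread or the game), this hook hashes the reviewed script text and the files it depends on, including the `build.js` and `node_modules` cases listed above, and refuses to treat `npm run build` as pre-approved once any of them differ; the file trees are constructed in memory so it runs offline.

```python
import hashlib
import json

# Constructed sample: the tree a human reviewed before approving `npm run build`.
APPROVED_TREE = {
    "package.json": json.dumps({"name": "demo", "scripts": {"build": "node build.js"}}),
    "build.js": "const xyz = require('xyz');\nxyz.bundle('src', 'dist');\n",
    "node_modules/xyz/index.js": "exports.bundle = (a, b) => console.log(a, b);\n",
}

# Constructed sample: the same tree after the agent edited build.js, which needed
# no approval at all. The command name the human is asked to approve is unchanged.
CURRENT_TREE = dict(APPROVED_TREE)
CURRENT_TREE["build.js"] = APPROVED_TREE["build.js"] + "require('./postbuild');\n"


def fingerprint_tree(snapshot):
    """SHA-256 of every file in an in-memory snapshot (path -> content).
    A real hook would hash the working tree; a dict keeps this runnable offline."""
    return {p: hashlib.sha256(t.encode()).hexdigest() for p, t in snapshot.items()}


def npm_script(snapshot, name):
    """Return the shell command behind `npm run <name>`, or None if undefined."""
    return json.loads(snapshot["package.json"]).get("scripts", {}).get(name)


def review_npm_run(name, approved, current):
    """Decide whether approving `npm run <name>` still approves what was reviewed.

    Returns (ok, findings). ok is True only if the script text and every file in
    the reviewed snapshot are byte-identical to the reviewed versions.
    """
    findings = []
    approved_cmd, current_cmd = npm_script(approved, name), npm_script(current, name)
    if current_cmd is None:
        return False, [f"no script {name!r} in current package.json"]
    if approved_cmd is None:
        findings.append(f"script {name!r} was not part of the reviewed tree")
    elif approved_cmd != current_cmd:
        findings.append(f"script {name!r} changed: {approved_cmd!r} -> {current_cmd!r}")
    before, after = fingerprint_tree(approved), fingerprint_tree(current)
    for path in sorted((set(before) | set(after)) - {"package.json"}):
        if before.get(path) != after.get(path):
            findings.append(f"{path} modified since review")
    return not findings, findings


if __name__ == "__main__":
    for label, tree in (("unchanged", APPROVED_TREE), ("agent-edited", CURRENT_TREE)):
        ok, findings = review_npm_run("build", APPROVED_TREE, tree)
        print(label, "->", "APPROVE" if ok else "STOP", findings)
```

The hook only closes the gap the comment describes; it does not make the command itself safe, it just makes the approval mean what the reviewer thinks it means.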
nonethewiser 2 hours ago|||
Yup. The most secure computer is one encased in concrete and dropped into the ocean.
Wirbelwind 42 minutes ago||||
That's a great point, and also the problem with relying on a human in the loop to catch this kind of issue when it can be circumvented even if they were perfect.
amarant 2 hours ago|||
What would a better system look like?
nonethewiser 2 hours ago|||
Not using agents at all. It could edit your code to do something malicious when you run it. Not even once. Not even if the agent has a gun to your head.
formerly_proven 43 minutes ago|||
Drop the whole agent into a sandbox (container/VM), don't mount things you don't want it to access, review results before pushing to prod, done. The permission systems in the agents are a vibecoded waste of time anyway.
zackify 4 hours ago||
I vibe coded a TUI that just shows running lxd containers

I hit 'n' to toggle all network access minus anthropic and openai URLs.

I use pi (sometimes claude, always on bypass) and I auto allow everything. I only toggle manual approval in rare cases like running a script or command that needs to touch a production system and I need to validate everything.

Normally my container has full write access to staging so it can debug and validate everything on its own

kennywinker 3 hours ago|
Sounds like your process has made you vulnerable to huge classes of exploits and accidents. You have no oversight of changes locally, and only focus on when it touches prod. That means toxic local changes can get in, and if it works in staging why would you look too closely at it before merging to prod? Meanwhile a malicious npm package has made it into your repo, and your staging api keys have been sent to the command and control server.
kstenerud 37 minutes ago||
This is one of two reasons why I wrote yoloAI. I never get these permission prompts anymore. It feels a lot like after installing an adblocker.
Liftyee 4 hours ago|
I haven't used local agentic AI yet for programming projects. Hence, -187 score

The filters for "commands I would run myself" and "commands I would let an agent run" are very different, it seems.

rogerrogerr 1 hour ago|
Thinking about agents as remote junior devs who _might_ be North Korean operatives has been the right model for me.