You learn the most random ways to abuse program features, one I still remember because of how long it took to figure it out was an htb box that (after a long exploitation path) used NTFS ADS to hide the flag within the alternate stream in a decoy file; and of course the normal way to extract the stream was disabled so had to do some black magic with other binaries to get it
I was surprised at the low bounty too, considering the resources of openai
Last year I won a similar prompt injection challenge ran by a crypto startup against the latest claude and gpt (at the time) and it was considerably more money, from an org with maybe $5-10m in funding.
That and the restrictive NDA kinda tells me they're not looking for serious bounty hunters, who would either want a lot more money or, alternatively, to be able to publish their work; seems like a marketing stunt.
This one would be a fun challenge in a ctf, or maybe more appropriate for a puzzle hunt – most people would look at the dissassembly and not at the actual bytes and completely miss the binary encoding
It's generated, when you try it you can see this is mostly a harness around claude opus 4.7 that helps it create a good design plan, it also supports asking you questions as it goes along, letting you review and feedback on mockups, etc, but ultimately if you look at what it's generating as it does it – it's just code
"Its just code" is meaningless to me. Is the code its generating using mostly well known widgets with predefined knobs, or is every element completely custom and the knobs are created on the spot with slightly different naming and function every time?
I actually think I would prefer the more boring "it composes well known widgets" because then there's a chance I could just use this to generate a presentation layer and integrate it instead of new blobs of code I need to essentially reverse engineer or remake.
It's rolling out progressively, it works for me – it actually seems very polished, the examples are really good; and it lets you create your design system from your codebase
I don't have a horse in this race, but this seems the right way to me. As a developer, I do already inject custom scripts to provide extra functionality / automation on SaaS I use where APIs are not available or limited.
However, the thought of the non-technical users I work with doing that is scary, they have no idea if the code the LLM writes is correct, is it going to have a bug that causes a massive issue down the line?
I've seen fat finger errors cause financial loss, but at least in those cases the user always had a chance to realise their error and fix it, with something like this how would you even know?
ty! any CEOs or product people at SaaS companies that come to mind to reach out to? I've been trying to get this in front of more people, so far they're always mind blown when they see how the product works
There are lots of passwords there (though one wonder if they were rotated). Basically, the people doing the hiring are sending PDFs with their credentials to the contractors to do the job.
Motion is an excellent library so I gave this a go on a prod site. Some feedback
- I LOVE the concept, no clunky SaaS, you add the package and start it on your dev server and it just works. It seamlessly did with my vite based build.
- Needs a diff view which tells me what the agent is going to change when I publish my changes, right now it's a bit scary to use without it (not sure if it does once you try to publish changes, I didn't get that far in the process)
- I don't see the point of the "draw" feature. Maybe it's because I envision this kind of tool being used so that non-technical members of the team can make small design changes without dev support, and not as a way to design from scratch, but maybe you have a use-case for it.
- Integration with tailwindcss would be a killer feature, this particular project uses tailwind so all the styles in the style view show as the default ones but of course they're being applied via classes. You could detect tailwind classes and either show them separately or resolve them and show what they do in the styles view, then on publish you'd tell the agent to edit using tailwind classes
I agree with what others have said, a video or even better a live demo would be great. A demo would be extra work but would be super cool, as a stopgap you could have a stackblitz demo maybe.
The client-side injected js -> mcp flow is brilliant though. I might have to steal that idea for some projects I'm working in, I can imagine a lot of scenarios where it would make a great interface
I just pushed a video to the homepage, there was already a live demo though, it was actually quite simple to implement (mostly gate a few things). There was a bit of a fear that agent somewhere out there would still be listening though...
I think a diff is an excellent idea. Perhaps with the ability to remove specific changes and switch before/after.
In terms of Tailwind, I'm thinking about a token/strict mode which would detect Tailwind classes and CSS variables. It wouldn't expose these in the sense you had to apply each one manually, but if you were for instance changing padding, it would snap between all your pre-defined tokens.
For the draw feature I think I'm just heavily Framer-pilled and it lets you pre-determine a rough width and height within a stack. But perhaps there's space for a click-to-add also with minimum dimensions.
Sorry I'm blind! I completely missed the live demo. I think because it's on the top right corner I instinctively ignored it.
Maybe could have a "Try live" button that sort of nudges you to it (could open the sidebar with the page structure or something to make it obvious you're in "edit mode") if other people struggle to find it
Re. diff view, yes, I think it's the kind of thing that would give reassurance to users that they can play around with it without breaking anything, otherwise I feel I'd be a bit scared of accidentally touching something that shouldn't be changed (especially as you might experiment a bit before you land on the right style to change)
Honestly, you'll struggle to find a cloud platform cheaper than cloudflare.
The $5/mo gets you 10 million dynamic requests (static assets are not included in this limit, so often a single pageview will be 1 dynamic request) and that would be across the whole workers product for your account, no extra pricing for extra websites, domains, or anything else like you'd see in most "wordpress hosting"
I run all my personal sites and client sites (one of them for a fortune 500 company) in the $5/mo plan, and the only time I went over that was when a client got hammered with malicious requests (and it was like $100)
Disclaimer: I have no relationship to cloudflare, I'm just a happy customer
I run a rust webserver on a €4 VPS from hetzner that serves 300M (million) requests a day. Way cheaper than doing that on _any_ "serverless" request-based platform, I think.
Yes perhaps I should have specified you can't get much cheaper for serverless platforms.
You can certainly run a VPS like that for cheaper, you could probably even beat the raw request numbers from those 1€ a month vps from ovh or similar. The key difference is with cloudflare your site is globally distributed by default, and you get to buy into the whole ecosystem, if you want.
But sometimes you do have clients in both sides of the atlantic and it's nice being able to cut their request times by a few hundred ms "for free". Personally, that's not the main reason I use cloudflare, but it can be handy!
Care to share your multi-site strategy? I've been investigating ways to program billing alerts, which should alert me when bill is at xx%. There are a few ways, so that makes it more paletable. It just boils my blood when these big platforms don't offer it as a feature. THAT IS JUST PURE UNADULTERATED EVEIL, IT SOULD BE CRIMINAL REALLY!!
if one of the advantages is making it copy-pastable then I would suggest the REXC viewer should give you the option to copy the REXC output, currently I have no way of knowing this by looking at your github or demo viewer
another thing, I put in a 400KB json and the REXC is 250KB, cool, but ideally the viewer should also tell me the compressed sizes, because that same json is 65kb after zstd, no idea how well your REXC will compress
edit: I think I figured out you can right click "copy as REXC" on the top object in the viewer to get an output, and compressed it, same document as my json compressed to 110kb, so this is not great... 2x the size of json after compression.
Thanks for testing it out! Yes, the website could use some love to make everything more discoverable.
The primary use case is not compression, it's just a nice side effect of the deduplication. This will never beat something like zstd, brotli, or even gzip.
My production use cases are unique in that I can't afford the CPU to decompress to JSON and then parse to native objects. But with this format, I can use the text as-is with zero preprocessing and as a bonus my datasets are 18x smaller.
Right and that makes sense. There is more information in here. The entire thing is length prefixed and even indexed for O(1) array lookups and O(log2 N) object lookups.
If you don't care about random access and you don't mind the overhead of decompression, don't use RX.
I think this makes sense, when you explain it like that, it might be a matter of cleaning up the docs a bit so the "why" of RX is more clear (admittedly, a README is not always the best channel for this!)
reply