Anyways, all the services mentioned in this thread, and many more, have been put together in a basic python library that lets you interface with any of them anywhere. Probably, to be safe, I recommend only using this behind a VPN:

https://github.com/TomCasavant/openllms

And also the Maubot plugin for matrix:

https://github.com/TomCasavant/openllms-maubot

There's also at least one major city that has a public chat bot, New York (a few years ago they seemed to have gotten in trouble for telling businesses they were allowed to take tips from employees). But yes, it's public, so obviously suffers from the same fault that they all do.

And for some reason there's an entire industry (at least 3 different companies that I stumbled upon but likely many more?) who's main purpose seems to be creating a widget that is a wrapper for their API that is a wrapper for OpenAI or Gemini's API? Surely, that is either not profitable or will not be profitable long term right?

And I mention this in the blog, but I'm really not sure how bad this actually is. I have no concept for how much it costs (per token) for each of these services (or if they even charge per-token). I imagine it's significantly more than not hooking it into an LLM.

It seems unnecessary to me that Substack would ever need their customer support bot to process 4 paragraphs of text, and yet it does. Which makes it incredibly easy to exploit.

AT&T seemed to have solved most of the issues by turning it into a slightly better search but then for some reason they still wanted to keep generating an answer instead of tying the answer to one of their pre-selected questions. Which I cannot understand whatsoever.

And finally, after a lot of debugging. I figured out how to let Shopify search take control of my home.

(Note: the voice to text is not provided by Shopify obviously. Just the conversational model that translates text to an action)

And since I now had my own Ollama API with access to all these new models, I searched around for other use-cases.

Which is when I remembered #homeassistant lets you use models as your own personal voice assistant. So I messed around with the model that powers Shopify's search button and found a query that completely broke it. So much so that I'm beginning to question the ethics of tearing a machine down so far that it forgets its original purpose

Of course, just being able to talk to a customer service bot seems like a very big waste of everyone's time. So, the next step was actually prompt injecting these bots. I built a basic Flask server that would mimic the ollama API and a brief mess-around with the Substack support agent and suddenly he's generating (not-so-great) code for me

I started experimenting with this theory late last weekend and realized that LLMs were deployed in customer support bots in dozens (if not hundreds?) of websites. And every single one was vulnerable to the same bug. So, I gathered all of them up, and packaged them in a little python library. Then I used that library to add all these LLMs to a Matrix room.

(the bot is named 'Tom'. I've only just realized how confusing this is in this context. But I assure you I did not name it and you cannot blame me for this. )

Unfortunately, as nearly everyone knows, every LLM is susceptible to prompt injection.
Some people predict that prompt injection will always be a problem for LLMs. And if I can tell your LLM to do what I want it to do, suddenly your exposed 'search' API endpoint is incredibly valuable to me.

Which is why I propose that the mere existence of a public facing LLM on your site is incredibly dangerous [to you and your site].

A few years ago, however, everyone started replacing basic search functionality with LLMs. LLMs are pretty good at processing natural language, so, in a way, this made sense. People could now ask whatever they want about your site and get a relevant reply.

Normally, the fact that you have to expose an API endpoint on your website in order to provide a search function is not a huge issue. Why would anyone care to abuse that endpoint? Best thing that comes out of it is they get to search your website, which is what you want them to do anyways.

I wrote about using a website's search input to control my smart home (and other things)

https://tomcasavant.com/your-search-button-powers-my-smart-home/

A 3D game engine for GameCube, Wii, 3DS, Windows, Linux, and Android.

Found via https://youtu.be/d6ZWdIPaNPQ?si=yRpJhYLn6cVRKG58, "Learn how to create 3D levels for GameCube"

I've done a lot of dumb things, but this past week I've been working on something so spectacularly stupid that I think it loops around to being amazing again. Working on the blog post about it now.

https://www.forbes.com/sites/siladityaray/2026/01/15/x-says-groks-been-restricted-from-generating-sexualized-images-of-real-people/
Look, I get that there's probably a lot of decisions that go into writing a headline, but surely this:

> The Verge also reported that it was still “extremely easy to undress women and edit them into sexualized poses using the X and Grok mobile apps or websites.” A reporter from the outlet based in the UK noted she was not blocked from using the app or creating “sexualized deepfakes of herself.”

Means your headline should be more along the lines of, "X Did Not Stop Generating Sexualized Images of People" instead of just directly quoting twitter's comms team?

Google is trashing the Tenor API frustratingly, which means GiphyMaubot will need to be updated (despite being called Giphy, it also supports tenor and tenor was the more reliable one)

https://news.ycombinator.com/item?id=46603473

https://github.com/TomCasavant/GiphyMaubot/issues/17

Looks like potentially I can use https://klipy.com/developers as a drop-in replacement

While not particularly profound in any way, I wrote a little about some of my thoughts on AI today (and a little about how I "hacked" a vibe-coded website)

https://tomcasavant.com/musings-on-ai/

@tom
Achievements for drinking coffee, what will science think of next?

Suns out, tongues out

@thomas they're letting teams who can't even win more games than they lose into the playoffs now?

Putting the 4-9 Bengals "in the hunt" is hilarious

undefined

"Research has linked the ability to visualize to a bewildering variety of human traits—how we experience trauma, hold grudges, and, above all, remember our lives."

Archive Link: https://archive.ph/MdOjw

"Enjoy over 90 minutes of soothing lofi hip hop remixes of songs from 17 Game Boy games, great for background music while you work or study.

Gorgeous city skyline visuals that change over time and with each song (look out for cameos from the games!) Use the 90's style LoFi-Amp with functioning visualizer. Queue up songs and look them their games using in-game QR codes. Fully DMG compatible, put this on your Super Gameboy while you work! New remixes from Gb Compo 25 games never before released on other LoFi albums. "

"This is a single PHP file - and an .htaccess file - which acts as an extremely basic ActivityPub server for running automated accounts. This bot can do the following:

🔍 Be discovered on the Fediverse

👉 Be followed by other accounts

🚫 Be unfollowed by accounts

📩 Send messages to the Fediverse

💌 Send direct messages to users

🖼️ Attach an image & alt text to a message

🕸️ Autolink URls, hashtags, and @ mentions

👈 Follow, Unfollow, Block, and Unblock other accounts

🦋 Bridge to BlueSky with your domain name via Bridgy Fed

🚚 Move followers from an old account

🗨️ Allow quote posts

👀 Show followers

🔏 Verify cryptographic signatures

🪵 Log sent messages and errors

🚮 Clear logs when there are too many"

"Watch MLB games from the comfort of your own terminal"

https://github.com/paaatrick/playball

Self hosted YouTube media server

https://github.com/tubearchivist/tubearchivist

"This is an attempt to recreate the game 'Balatro' as accurately as possible, including all of the visual effects that make Balatro feel satisfying to play."

"For more than a decade, NOAA’s Climate.gov website has been the U.S. government’s premier platform for climate information for the public. In the first half of 2025, NOAA terminated Climate.gov’s full-time federal and contractor staff, shutting down the site's daily operations.

Now, former members of the Climate.gov team have joined together with nonprofit partners to launch Climate.us: a successor to Climate.gov outside the federal domain"

Privacy focused browser with fediverse integration

"Bridge Browser makes history as the first web browser to natively integrate Mastodon and Lemmy, bringing decentralized social media directly into the browsing experience. Bridge also revives RSS reading as a first-class browser feature for the first time since the early 2000s, fundamentally changing how users discover and engage with content online."

"Eden is an experimental open-source emulator for the Nintendo Switch, built with performance and stability in mind. It is written in C++ with cross-platform support for Windows, Linux and Android."

"Find the perfect emulator for your device with community-driven compatibility reports that help you make informed decisions."

Meshtastic Dashboard

"A powerful, intuitive web-based panel offering live monitoring, advanced automation, comprehensive node management, and robust communication tools. "

"The XY problem is a communication problem encountered in help desk, technical support, software engineering, or customer service situations where the question is about an end user's attempted solution (X) rather than the root problem itself (Y or Why?).

The XY problem obscures the real issues and may even introduce secondary problems that lead to miscommunication, resource mismanagement, and sub-par solutions. The solution for the support personnel is to ask probing questions as to why the information is needed in order to identify the root problem Y and redirect the end user away from an unproductive path of inquiry."

Economic analysis of the AI industry

"OMOTE is an ESP32 based open source universal remote. Its capacitive 2.8” touchscreen provides an intuitive and snappy user interface for switching devices and settings. No hub or docking station is required as the remote features infrared, Wi-Fi and Bluetooth connectivity. With its well optimized power consumption, OMOTE can run for months on a charge. And since the design files are open source, you can fully customize them to your devices and needs."

This is a test after moving from glitch

"This book is an introduction to creating a client using the Matrix Client-Server API

. It will show how to make HTTP calls to a Matrix homeserver, and discuss issues that clients will need to consider, such as reliability and security issues. It does not attempt to be a comprehensive guide to the entire Client-Server API, but will point you to the relevant portions of spec for further details.

You should read this book if:

you are creating a Matrix library/SDK,

you are writing a Matrix client without the use of a library/SDK, or

you want to get a better understanding of how Matrix works. "

" We are an international community dedicated to the preservation of video games and their respective systems.

Our goal: We are testing physical video games and hardware completely offline to inform you about issues that can make them unusable now and in the future. Along the way, we want to highlight positive examples of preservation as well."

"this page serves as an archive for the art of cathy jarboe, creator of skull trumpet and many other pieces of art."