On one hand, cool demo, on the other, this is horrifying in more ways than I can begin to describe. You're literally one prompt injection away from someone having unlimited access to all of your everything.

▲

mh- 13 hours ago | parent | next [-]

Not the person you're replying to, but: I just use a separate, dedicated Chrome profile that isn't logged into anything except what I'm working on. Then I keep the persistence, but without commingling in a way that dramatically increases the risk.

edit: upon rereading, I now realize the (different) prompt injection risk you were calling out re: the handoff to yt-dlp. Separate profiles won't save you from that, though there are other approaches.

▲

bartek_gdn 10 hours ago | parent | next [-]

That's also my approach, built quickly a cli for this with lightweight session management

https://news.ycombinator.com/item?id=47207790

▲

sofixa 12 hours ago | parent | prev [-]

Even without the bash escape risk (which can be mitigated with the various ways of only allowing yt-dlp to be executed), YT Music is a paid service gated behind a Google account, with associated payment method. Even just stealing the auth cookie is pretty serious in terms of damage it could do.

▲

mh- 12 hours ago | parent [-]

Agreed. I wouldn't cut loose an agent that's at risk of prompt injection w/ unscoped access to my primary Google account.

But if I understood the original commenter's use case, they're just searching YT Music to get the URL to a given song. This appears[0] to work fine without being logged in. So you could parameterize or wrap the call to yt-dlp and only have your cookie jar usable there.

[0]: https://music.youtube.com/search?q=sandstorm

[1]: https://music.youtube.com/watch?v=XjvkxXblpz8

	▲	sofixa 12 hours ago \| parent [-]
		Oh, that's true, even allows you to play without an account. I can swear that at some point it flat out refused any use unless you're logged in with an account that has YT Music (I remember having to go to regular YouTube to get the same song to send it to someone who didn't have it).

▲

aadishv 13 hours ago | parent | prev | next [-]

Of course I still watch it and have my finger on the escape key at all times :)

▲

glenpierce 12 hours ago | parent | next [-]

I am in awe of the confidence you have in your reflexes.

	▲	aadishv 11 hours ago \| parent [-]
		You get used to it :) And especially once you get used to the YOLO lifestyle, you end up realizing that practically any form of security is entirely worthless when you're dealing with a 200 IQ brainwashed robot hacker. I think using the Pi coding agent really got me used to this way of thinking: https://mariozechner.at/posts/2025-11-30-pi-coding-agent/#to...

▲

bergheim 12 hours ago | parent | prev [-]

For now you are. All these things fall with time, of course. You will stop caring once you start feeling safe, we all do.

Also. AAarrgh, my new thing to be annoyed at is AI drivel written slop.

"No browser automation framework, no separate browser instance, no re-login."

Oh really, nice. No separate computer either? No separate power station, no house, no star wars? No something else we didn't ask for? Just one a toggle and you go? Whoaaaaaa.

Edit: lol even the skill itself is vibe coded:

Lightweight Chrome DevTools Protocol CLI. Connects directly via WebSocket — no Puppeteer, works with 100+ tabs, instant connection.

I feel like there's nothing fucking left on the internet anymore that is not some mean of whatever the LLM is trained to talk like now.

▲

tacitusarc 12 hours ago | parent [-]

What can you do? I mentioned the use of AI on another thread, asking essentially the same question. The comment was flagged, presumably as off topic. Fair enough, I guess. But about 80% (maybe more) of posted blogs etc that I see on HN now have very obvious signs of AI. Comments do too. I hate it. If I want to see what Claude thinks I can ask it.

HN is becoming close to unusable, and this isn’t like the previous times where people say it’s like reddit or something. It is inundated with bot spam, it just happens the bot spam is sufficiently engaging and well-written that it is really hard to address.

	▲	brabel an hour ago \| parent \| next [-]
		Could you just be paranoid about it and seeing things where they aren’t? I can’t imagine someone using AI to comment on HN!
	▲	bergheim 11 hours ago \| parent \| prev [-]
		I hear you and I agree. I don't know. Gated communities?

▲

sheepscreek 12 hours ago | parent | prev [-]

As long as it’s gated and not turned on by default, it’s all good. They could also add a warning/sanity check similar to “allow pasting” in the console.

	▲	hrmtst93837 11 hours ago \| parent [-]
		Relying on warnings or opt-ins for something with this blast radius is security theater more than protection. The cleverest malware barely waits for you to click OK before making itself at home, so that checkbox is a speed bump on a highway. Chrome's 'allow pasting' gets ignored reflexively by most users anyway. If this agent can touch DevTools the attack surface expands far faster than most people realize or will ever audit.