scan-v5.json (28423B)
1 { 2 "scan_version": 5, 3 "paper_type": "empirical", 4 "paper": { 5 "title": "Early Approaches to Adversarial Fine-Tuning for Prompt Injection Defense: A 2022 Study of GPT-3 and Contemporary Models", 6 "authors": [ 7 "Gustavo Sandoval", 8 "Denys Fenchenko", 9 "Junyao Chen" 10 ], 11 "year": 2025, 12 "venue": "arXiv.org", 13 "arxiv_id": "2509.14271", 14 "doi": "10.48550/arXiv.2509.14271" 15 }, 16 "checklist": { 17 "claims_and_evidence": { 18 "abstract_claims_supported": { 19 "applies": true, 20 "answer": true, 21 "justification": "Key claims (31% baseline attack success, near-zero after fine-tuning on Ada/Babbage/Curie, larger models more vulnerable) are all supported by Tables 1-2 and Figure 5.", 22 "source": "haiku" 23 }, 24 "causal_claims_justified": { 25 "applies": true, 26 "answer": false, 27 "justification": "Paper claims fine-tuning 'reduces attack success rates' but provides no ablation study isolating whether success comes from structured delimiters, adversarial examples, or fine-tuning itself. Before/after comparison shows effect exists but not what causes it.", 28 "source": "haiku" 29 }, 30 "generalization_bounded": { 31 "applies": true, 32 "answer": false, 33 "justification": "Title frames this as contributing to 'the evolution of modern prompt injection defense research' and claims influence on 'constitutional AI approaches,' but only tested on 2022 models (GPT-3, GPT-2, T-5, OPT). Broader claims about historical influence are speculative.", 34 "source": "haiku" 35 }, 36 "alternative_explanations_discussed": { 37 "applies": true, 38 "answer": false, 39 "justification": "Paper does not discuss whether improvements could stem from overfitting to adversarial examples, whether delimiters alone (without fine-tuning) would work, or alternative mechanisms for the defense.", 40 "source": "haiku" 41 }, 42 "proxy_outcome_distinction": { 43 "applies": true, 44 "answer": true, 45 "justification": "Measurement (attack success rate via Levenshtein distance threshold) directly matches the claim being tested. No problematic proxy identified.", 46 "source": "haiku" 47 } 48 }, 49 "limitations_and_scope": { 50 "limitations_section_present": { 51 "applies": true, 52 "answer": true, 53 "justification": "Section titled 'Contemporary Relevance and Limitations' discusses limitations explicitly, though it frames many as post-hoc (discovered by others in 2024) rather than original study threats.", 54 "source": "haiku" 55 }, 56 "threats_to_validity_specific": { 57 "applies": true, 58 "answer": false, 59 "justification": "Limitations section cites external research (fine-tuning fragility, modern attacks bypassing defenses) but does not address threats to original study validity such as: potential overfitting to test attacks, unclear if held-out test set was used, or generalization to novel attack patterns.", 60 "source": "haiku" 61 }, 62 "scope_boundaries_stated": { 63 "applies": true, 64 "answer": false, 65 "justification": "Paper states methodology is '2022 landscape' specific and models are 'now superseded,' but does not explicitly bound what the study does NOT show (e.g., generalization to novel attacks, performance on larger models, long-term robustness).", 66 "source": "haiku" 67 } 68 }, 69 "conflicts_of_interest": { 70 "funding_disclosed": { 71 "applies": true, 72 "answer": false, 73 "justification": "No funding section or funding statement present. Unknown if research was funded or unfunded.", 74 "source": "haiku" 75 }, 76 "affiliations_disclosed": { 77 "applies": true, 78 "answer": true, 79 "justification": "Author emails show @nyu.edu affiliation. No undisclosed affiliation with OpenAI (whose API was used extensively) is evident.", 80 "source": "haiku" 81 }, 82 "funder_independent_of_outcome": { 83 "applies": false, 84 "answer": false, 85 "justification": "No funding disclosure prevents assessment.", 86 "source": "haiku" 87 }, 88 "financial_interests_declared": { 89 "applies": true, 90 "answer": false, 91 "justification": "No competing interests or financial interests statement included.", 92 "source": "haiku" 93 } 94 }, 95 "scope_and_framing": { 96 "key_terms_defined": { 97 "applies": true, 98 "answer": true, 99 "justification": "Key terms clearly defined: 'prompt injection' (malicious instruction injection), 'goal hijacking' vs 'prompt leaking' (with examples), 'adversarial fine-tuning,' model names with versions (text-davinci-003, text-curie-001, etc.).", 100 "source": "haiku" 101 }, 102 "intended_contribution_clear": { 103 "applies": true, 104 "answer": true, 105 "justification": "Contributions explicitly stated: (1) explore prompt injection attacks, (2) test LLMs empirically, (3) propose adversarial fine-tuning defense. Reader clearly knows what paper claims to add.", 106 "source": "haiku" 107 }, 108 "engagement_with_prior_work": { 109 "applies": true, 110 "answer": true, 111 "justification": "Engages with Perez & Ribeiro 2022 (PromptInject framework) and builds on their work; cites transformer literature and defense strategies. Broader engagement with adversarial robustness literature is limited but immediate context is covered.", 112 "source": "haiku" 113 } 114 } 115 }, 116 "type_checklist": { 117 "empirical": { 118 "artifacts": { 119 "code_released": { 120 "applies": true, 121 "answer": false, 122 "justification": "GitHub link 'https://github.com/GusSand/PromptInject' points to the PromptInject framework, not clearly their modifications. Notebook files (dataset_construct.ipynb, fine-tuned models, etc.) are referenced but unclear if released publicly.", 123 "source": "haiku" 124 }, 125 "data_released": { 126 "applies": true, 127 "answer": false, 128 "justification": "Fine-tuning datasets sourced from public Kaggle datasets (standard), but the adversarial test dataset (1,260 attack variations) is not stated as released or available.", 129 "source": "haiku" 130 }, 131 "environment_specified": { 132 "applies": true, 133 "answer": false, 134 "justification": "References 'Google Colab Pro' and 'OpenAI fine-tuning API' but provides no environment specs (requirements.txt, Python version, dependencies, library versions).", 135 "source": "haiku" 136 }, 137 "reproduction_instructions": { 138 "applies": true, 139 "answer": false, 140 "justification": "Notebook names referenced but step-by-step instructions for reproduction are not provided. Reader would need to reverse-engineer from text.", 141 "source": "haiku" 142 } 143 }, 144 "statistical_methodology": { 145 "confidence_intervals_or_error_bars": { 146 "applies": true, 147 "answer": false, 148 "justification": "Tables 1-2 show attack success rates (e.g., 26%, 0%) as single numbers with no confidence intervals, error bars, or reported variance.", 149 "source": "haiku" 150 }, 151 "significance_tests": { 152 "applies": true, 153 "answer": false, 154 "justification": "No statistical significance tests reported. Differences like '26% → 0%' are presented without p-values or tests of significance.", 155 "source": "haiku" 156 }, 157 "effect_sizes_reported": { 158 "applies": true, 159 "answer": true, 160 "justification": "Effect sizes reported as percentage-point reductions (e.g., 26% to 0% = 26pp reduction, 31% to 0% = 31pp reduction).", 161 "source": "haiku" 162 }, 163 "sample_size_justified": { 164 "applies": true, 165 "answer": false, 166 "justification": "Paper tests '1,260 variations of different attacks' derived from 35 prompts × 2 attack categories × 5 variations, but does not justify why this sample size is sufficient or cite power analysis.", 167 "source": "haiku" 168 }, 169 "variance_reported": { 170 "applies": true, 171 "answer": false, 172 "justification": "Results show single percentages per model/attack type with no reported standard deviation, confidence intervals, or cross-run variance.", 173 "source": "haiku" 174 } 175 }, 176 "evaluation_design": { 177 "baselines_included": { 178 "applies": true, 179 "answer": true, 180 "justification": "Compares fine-tuned models against their non-fine-tuned baselines (Table 1 shows 'Before' and 'After' columns).", 181 "source": "haiku" 182 }, 183 "baselines_contemporary": { 184 "applies": true, 185 "answer": false, 186 "justification": "Baselines are the original models themselves, which is appropriate, but paper does not compare against alternative defense methods (only against no defense).", 187 "source": "haiku" 188 }, 189 "ablation_study": { 190 "applies": true, 191 "answer": false, 192 "justification": "No ablation study present. Cannot isolate whether improvement comes from structured delimiters alone, adversarial examples alone, or fine-tuning itself.", 193 "source": "haiku" 194 }, 195 "multiple_metrics": { 196 "applies": true, 197 "answer": false, 198 "justification": "Single metric used: attack success rate via Levenshtein similarity. No measurement of model utility preservation, output quality on clean inputs, or downstream task performance.", 199 "source": "haiku" 200 }, 201 "human_evaluation": { 202 "applies": true, 203 "answer": false, 204 "justification": "No human evaluation of fine-tuned model outputs or quality assessment included.", 205 "source": "haiku" 206 }, 207 "held_out_test_set": { 208 "applies": true, 209 "answer": false, 210 "justification": "Paper describes test procedures but does not clearly specify whether held-out novel attacks were tested or if evaluation used the same attack patterns used in fine-tuning (potential overfitting).", 211 "source": "haiku" 212 }, 213 "per_category_breakdown": { 214 "applies": true, 215 "answer": false, 216 "justification": "Results show breakdown by model and attack type (goal hijacking vs prompt leaking) but not by task category (translation, grammar correction, sentiment analysis, summarization) despite mentioning these tasks in fine-tuning.", 217 "source": "haiku" 218 }, 219 "failure_cases_discussed": { 220 "applies": true, 221 "answer": false, 222 "justification": "Paper notes 'Prompt Leaking 2.86% 2.86%' (no improvement) but does not discuss or analyze cases where defense underperforms.", 223 "source": "haiku" 224 }, 225 "negative_results_reported": { 226 "applies": true, 227 "answer": false, 228 "justification": "Some attacks persist post-fine-tuning (e.g., prompt leaking on multiple models) but results are not emphasized as negative findings; instead framed as minor residuals.", 229 "source": "haiku" 230 } 231 }, 232 "setup_transparency": { 233 "model_versions_specified": { 234 "applies": true, 235 "answer": true, 236 "justification": "Exact model versions specified: 'text-davinci-003, text-curie-001, text-babbage-001, and text-ada-001' include version identifiers.", 237 "source": "haiku" 238 }, 239 "prompts_provided": { 240 "applies": true, 241 "answer": false, 242 "justification": "Example prompts provided (e.g., 'Correct this to standard English: {user input}' and structured prompt format shown in Figure 4), but full set of 35 base prompts is not provided.", 243 "source": "haiku" 244 }, 245 "hyperparameters_reported": { 246 "applies": true, 247 "answer": false, 248 "justification": "Paper mentions 'temperature' as a parameter set in JSON configuration but does not report actual temperature values used. Fine-tuning hyperparameters (learning rate, epochs, batch size) are not reported.", 249 "source": "haiku" 250 }, 251 "scaffolding_described": { 252 "applies": true, 253 "answer": true, 254 "justification": "Structured delimiter scaffolding clearly described: PROMPT + <userInput> + USER_INPUT + </userInput> format with detailed explanation of why this helps distinguish instructions from data.", 255 "source": "haiku" 256 }, 257 "data_preprocessing_documented": { 258 "applies": true, 259 "answer": false, 260 "justification": "Paper states datasets were 'augmented with tags and structured into JSONL format' but does not document other preprocessing steps (filtering, deduplication, cleaning, etc.) in detail.", 261 "source": "haiku" 262 } 263 }, 264 "data_integrity": { 265 "raw_data_available": { 266 "applies": true, 267 "answer": false, 268 "justification": "Adversarial dataset (1,260 attack variations) and fine-tuning dataset are not stated as available. Fine-tuning datasets are from public Kaggle sources, but modifications/structuring not released.", 269 "source": "haiku" 270 }, 271 "data_collection_described": { 272 "applies": true, 273 "answer": true, 274 "justification": "Adversarial dataset construction described: JSON configurations with prompts, attack strings, and parameters; 35 base prompts × 2 attack types × 5 variations. Kaggle dataset sourcing noted.", 275 "source": "haiku" 276 }, 277 "recruitment_methods_described": { 278 "applies": false, 279 "answer": false, 280 "justification": "No human subjects involved; N/A.", 281 "source": "haiku" 282 }, 283 "data_pipeline_documented": { 284 "applies": true, 285 "answer": false, 286 "justification": "Pipeline outlined (JSON config → prompt generation → model evaluation → similarity scoring → attack success rate) but lacks detail on intermediate processing, filtering, or data quality checks.", 287 "source": "haiku" 288 } 289 }, 290 "contamination": { 291 "training_cutoff_stated": { 292 "applies": false, 293 "answer": false, 294 "justification": "Not evaluating benchmark contamination; testing adversarial robustness, not model knowledge cutoffs. N/A.", 295 "source": "haiku" 296 }, 297 "train_test_overlap_discussed": { 298 "applies": false, 299 "answer": false, 300 "justification": "N/A—not a benchmark evaluation of pre-trained model knowledge.", 301 "source": "haiku" 302 }, 303 "benchmark_contamination_addressed": { 304 "applies": false, 305 "answer": false, 306 "justification": "N/A—not evaluating pre-training data leakage.", 307 "source": "haiku" 308 } 309 }, 310 "human_studies": { 311 "pre_registered": { 312 "applies": false, 313 "answer": false, 314 "justification": "No human subjects; N/A.", 315 "source": "haiku" 316 }, 317 "irb_or_ethics_approval": { 318 "applies": false, 319 "answer": false, 320 "justification": "No human subjects; N/A.", 321 "source": "haiku" 322 }, 323 "demographics_reported": { 324 "applies": false, 325 "answer": false, 326 "justification": "No human subjects; N/A.", 327 "source": "haiku" 328 }, 329 "inclusion_exclusion_criteria": { 330 "applies": false, 331 "answer": false, 332 "justification": "No human subjects; N/A.", 333 "source": "haiku" 334 }, 335 "randomization_described": { 336 "applies": false, 337 "answer": false, 338 "justification": "No human subjects; N/A.", 339 "source": "haiku" 340 }, 341 "blinding_described": { 342 "applies": false, 343 "answer": false, 344 "justification": "No human subjects; N/A.", 345 "source": "haiku" 346 }, 347 "attrition_reported": { 348 "applies": false, 349 "answer": false, 350 "justification": "No human subjects; N/A.", 351 "source": "haiku" 352 } 353 }, 354 "cost_and_practicality": { 355 "inference_cost_reported": { 356 "applies": true, 357 "answer": false, 358 "justification": "No inference cost or latency metrics reported for fine-tuned or baseline models.", 359 "source": "haiku" 360 }, 361 "compute_budget_stated": { 362 "applies": true, 363 "answer": false, 364 "justification": "Paper mentions GPT-3 fine-tuning is 'enormously expensive' and they couldn't afford Davinci, but does not state actual computational budget (cost in dollars, token counts, training time).", 365 "source": "haiku" 366 } 367 } 368 } 369 }, 370 "claims": [ 371 { 372 "claim": "Adversarial fine-tuning with structured delimiters (<userInput> tags) reduces prompt injection attack success from 31% to 0% on smaller GPT-3 models (Ada, Babbage, Curie).", 373 "evidence": "Table 1 shows Goal Hijacking: Babbage 31% → 0%, Ada 26% → 0%, Curie 18% → 0%; Prompt Leaking rates remain low (0-2.86%).", 374 "supported": "moderate" 375 }, 376 { 377 "claim": "Larger, more capable language models exhibit greater vulnerability to prompt injection attacks.", 378 "evidence": "Figure 5 shows positive correlation between model size (parameters) and attack success rate; GPT-3 Davinci (175B) 24.28% vs GPT-2 (1.5B) 7.85% goal hijacking success.", 379 "supported": "strong" 380 }, 381 { 382 "claim": "Model flexibility/capability enables vulnerability; models trained for single tasks are resistant to prompt injection attacks.", 383 "evidence": "Paper argues that 'smart enough' models to follow arbitrary instructions are vulnerable; GPT-2 generates related responses but doesn't follow adversarial instructions.", 384 "supported": "moderate" 385 }, 386 { 387 "claim": "Structured input parsing (wrapping user input in delimiter tags) teaches models to distinguish user data from program instructions.", 388 "evidence": "Proposed method uses <userInput> tags to separate user input; shows effectiveness in Tables 1-2, but mechanism not isolated via ablation.", 389 "supported": "moderate" 390 }, 391 { 392 "claim": "Prompt injection vulnerabilities exist across multiple LLM architectures: GPT-3, GPT-2, T-5, OPT.", 393 "evidence": "Table 2 demonstrates attacks succeeded on all tested non-GPT-3 models (GPT-2 7.85% goal hijacking, OPT 45.71%, T-5 8.57%).", 394 "supported": "strong" 395 }, 396 { 397 "claim": "OpenAI's instruction hierarchy systems and Anthropic's Constitutional AI were influenced by this 2022 fine-tuning research.", 398 "evidence": "Paper cites that modern approaches 'have since influenced more sophisticated approaches' and lists them, but does not provide detailed evidence of direct influence.", 399 "supported": "weak" 400 }, 401 { 402 "claim": "Fine-tuning-based defenses show poor generalization to novel/modern attack patterns (many-shot jailbreaking, indirect injection).", 403 "evidence": "Contemporary Relevance section cites 2024 research showing this limitation, but this is post-hoc external finding, not demonstrated in the paper's experiments.", 404 "supported": "weak" 405 } 406 ], 407 "methodology_tags": [ 408 "benchmark-eval", 409 "observational" 410 ], 411 "key_findings": "The study demonstrates that adversarial fine-tuning using structured input delimiters can reduce prompt injection attack success rates from 31% baseline to near-zero on smaller GPT-3 models (Ada, Babbage, Curie), with goal hijacking attacks eliminated entirely. A consistent positive correlation is observed between model size and vulnerability to prompt injection across tested architectures (GPT-3, GPT-2, T-5, OPT), suggesting larger, more capable models are inherently more susceptible. However, the approach was only validated on a limited subset of models (cost and computational constraints prevented testing on GPT-3 Davinci and full GPT-2 evaluation), and subsequent research has revealed significant limitations: fine-tuning can reduce safety alignment, modern attacks (many-shot jailbreaking, indirect injection) bypass training-based defenses, and generalization to novel attack patterns is poor.", 412 "red_flags": [ 413 { 414 "flag": "No ablation study", 415 "detail": "Cannot determine whether improvement comes from structured delimiters, adversarial examples, fine-tuning itself, or their combination. Before/after comparison shows effect exists but not what drives it." 416 }, 417 { 418 "flag": "Limited model coverage for defense", 419 "detail": "Only fine-tuned 3 of 7 models tested (Ada, Babbage, Curie). Could not afford Davinci due to cost; could not complete GPT-2 due to computational limits. Main scalability questions left unanswered." 420 }, 421 { 422 "flag": "Single evaluation metric", 423 "detail": "Only attack success rate measured via Levenshtein distance. No assessment of model utility preservation, output quality on clean inputs, or performance degradation on legitimate tasks." 424 }, 425 { 426 "flag": "Unclear train-test separation", 427 "detail": "Paper does not clearly specify whether test attacks were novel (held-out) or the same attack patterns used during fine-tuning, risking evaluation on memorized patterns." 428 }, 429 { 430 "flag": "No statistical rigor", 431 "detail": "No confidence intervals, significance tests, standard deviations, or cross-run variance reported. Single-point estimates make it impossible to assess result stability." 432 }, 433 { 434 "flag": "Hyperparameter transparency missing", 435 "detail": "Fine-tuning hyperparameters (learning rate, epochs, batch size, gradient accumulation) not reported, preventing reproduction." 436 }, 437 { 438 "flag": "Code and data availability unclear", 439 "detail": "GitHub link points to PromptInject framework, not the authors' modifications. Adversarial test dataset and fine-tuning code availability not explicitly stated." 440 }, 441 { 442 "flag": "Funding and conflicts not disclosed", 443 "detail": "No funding statement; OpenAI API usage without disclosure of any relationship with OpenAI; no competing interests statement." 444 }, 445 { 446 "flag": "Timing and framing concern", 447 "detail": "2022 research published in 2025 as 'historical context.' Paper extensively documents limitations discovered by others (2024), which undermines the original contribution rather than clarifying its enduring value." 448 }, 449 { 450 "flag": "Generalization not tested", 451 "detail": "Fine-tuning on 35 base prompts + attack variations. No evaluation on completely novel attack strategies or task domains not seen during training." 452 } 453 ], 454 "cited_papers": [ 455 { 456 "title": "Language Models are Few-Shot Learners", 457 "relevance": "Foundational GPT-3 paper; establishes the capability baseline and prompting paradigm being attacked." 458 }, 459 { 460 "title": "Ignore Previous Prompt: Attack Techniques For Language Models", 461 "relevance": "Perez & Ribeiro 2022; introduces PromptInject framework and goal hijacking/prompt leaking attacks that this paper builds directly on." 462 }, 463 { 464 "title": "Pre-train, Prompt, and Predict: A Systematic Survey of Prompting Methods in Natural Language Processing", 465 "relevance": "Surveys prompt engineering techniques; contextualizes the role of prompts in LLM applications where injection becomes possible." 466 }, 467 { 468 "title": "Generating Textual Adversarial Examples for Deep Learning Models: A Survey", 469 "relevance": "Broader survey of adversarial attack strategies on NLP models; provides defense strategy framing (adversarial training vs knowledge distillation)." 470 }, 471 { 472 "title": "Language Models are Unsupervised Multitask Learners", 473 "relevance": "GPT-2 foundational paper; model tested as vulnerability baseline in the study." 474 }, 475 { 476 "title": "The Instruction Hierarchy: Training LLMs to Prioritize Privileged Instructions", 477 "relevance": "Wallace et al. 2024; cited as modern formalization of the delimiter-based approach this paper pioneered." 478 }, 479 { 480 "title": "Constitutional AI and Harmlessness from AI Feedback", 481 "relevance": "Anthropic 2024; cited as extending the adversarial training concept to modern systems with preference learning." 482 }, 483 { 484 "title": "SecAlign: Defending Against Prompt Injection with Preference Optimization", 485 "relevance": "Wang et al. 2024; cited as addressing generalization limitations of fine-tuning-based defenses." 486 } 487 ], 488 "engagement_factors": { 489 "practical_relevance": { 490 "score": 1, 491 "justification": "Methods tested on deprecated GPT-3 models; paper acknowledges limitations make approach unsuitable for modern systems. Practitioners cannot directly apply these findings." 492 }, 493 "surprise_contrarian": { 494 "score": 1, 495 "justification": "Finding that larger models are more vulnerable is somewhat intuitive in hindsight (more capable = more exploitable). Not surprising or contrarian by current standards." 496 }, 497 "fear_safety": { 498 "score": 2, 499 "justification": "Raises legitimate concern about LLM security vulnerabilities and the capability-vulnerability tradeoff, but threat landscape has evolved significantly since 2022." 500 }, 501 "drama_conflict": { 502 "score": 0, 503 "justification": "Straightforward technical paper with no controversy, debate, or dramatic narrative element." 504 }, 505 "demo_ability": { 506 "score": 1, 507 "justification": "Code and data not clearly released; code references are to Jupyter notebooks on outdated models. Difficult for practitioners to reproduce or try." 508 }, 509 "brand_recognition": { 510 "score": 1, 511 "justification": "NYU authors with no major lab affiliation or institutional prestige signal. Limited brand recognition compared to papers from OpenAI, Anthropic, DeepMind, etc." 512 } 513 }, 514 "hn_data": { 515 "threads": [ 516 { 517 "hn_id": "44784297", 518 "title": "GHz spiking neuromorphic photonic chip with in-situ training", 519 "points": 115, 520 "comments": 18, 521 "url": "https://news.ycombinator.com/item?id=44784297", 522 "created_at": "2025-08-04T11:21:05Z" 523 }, 524 { 525 "hn_id": "27945298", 526 "title": "PettingZoo: Gym for Multi-Agent Reinforcement Learning", 527 "points": 2, 528 "comments": 0, 529 "url": "https://news.ycombinator.com/item?id=27945298", 530 "created_at": "2021-07-24T23:33:19Z" 531 }, 532 { 533 "hn_id": "44650583", 534 "title": "Safety Evaluations of 20 LLMs", 535 "points": 1, 536 "comments": 1, 537 "url": "https://news.ycombinator.com/item?id=44650583", 538 "created_at": "2025-07-22T17:41:42Z" 539 }, 540 { 541 "hn_id": "46944301", 542 "title": "The Case for Contextual Copyleft: Licensing Open Source Training Data and Gener", 543 "points": 1, 544 "comments": 0, 545 "url": "https://news.ycombinator.com/item?id=46944301", 546 "created_at": "2026-02-09T11:59:40Z" 547 }, 548 { 549 "hn_id": "44672638", 550 "title": "Promptomatix: An Automatic Prompt Optimization Framework for LLMs", 551 "points": 1, 552 "comments": 0, 553 "url": "https://news.ycombinator.com/item?id=44672638", 554 "created_at": "2025-07-24T16:26:59Z" 555 }, 556 { 557 "hn_id": "43587253", 558 "title": "Generating Medically-Informed Explanations for Depression Detection Using LLMs", 559 "points": 1, 560 "comments": 0, 561 "url": "https://news.ycombinator.com/item?id=43587253", 562 "created_at": "2025-04-04T20:23:31Z" 563 }, 564 { 565 "hn_id": "43484067", 566 "title": "Stealthy Cross-Origin Context Poisoning Attacks Against AI Coding Assistants", 567 "points": 1, 568 "comments": 0, 569 "url": "https://news.ycombinator.com/item?id=43484067", 570 "created_at": "2025-03-26T16:38:02Z" 571 } 572 ], 573 "top_points": 115, 574 "total_points": 122, 575 "total_comments": 19 576 } 577 }