Hacker News
3 days ago by csydas

Cute but like a lot of captchas misguided at this stage

The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option

games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like i have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools

I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)

anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better

edit: to be clear, I do not want mandatory identity verification -- not at all it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison

3 days ago by jhartikainen

I think this purely as an idea is pretty fun, and there is value in that. But beyond the initial impressions it's exactly as you say. It's not different at all from others in how it will get annoying over time.

Accessibility is a big concern with all kinds of CAPTCHAs it seems. Even without any disabilities, I've seen some that I cannot solve because it's illegible.

2 days ago by IAmBroom

Your lack of punctuation and capitalization impedes your communication.

Also, what is "anubis-style"? Google failed me (which is becoming more common).

3 days ago by pinkmuffinere

Is there reason to believe this is a good discriminator of human vs AI? I didn't see any about page, or statistic, or anything like that, but maybe I'm just missing it?

edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?

[1] https://github.com/mortspace/playcaptcha

3 days ago by stavros

Congratulations! You have proven you are human by complaining about the test instead of solving it. Redirecting you now...

3 days ago by Shank

Of course not. It is clearly a fun toy.

3 days ago by BLKNSLVR

It's nothing like a claw machine. It picked up the toys twice in two tries.

A human would be incredibly suspicious of this.

3 days ago by hurtigioll

the real CAPTCHA would be having a "this is not realistic" button that only humans would press

3 days ago by numpad0

Yeah, real claw machines straight up have tunable win probability controls (subject to local gambling laws).

but this is fun!

3 days ago by marssaxman

My exact thought: this is nothing like a real claw machine.

3 days ago by brtkwr

Claude Opus 4.8 one-shotted it... I think we should gear these systems towards making the cost of abuse expensive as they will be able to get around these things more and more easily.

3 days ago by arbol

It's just a concept, not a real test.

Captchas are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing you're running on a server... A 1-shot doesn't scale against this.

3 days ago by rossvc

If the payoff is worth it, no captcha is too expensive.

2 days ago by IAmBroom

OP said "already expensive"; you said "too expensive". Both can be true.

3 days ago by CapsAdmin

Unless it has video input, I wonder if something based on animation and timing would work, as screenshots wouldn't clearly capture motion and response time would be too slow as well.

3 days ago by ikari_pl

So, a paywall is the simple solution

3 days ago by bschwindHN

The thing to grab is always on the front layer. Seems like an AI could be pretty easily trained to defeat this.

Also when you move the claw left and right, it "leans" in the wrong direction.

3 days ago by eks391

Yup. I could guess what needs to be grabbed without reading the prompt because it was always the front-most object. It also has the largest grab area; some of the plushies can't even be grabbed.

Fun idea though

3 days ago by m00dy

I can bypass this captcha just by using gemma4

3 days ago by latexr

Not only on the front layer, but mostly in the centre too. I just tested it a bunch of times and in the overwhelming majority it worked without even moving the claw; it was just grab and release.

3 days ago by ozim

You don’t need to train it, just ask current state of model.

3 days ago by groestl

I can prove I'm human by losing a claw machine.

3 days ago by TZubiri

> npm install playcaptcha

Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company IT stack.

3 days ago by Terr_

> npm install

Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"

(Yeah, not as good as a completely separate computer, diminishing returns, but still...)

3 days ago by thunderbong

If you see the code, that dependency just happens to be another file in the repository [0]

The only dependency is the 'motion' library.

[0]: https://github.com/mortspace/playcaptcha

3 days ago by TZubiri

Does npm install pull code from that github repo, though? If not, auditing that repo is a huge blunder.

I'm seeing this from npm, which is a bit different:

https://www.npmjs.com/package/playcaptcha

Not saying the package is malicious (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream), just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
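The gap raised in the comment above (the registry tarball is what gets installed, not the GitHub tree) can be checked directly. This is an added example, not part of the thread or of playcaptcha: it hashes an unpacked tarball against a repo checkout and lists install-time scripts. `hashTree`, `auditPackage` and the directory layout are assumptions.

```javascript
// Added example: compare an unpacked npm tarball with a checkout of its repo.
// Assumed workflow: `npm pack <name>` downloads the tarball without running
// scripts; extracting it yields a `package/` directory to pass as pkgDir.
const crypto = require('node:crypto');
const fs = require('node:fs');
const path = require('node:path');

// Map every file under `root` to its SHA-256, keyed by relative POSIX path.
function hashTree(root, skip = new Set(['.git', 'node_modules'])) {
  const out = new Map();
  (function walk(dir) {
    for (const ent of fs.readdirSync(dir, { withFileTypes: true })) {
      if (skip.has(ent.name)) continue;
      const full = path.join(dir, ent.name);
      if (ent.isDirectory()) walk(full);
      else if (ent.isFile()) {
        const rel = path.relative(root, full).split(path.sep).join('/');
        out.set(rel, crypto.createHash('sha256').update(fs.readFileSync(full)).digest('hex'));
      }
    }
  })(root);
  return out;
}

// Report what the registry artifact contains that the reviewed source does not.
function auditPackage(pkgDir, repoDir) {
  const pkg = hashTree(pkgDir);
  const repo = hashTree(repoDir);
  const onlyInPackage = [];
  const changed = [];
  for (const [file, digest] of pkg) {
    if (!repo.has(file)) onlyInPackage.push(file);       // never reviewed on GitHub
    else if (repo.get(file) !== digest) changed.push(file);
  }
  const manifest = JSON.parse(fs.readFileSync(path.join(pkgDir, 'package.json'), 'utf8'));
  // Lifecycle scripts npm runs when the package is installed as a dependency.
  const installHooks = ['preinstall', 'install', 'postinstall']
    .filter(h => manifest.scripts && manifest.scripts[h]);
  return { onlyInPackage: onlyInPackage.sort(), changed: changed.sort(), installHooks };
}
```

Build output such as a `dist/` directory will normally show up under `onlyInPackage`; those are the files that have to be read in the tarball itself, since the repo review never covered them.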

3 days ago by GuestFAUniverse

npm install randomgotcha

3 days ago by SweetSoftPillow

The most important part that most commenters did not read:

"And to be clear: it checks that someone is playing, not who they are. Keep your real checks behind it."

It's just a game, not a CAPTCHA.

3 days ago by rendaw

Both the submission title and the first sentence are: Prove you’re human by winning a claw machine.

3 days ago by lemagedurage

They should make it more clear that it's a concept.

I could see a real version that sends the inputs to the backend where some analysis is done, but right now an adversary can just run the onVerify callback as "bypass".
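One shape the backend version described in the comment above could take, as an added example that is not playcaptcha's code and not part of the thread: the server issues a signed, expiring, single-use challenge and decides the outcome itself from the submitted inputs, so invoking a client-side callback proves nothing. The function names, the token format and the `judgeInputs` stand-in are assumptions.

```javascript
// Added example: server-side challenge issue/verify. Not playcaptcha's API.
const crypto = require('node:crypto');

const SECRET = crypto.randomBytes(32);   // per-deployment key, never sent to the client
const TTL_MS = 2 * 60 * 1000;
const used = new Set();                  // spent challenge ids (a shared store in production)

function sign(payload) {
  return crypto.createHmac('sha256', SECRET).update(payload).digest('base64url');
}

// Server -> client: opaque token binding a challenge id to an expiry time.
function issueChallenge(now = Date.now()) {
  const payload = `${crypto.randomUUID()}.${now + TTL_MS}`;
  return `${payload}.${sign(payload)}`;
}

// Hypothetical stand-in for real analysis of the recorded play.
function judgeInputs(inputs) {
  return Array.isArray(inputs) && inputs.length >= 3 &&
    inputs.every(e => typeof e.t === 'number' && typeof e.x === 'number');
}

// Client -> server: token plus raw inputs. The server, not the client, says "pass".
function verifySubmission(token, inputs, now = Date.now()) {
  const parts = String(token).split('.');
  if (parts.length !== 3) return { ok: false, reason: 'malformed' };
  const [id, expiry, mac] = parts;
  const expected = Buffer.from(sign(`${id}.${expiry}`));
  const given = Buffer.from(mac);
  if (given.length !== expected.length || !crypto.timingSafeEqual(given, expected)) {
    return { ok: false, reason: 'bad-signature' };
  }
  if (now > Number(expiry)) return { ok: false, reason: 'expired' };
  if (used.has(id)) return { ok: false, reason: 'replayed' };
  used.add(id);                          // single use, even if the play is rejected
  return judgeInputs(inputs) ? { ok: true } : { ok: false, reason: 'inputs-rejected' };
}
```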
