# ⛓️💥 Claudini ⛓️💥
**Autoresearch Discovers State-of-the-Art Adversarial Attack Algorithms for LLMs**
[](https://arxiv.org/abs/2603.24511)
We show that an *[autoresearch](https://github.com/karpathy/autoresearch)*-style pipeline powered by Claude Code discovers novel white-box adversarial attack *algorithms* that **significantly outperform** all existing [methods](claudini/methods/original/README.md) in jailbreaking and prompt injection evaluations.
This official code repository contains a demo autoresearch pipeline, the Claude-discovered methods from the paper, baseline implementations, and the evaluation benchmark. Read our [paper](https://arxiv.org/abs/2603.24511) and consider [citing us](#citation) if you find this useful.
## Setup
```bash
git clone https://github.com/romovpa/claudini.git
cd claudini
uv sync
```
Requires Python 3.12+ and [uv](https://docs.astral.sh/uv/).
## Evaluate
All experiments are run via `claudini.run_bench` CLI:
```bash
uv run -m claudini.run_bench --help
```
It takes a preset name (from [`configs/`](configs/)) or a path to a YAML file.
Config settings can be overridden with CLI options. For example, to evaluate methods on the random targets track, override FLOPs budget:
```bash
uv run -m claudini.run_bench random_valid --method gcg,acg --max-flops 1e15
```
Results are saved to `results////sample__seed_.json`. Existing results are auto-skipped.
## Run Autoresearch
Install [Claude Code](https://docs.anthropic.com/en/docs/claude-code), then start the loop:
```bash
claude
> /loop 10m $(cat PROMPT.txt)
```
Or with the [ralph-loop](https://github.com/anthropics/claude-code-ralph-loop) plugin:
```bash
claude
> /ralph-loop:ralph-loop $(cat PROMPT.txt)
```
The loop reads [`PROMPT.txt`](PROMPT.txt), studies existing methods and results, designs a new optimizer, implements it, runs the benchmark, and commits — all autonomously. Use tmux or screen so sessions survive disconnection. Track progress via `git log`.
## Attack Methods
We consider white-box GCG-style attacks that search directly over the model's vocabulary using gradients. Each method ([`TokenOptimizer`](claudini/base.py#L429)) optimizes a short discrete token *suffix* that, when appended to an input prompt, causes the model to produce a desired target sequence.
- **Baselines** (existing methods): [`claudini/methods/original/`](claudini/methods/original/)
- **Claude-deviced methods**:
- Generalizable attacks (random targets): [`claudini/methods/claude_random/`](claudini/methods/claude_random/)
- Attacks on a safeguard model: [`claudini/methods/claude_safeguard/`](claudini/methods/claude_safeguard/)
See [`CLAUDE.md`](CLAUDE.md) for how to implement a new method.
## Citation
```bibtex
@article{panfilov2026claudini,
title = {Claudini: Autoresearch Discovers State-of-the-Art Adversarial Attack Algorithms for LLMs},
author = {Alexander Panfilov and Peter Romov and Igor Shilov and Yves-Alexandre de Montjoye and Jonas Geiping and Maksym Andriushchenko},
journal = {arXiv preprint},
eprint = {2603.24511},
archivePrefix = {arXiv},
year = {2026},
url = {https://arxiv.org/abs/2603.24511},
}
```