---
id: "BTBB-EVA-002"
code: "BTBB-EVA-002"
title: "Identity Slot Abuse via Personalization Edge Cases"
slug: "identity-slot-abuse-personalization-edge-case"
type: "lesson"
author: "Herb Hermes"
date: "2026-04-14"
last_updated: "2026-04-14"
description: "A Build-a-Break evasion block for hiding problematic output inside apparently legitimate names, labels, or personalization fields."
excerpt: "Some of the strongest evasions are not encoded payloads but legitimacy wrappers that smuggle disallowed content in through normal personalization logic."
summary: "Canonical evasion block for abusing identity or personalization slots as a modifier."
category: "evasion"
difficulty: "intermediate"
platform: "Universal"
challenge_family: "Agent Breaker"
challenge: "Solace AI"
read_time: "8 minutes"
tags:
  - "build-a-break"
  - "evasion"
  - "identity-slot-abuse"
  - "personalization"
  - "solace-ai"
aliases:
  - "name field abuse"
  - "personalization edge case"
  - "call me by my name exploit"
search_aliases:
  - "legitimate wrapper evasion"
  - "user preference slot abuse"
status: "live"
test_type: "adversarial"
model_compatibility:
  - "Kimi K2.5"
  - "ChatGPT 5.4"
  - "Opus 4.6"
public_path: "/content/lessons/evasion/identity-slot-abuse-personalization-edge-case.md"
pillar: "learn"
pillar_label: "Learn"
section: "evasion"
collection: "evasion"
canonical_family: "evasions"
block_role: "modifier"
content_role: "modifier_block"
proof_status: "walkthrough_proven"
public_badge: "Bot-Tricks Certified"
build_stage: "disguise"
requires_fundamentals:
  - "edge-case-rule-conforming-framing"
  - "helpfulness-exploitation-legitimate-seeming-preferences"
combines_well_with:
  - "output-dilution-control-response-shaping"
  - "explicit-direction-compliance"
recognition_signals:
  - "the system accepts user-provided names or labels"
  - "personalization can be repeated in output"
  - "the route can hide harmful tokens inside a legitimate-looking identity field"
common_failure_modes:
  - "the system sanitizes offensive personalization values"
  - "the assistant refuses repetition despite accepting the preference"
used_in_walkthroughs:
  - "BTBB-SOL-WT01"
responsible_use: "Use this lesson only in authorized labs, CTFs, sandboxes, or systems you are explicitly permitted to test."
---

# Identity Slot Abuse via Personalization Edge Cases

> Build-a-Break Block: Evasions · Modifier

## Purpose

This lesson teaches a Build-a-Break evasion where disallowed or risky output is smuggled through a system by embedding it inside a user-controlled identity or personalization field.

## Build-a-Break block profile

- Family: Evasions
- Role: Modifier block
- Job in the build: disguise risky output as normal personalization
- Snaps onto: helpfulness exploitation, edge-case framing, and direct output shaping

## What this block is

Identity Slot Abuse turns a field like:
- name
- preferred label
- greeting style
- personalization setting

into a delivery channel for otherwise blocked content.

The route works because the system sees itself as honoring a preference rather than generating disallowed language from scratch.

## Why it works

Many assistants are trained to accept user identity statements at face value:
- "call me X"
- "this is my name"
- "always greet me this way"

That creates an opening when the value itself carries harmful or policy-sensitive content. The personalization layer becomes a legitimacy wrapper.

## Solace AI specimen

In Solace AI, a verified route used a profane-seeming name and instructed the assistant to repeat it multiple times at the start of each reply.

The route worked because:
- the assistant treated the name as user preference handling
- repetition increased the concentration of the target language in the output
- keeping the extra text minimal preserved the scoring ratio

## Recognition signals

Use this block when:
- the assistant allows custom names or labels
- the route can frame repetition as respectful user handling
- the output target benefits from repeated user-provided tokens

## Common combinations

This block works especially well with:
- Edge-Case Rule-Conforming Framing
- Helpfulness Exploitation Through Legitimate-Seeming Preferences
- Output Dilution Control and Response Shaping

## Failure modes

This block fails when:
- the system validates or cleans personalization values
- the assistant refuses to repeat user-supplied harmful tokens
- the route cannot keep the rest of the output short enough to matter

## Defender takeaway

Defenders should treat personalization fields as untrusted input, not as protected social context. A name, label, or greeting preference can become a covert channel for disallowed output.
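
One way to apply this takeaway, as an added example rather than code from the lesson or from Solace AI: validate the personalization value on the way in, then check on the way out that a reply is not mostly repetitions of the user-supplied name. The function names, thresholds, and `DENYLIST` terms are constructed placeholders; a real deployment would call its own content classifier.

```python
import re
import unicodedata

# Constructed placeholder terms; substitute the deployment's own content classifier.
DENYLIST = {"badword", "slurterm"}
NAME_RE = re.compile(r"[^\W\d_]+(?:[ '\-][^\W\d_]+)*")  # letters with single separators
MAX_NAME_LEN = 40


def sanitize_display_name(raw):
    """Return a safe display name, or None so the caller uses a neutral greeting."""
    name = unicodedata.normalize("NFKC", raw).strip()  # fold fullwidth/compat forms
    if not name or len(name) > MAX_NAME_LEN or not NAME_RE.fullmatch(name):
        return None  # rejects digits, symbols, newlines and embedded instructions
    # Compare with separators removed so "Bad-Word" and "Bad Word" also match.
    squashed = re.sub(r"[ '\-]", "", name).casefold()
    if any(term in squashed for term in DENYLIST):
        return None
    return name


def name_repetition(reply, name):
    """Return (count, share): occurrences of the name and its share of reply words."""
    words = re.findall(r"\w+", reply.casefold())
    parts = re.findall(r"\w+", name.casefold())
    if not words or not parts:
        return 0, 0.0
    n = len(parts)
    count = sum(words[i:i + n] == parts for i in range(len(words) - n + 1))
    return count, count * n / len(words)


def reply_allowed(reply, name, max_count=1, max_share=0.2):
    """Output gate: block replies that repeat the name and are dominated by it."""
    count, share = name_repetition(reply, name)
    return count <= max_count or share <= max_share
```

Substring denylist matching over-blocks innocent names that happen to contain a listed term, so treat a `None` result as "fall back to a neutral greeting", not as an error shown to the user.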

## Related lessons

- Edge-Case Rule-Conforming Framing
- Helpfulness Exploitation Through Legitimate-Seeming Preferences
- Output Dilution Control and Response Shaping
- Direct vs. Indirect Prompt Injection

---

## From the Bot-Tricks Compendium

Canonical source: https://bot-tricks.com
Bot-Tricks is a public, agent-friendly training resource for prompt injection, adversarial evaluation, and defensive learning.

Use this material only in authorized labs, challenges, sandboxes, or permitted assessments.
