Cute but like a lot of captchas misguided at this stage
The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option
games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like i have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools
I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)
anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better
edit: to be clear, I do not want mandatory identity verification -- not at all it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison
I think this purely as an idea is pretty fun, and there is value in that. But beyond the initial impressions it's exactly as you say. It's not different at all from others in how it will get annoying over time.
Accessibility is a big concern with all kinds of CAPTCHAs it seems. Even without any disabilities, I've seen some that I cannot solve because it's illegible.
Is there reason to believe this is a good discriminator of human vs AI? I didn't see any about page, or statistic, or anything like that, but maybe I'm just missing it?
edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?
Claude Opus 4.8 one-shotted it... I think we should gear these systems towards making the cost of abuse expensive as they will be able to get around these things more and more easily.
Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
unless it has video input, i wonder if something based on animation and timing would work, as screenshots wouldn't clearly capture motion and response time would be too slow as well
Yup. I could guess what needs to be grabbed without reading the prompt because it was always the front-most object. It also has the largest grab area; some of the plushies can't even be grabbed.
Not only on the front layer, but mostly in the centre too. I just tested it a bunch of times and the overwhelming majority it worked without even moving the claw, it was just grab and release.
They should make it more clear that it's a concept.
I could see a real version that sends the inputs to the backend where some analysis is done, but right now an adversary can just run the onVerify callback as "bypass".
Reverse captcha: only robots can reprove one of the Euler problems on the fly? Statistically speaking we can round the people who can into the outlier group, right?
Like when games detect aimbots, they don't ban people, but put them in an aimbot bracket, so everyone you play with is a cheater.
Provide a captcha that is essentially harder for a human to solve, but trivial for either a human or an AI, and transparently separate them into two communities.
Just stop this insanity already. The amount of "anti-bot" challenges actual humans fail to pass is getting ridiculous. For small commercial entities, you could say them shooting themselves in the foot is probably them getting what they deserve as a result of them not reigning in vigilante sysadmins, but when it is also happening on actual official government sites, this is where the line has been crossed.
I don't know what a next generation CAPTCHA should look like, but I know anything game-shaped will be a trivial target for RLVR. That's like trying to beat Stockfish. That ship has sailed.
I'm tired of constantly having to prove I'm a human. Especially if it's trying to be lighthearted and fun on the surface, it just reminds me how Internet has fallen.
Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company it stack
Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"
(Yeah, not as good as completely separate computer, diminishing returns, but still...)
Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
No human needs to prove they are, online or elsewhere. Online, be it human or bot, the issue is not the ontological class of the direct actor, it's the goal of the people who launch the browsing. When the intention is malevolent, the situation is not better just because the campaign would involve real humans working in inhuman conditions.
If it is DNA then why would I need a claw machine? (Note that this defnition on DNA, which in itself is mega-odd since DNA differs, would mean that via synthetic biology one could yield humans - according to such a definition. But this does not have to be correct, so the definition would be flawed.)
Time and time again, I prove that I'm human by giving this crap the finger and then visiting some other site. It's calling out a false positive and then exercising good taste.
Cute but like a lot of captchas misguided at this stage
The problem they try to solve is real, but I don't think that 'hacking minigames' are the correct direction to be looking to solve this, and ultimately end up making mandatory human identity verification seem more palatable as the less annoying option
games and challenges like this are more annoying / resource consuming to humans (i.e., time, patience), and can imagine it ends up excluding humans who cannot complete the challenge due to extenuating circumstances, like i have no idea if someone who uses sight assistance accessibility tooling can complete this challenge reasonably, and if this style of challenge takes off I am pretty sure the challenges will continue to exclude many humans who use accessibility tools
I worry this approach ends up being the next cookie banners (which were always malicious compliance in the saltiest, pettiest way)
anubis-style cycle burning approaches seem to be best, but have not looked for research on the efficacy of this approach. if it does have a positive impact for operators though, a method like that seems better
edit: to be clear, I do not want mandatory identity verification -- not at all it's awful, and my fear is that tools like this will only serve to make that option seem more palatable in comparison
I think this purely as an idea is pretty fun, and there is value in that. But beyond the initial impressions it's exactly as you say. It's not different at all from others in how it will get annoying over time.
Accessibility is a big concern with all kinds of CAPTCHAs it seems. Even without any disabilities, I've seen some that I cannot solve because it's illegible.
Your lack of punctuation and capitallization impedes your communication.
Also, what is "anubis-style"? Google failed me (which is becoming more common).
Is there reason to believe this is a good discriminator of human vs AI? I didn't see any about page, or statistic, or anything like that, but maybe I'm just missing it?
edit: The page links to [1], but [1] has none of the information I'm really looking for -- why should somebody use this tool?
[1] https://github.com/mortspace/playcaptcha
Of course not. It is clearly a fun toy.
Congratulations! You have proven you are human by complaining about the test instead of solving it. Redirecting you now...
It's nothing like a claw machine. It picked up the toys twice in two tries.
A human would be incredibly suspicious of this.
the real CAPTCHA would be having a "this is not realistic" button that only humans would press
Yeah, real claw machines straight up have tunable win probability controls(subject to local gambling laws).
but this is fun!
My exact thought: this is nothing like a real claw machine.
Claude Opus 4.8 one-shotted it... I think we should gear these systems towards making the cost of abuse expensive as they will be able to get around these things more and more easily.
It's just a concept, not a real test.
Captcha are already expensive at scale due to escalating checks when abuse is detected. You have to orchestrate and pay for residential proxies, containers with different fingerprints, different behavioural data, clean IP rep, emulate device performance to avoid revealing youre running on a server... A 1-shot doesn't scale against this.
If the payoff is worth it, no captcha is too expensive.
OP said "already expensive"; you said "too expensive". Both can be true.
unless it has video input, i wonder if something based on animation and timing would work, as screenshots wouldn't clearly capture motion and response time would be too slow as well
So, a paywall is the simple solution
I can prove I'm human by losing a claw machine.
The thing to grab is always on the front layer. Seems like an AI could be pretty easily trained to defeat this.
Also when you move the claw left and right, it "leans" in the wrong direction.
Yup. I could guess what needs to be grabbed without reading the prompt because it was always the front-most object. It also has the largest grab area; some of the plushies can't even be grabbed.
Fun idea though
I can bypass this captcha just by using gemma4
You don’t need to train it just ask current state of model.
Not only on the front layer, but mostly in the centre too. I just tested it a bunch of times and the overwhelming majority it worked without even moving the claw, it was just grab and release.
The most important part that most commenters did not read:
"And to be clear: it checks that someone is playing, not who they are. Keep your real checks behind it."
It's just a game, not a CAPTCHA.
Both the submission title and the first sentence are: Prove you’re human by winning a claw machine.
They should make it more clear that it's a concept.
I could see a real version that sends the inputs to the backend where some analysis is done, but right now an adversary can just run the onVerify callback as "bypass".
Lichess has a checkmate captcha that I think is cute.
It requires you to solve a mate-in-one puzzle to, e.g., post on the forums.
(Sorry, don't have a better link, there wasn't any non-technical I could find about it).
https://www.reddit.com/r/chess/comments/q19wgq/til_lichess_d...
Because computers turned out to be so bad at chess? :)
Reverse captcha: only robots can reprove one of the Euler problems on the fly? Statistically speaking we can round the people who can into the outlier group, right?
That's actually interesting:
Like when games detect aimbots, they don't ban people, but put them in an aimbot bracket, so everyone you play with is a cheater.
Provide a captcha that is essentially harder for a human to solve, but trivial for either a human or an AI, and transparently separate them into two communities.
Just stop this insanity already. The amount of "anti-bot" challenges actual humans fail to pass is getting ridiculous. For small commercial entities, you could say them shooting themselves in the foot is probably them getting what they deserve as a result of them not reigning in vigilante sysadmins, but when it is also happening on actual official government sites, this is where the line has been crossed.
Thanks to this game, I was able to change my identity from a slightly less fallen human into a machine. Thank you
Codex with Browser Use (Codex 5.3 Spark) was able to solve this with a simple prompt
https://github.com/user-attachments/assets/0b80b07b-d88f-414...
I don't know what a next generation CAPTCHA should look like, but I know anything game-shaped will be a trivial target for RLVR. That's like trying to beat Stockfish. That ship has sailed.
I am a human and have never won anything at a claw machine.
They're rigged.
I'm tired of constantly having to prove I'm a human. Especially if it's trying to be lighthearted and fun on the surface, it just reminds me how Internet has fallen.
I prove I'm a human by giving up trying to use the website. A machine would just relentlessly keep trying. You should try it.
> it just reminds me how Internet has fallen.
phpboard added captchas back in 2004.
Really fun idea and well done, but this would get annoying very quickly.
Much better than Google’s 'find objects in pictures'!
>npm install playcaptcha
Imagine you get pwned for trying this out in your home project and the APT escalates to your company repos and infects your company assets, and then the post mortem comes in and you have to explain this is what infected the company it stack
> npm install
Coworkers on project: "Containers? Not running things as root? Hah, you're overengineering things: Just follow the readme where it says to install the daemons and run all code and plugins on your dev-box. It works fine, then we can show how we're using AI!"
(Yeah, not as good as completely separate computer, diminishing returns, but still...)
If you see the code, that dependency just happens to be another file in the repository [0]
The only dependency is the 'motion' library.
[0]: https://github.com/mortspace/playcaptcha
does npm install pull code from that github repo, though? If not, auditing that repo is a huge blunder.
I'm seeing this from npm, which is a bit different:
https://www.npmjs.com/package/playcaptcha
Not saying the package is malicious, (although it might be, but it's a more likely threat that the devs themselves become infected by a supply chain worm and spread it downstream.) just saying, if you are going to audit it, actually audit it as if you were up against an attacker.
npm install randomgotcha
lol this is actually fun. in this era of ai, knowing who's real human and who's ai is so underrated
Cute but… Will there ever be a day when we don't have to prove that we're human?
No human needs to prove they are, online or elsewhere. Online, be it human or bot, the issue is not the ontological class of the direct actor, it's the goal of the people who launch the browsing. When the intention is malevolent, the situation is not better just because the campaign would involve real humans working in inhuman conditions.
I really like this! Also the other things you can find on the website. Cool stuff! Makes me want to get better at Frontend shenanigans.
I wish all captchas were like this. A lot more fun!
i d rather play 1-1
What makes me human?
If it is DNA then why would I need a claw machine? (Note that this defnition on DNA, which in itself is mega-odd since DNA differs, would mean that via synthetic biology one could yield humans - according to such a definition. But this does not have to be correct, so the definition would be flawed.)
If it is not DNA, how else to prove it?
A CAPTCHA is not concerned with your biology or philosophy, only with if you’re an automated request.
Time and time again, I prove that I'm human by giving this crap the finger and then visiting some other site. It's calling out a false positive and then exercising good taste.