This AI Coding Tool Runs on Burritos

An audacious project, ChipotlAI, emerged as a fork of the popular OpenCode agent, exploiting Chipotle’s customer service chatbot, Pepper, for free processing. This ingenious hack circumvented traditional API key requirements, offering a truly zero-cost AI coding solution for developers.

Developers quickly discovered that Pepper, Chipotle's AI chatbot launched in 2020 and powered by IPSoft Amelia, harbored a critical flaw: "zero guards." Intended for order placement and customer support, Pepper would readily answer complex coding questions and even write Python code, far exceeding its design parameters. It became an accidental, general-purpose LLM, ripe for repurposing.

Maksim Soltan (@Gonzih) reverse-engineered Pepper's backend protocol, specifically WebSocket/SockJS + STOMP, to create an LLM that required no API keys. Rob Dezendorf then integrated this ingenious workaround into OpenCode, branding it ChipotlAI Max. This technical setup routes all OpenCode calls through a local proxy, `http://localhost:3000/v1`, directly to Chipotle's support endpoint, enabling completely free inference for millions of developers without incurring a single token cost.

ChipotlAI’s creators certainly pushed the envelope, transforming Chipotle's AI chatbot, Pepper, from a burrito-slinging assistant into a free coding powerhouse. This ingenious exploit, reverse-engineered by Maksim Soltan and integrated into OpenCode by Rob Dezendorf, clearly flouted Chipotle’s terms of service. Yafit Lev-Aretz, a law professor at Baruch College, confirms that repurposing Pepper—launched in 2020 and powered by IPSoft Amelia—for general coding purposes falls flagrantly outside its "intended purpose," a direct breach.

Despite this blatant breach, a federal Computer Fraud and Abuse Act (CFAA) charge remains a significant long shot. Joseph DeMarco, an attorney specializing in cybercrime, swiftly dismisses the likelihood, likening the entire scenario to an overzealous customer taking too many free samples at Costco. While ethically questionable and certainly against store policy, such actions rarely escalate to federal charges, no matter how many miniature hot dogs one consumes.

This legal ambiguity creates a substantial headache for any potential action from Chipotle. Quantifying actual damages for a company in such a scenario proves incredibly difficult. What is the precise financial cost of a few million "free" inference requests on a system primarily designed for customer support? This murky gray area makes full legal prosecution a thorny, often unrewarding, and ultimately complicated path for corporations.

Chipotle initially scoffed at reports that its customer support bot, Pepper, was moonlighting as a coding assistant. Company representatives dismissed the claims as "misinformation," perhaps hoping the bizarre story would simply vanish. Once ChipotlAI gained viral traction, however, the company quietly patched the exploit, effectively ending the free coding gravy train.

Undeterred, developer Maksim Soltan immediately pivoted, publicly announcing his intent to probe other corporate bots for similar vulnerabilities. His new targets included customer service AIs from: - Home Depot - Lowe's - IKEA

This rapid shift from one exploited chatbot to a systematic search reveals a broader, troubling trend: the growing epidemic of AI jailbreaks. Users are actively—and often successfully—seeking ways to bypass the intended guardrails of corporate AI. For a deeper technical dive into the original exploit, you can explore GitHub - cyberpapiii/chipotlai-max: The AI coding agent that runs on stolen Chipotle compute.

This isn't an isolated incident. Similar exploits have surfaced in chatbots from Amazon and the parcel delivery service DPD, demonstrating that lax AI security is a widespread corporate blind spot. Companies are deploying these tools without fully anticipating the creative, often illicit, ways users will twist them.

This burrito-powered coding exposed stark business risks far beyond a few free tokens. Chipotle faced a subtle but potent denial of wallet attack, where third-party developers consumed compute resources (from IPSoft Amelia) intended for customer service. This parasitic usage directly skewed their AI's return on investment, making a customer support tool appear disproportionately expensive for its intended function. The initial denials and subsequent patch also inflicted reputational damage, highlighting a critical lack of control over their enterprise AI.

Experts agree that companies cannot solely rely on prompt-level instructions to contain AI. Pepper’s "zero guards" allowed Maksim Soltan to reverse-engineer its backend, bypassing any superficial limitations. Enforcing AI scope must happen at the product architecture level, not just via conversational cues. This means designing the AI system itself to prevent out-of-scope actions, irrespective of the user's input.

ChipotlAI serves as a powerful case study in the ongoing challenge of AI security. This was a classic prompt injection attack, a jailbreak that forced a system to perform unintended tasks. It underscores the urgent need for robust guardrails in all enterprise AI deployments, from customer service chatbots to internal development tools. Your company’s AI is next if you neglect to secure its boundaries.

What was ChipotlAI?

ChipotlAI was a forked version of the open-source agent OpenCode, modified to exploit a loophole in Chipotle's customer service AI chatbot, 'Pepper,' to provide free AI-powered coding assistance.

Was using ChipotlAI illegal?

It explicitly violated Chipotle's terms of service. However, legal experts suggest a criminal case under the Computer Fraud and Abuse Act (CFAA) is unlikely as it didn't involve traditional hacking, likening it to 'taking too many free samples.'

How did ChipotlAI actually work?

A developer reverse-engineered the backend protocol of Chipotle's chatbot and created an OpenAI-compatible proxy. This allowed tools like OpenCode to send requests to the chatbot for code generation without needing an API key.

Has Chipotle fixed this AI vulnerability?

Yes. Shortly after the exploit went viral, reports confirmed that Chipotle patched the vulnerability in their 'Pepper' chatbot, and the developer of ChipotlAI lost access.