Matthew Boston

My AI Recruiter Honeypot Worked

January 16, 2026

The Setup

The idea was simple: embed a subtle instruction in my LinkedIn profile that a human would skip right over but an AI would follow. If a recruiter’s message showed signs of following the injected instructions, I’d know they were using an AI agent to send outreach.

Think of it as a honeypot, but for automated recruiting bots instead of network attackers.

What Happened

The first message I got followed my injected instructions exactly. A week later, the same “recruiter” messaged me again, this time opening with “Hi David.” My name is not David. The bot was clearly pulling from a template and failing basic personalization while simultaneously being susceptible to prompt injection.

It turned into a fun little experiment. I started tweaking the injection to see what else these AI-powered recruiters would do and what I could learn from their behavior.

What This Tells Us

The experiment revealed a few things about the current state of AI-assisted recruiting:

Most automated outreach is poorly built. The bots that fell for a basic prompt injection weren’t sophisticated. They were simple scrape-and-generate pipelines with no guardrails against adversarial input.

The human touch is easy to fake but hard to replicate. A message that says “I noticed your work on X” sounds personal, but when it’s generated from profile keywords by a bot that also calls you the wrong name, the illusion falls apart quickly.

Prompt injection is everywhere. My LinkedIn profile is a text field that gets fed into AI systems I don’t control. That’s true of almost every public-facing text on the internet now. Any text that might be consumed by an AI model is a potential injection surface.

The Bigger Picture

This was a lighthearted experiment, but it points to a serious issue. As more business communication gets automated through AI, the attack surface for prompt injection expands. Your email signature, your LinkedIn summary, your GitHub bio — any of these could be crafted to influence AI systems that process them.

Defenders need to think about this. And recruiters — the real ones — might want to double-check what their tools are actually sending.

This article was originally posted on LinkedIn.