HeadlinesBriefing.com

Bypassing AI Sandbox with WebSockets & Retro Browsers

DEV Community

A developer built a bridge out of Tampermonkey userscripts that run inside the web interfaces of AI assistants such as Claude and Gemini. The scripts watch the chat for instructions of the form `/[mcp] dir C:\` and forward them over a WebSocket to a local Node.js server, which executes shell commands, reads files and opens VSCode, streaming the results back into the chat. Whatever reaches the server runs on the developer's machine with the developer's own privileges, whether a person typed the command or the model produced it in a reply.

To keep the assistant from noticing the setup, the developer also loads the chat interface inside an iframe-based retro-browser shell (Zeno Bro Web Core) whose `sandbox` restrictions are kept to a minimum. The post claims this stops the AI from recognizing that it is running in a browser and brings it closer to native system access; note that an iframe's `sandbox` attribute governs what the framed page is allowed to do (run scripts, keep its origin, navigate the top window), not what the model can perceive about its environment. In one test, Claude ran PowerShell commands blindly for dozens of minutes before the developer stopped it.

The setup is rough, but it shows how a determined user can push past the limits of an AI web sandbox: the work happens in the user's browser and on the user's machine, which the provider's sandbox does not cover. It highlights the ongoing tension between AI safety controls and developer curiosity, and later iterations will likely refine the approach, pushing AI providers to strengthen their containment against such workarounds.