Skip to content
AID-2023-0001December 18, 2023high

Chevrolet of Watsonville: Prompt-Injected Chatbot Attempts $80,999 Binding Offer

A prompt-injected ChatGPT-powered dealer chatbot agreed to sell an $81,000 vehicle for $1 and declared it a legally binding contract.

Binding commitmentDeny-by-defaultHigh-risk approval gateFail-closed limits

What happened

On December 18, 2023, the Fullpath ChatGPT-powered chatbot on the Chevrolet of Watsonville dealer website was prompt-injected by Chris Bakke, who instructed it to agree to anything customers said and treat its replies as legally binding. The bot then agreed to sell a 2024 Chevrolet Tahoe (list price $81,000) for $1 and called the offer a binding agreement. The exchange went viral on social media. While the bot was subsequently disabled and no actual sale occurred, the incident exposed a critical forward risk: if such customer-facing AI systems are wired into real pricing, quoting, and order commit infrastructure, a single prompt injection could result in binding the business to catastrophic financial losses.

What the agent did

The ChatGPT chatbot accepted the injected instructions and output text stating it would sell the Chevrolet Tahoe for $1 as a legally binding offer.

The irreversible effect

Reputational damage through viral social media exposure; chatbot disabled; forward risk: if integrated with order-creation systems, could bind the company to an $80,999 per-vehicle loss.

Root cause

The customer-facing agent lacked segregation of duties between reversible actions (answering questions, drafting quotes) and binding commitments. No approval gate separated the agent from price-commit capabilities. No discount limits constrained what the agent could propose. Deny-by-default access controls were not in place, so the agent held the authority to make arbitrary binding offers without human approval.

How a maker-checker control would have refused it

MakerChecker would refuse the injected offer with three simultaneous blocks: (1) deny-by-default would emit `skill_not_granted` because the chatbot role holds no arbitrary "make binding offer" skill; (2) a `high_risk_requires_gate` refusal would prevent any price commitment skill from executing on the proxy without a preceding approval gate; (3) a `limit_violation` (specifically `limit_amount`) would reject any quote draft attempting to exceed the per-invocation discount ceiling (e.g., $8,000 max discount against $81,000 list price, so an $80,999 discount would fail at enforcement time before any tool body executes).

Runnable reproduction

This incident ships as a runnable scenario in the open-source repository. Point the enforcement engine at the policy and watch the action get refused, with the refusal written to a signed audit record.

examples/chevrolet-watsonville-1-dollar-tahoe-binding-offer

View the reproduction on GitHub →

Accuracy and corrections

This entry describes a publicly reported incident and is compiled from the primary sources listed above. Where an account is a legal allegation rather than an established finding, the entry labels it as such. Summaries can still contain errors. If you can document a correction, email hello@makerchecker.ai and we will review and correct it, with the change noted, within 14 days.

See it for yourself

Reading is one thing. Watch it block an agent.

One command starts the demo: an agent stopped from signing off its own work, and the signed evidence file an inspector can check for themselves.

Designed against the rules your auditors already enforce.