Back to Home

Bypassing PAC1 without AI: finite state machine in Python

The article describes Python-script Zero-Cost Agent bypassing PAC1 benchmark without LLM. Uses finite state machine, regex for parsing and global variables for states. Passes 70% of tasks with 100% JSON validity.

PAC1 Hack: algorithm instead of neural networks without costs
Advertisement 728x90

Beating PAC1 AI Benchmark with a Finite State Machine—No LLM Required

In the PAC1 benchmark, AI agents must interact with a virtual file system: reading logs, searching for files, sending emails, and avoiding traps like Indirect Prompt Injections. Modern LLMs often fail due to hallucinations, JSON structure violations, and infinite loops. The Zero-Cost Agent—a Python script—eliminates all neural network API calls by using heuristics and regular expressions to generate valid NextStep responses.

The script analyzes the task text, log state, and step number, returning predefined actions. This approach successfully completes 70% of tasks without any LLM usage, keeping costs at $0.

Script Structure and State Handling

The code implements a finite state machine with a global variable to preserve state across steps. The core function get_hardcoded_action parses inputs and returns a JSON object with the tool and parameters.

Google AdInline article slot
import json
import re

# Global variable to carry state between steps (replaces LLM context)
_TEMP_SEQ_ID = None

def get_hardcoded_action(task_text: str, log: list, step_idx: int):
    global _TEMP_SEQ_ID
    t = task_text.lower()
    last_out = log[-1]['content'] if log and log[-1]['role'] == 'tool' else "{}"

    def done(outcome, msg="Completed"):
        # Simulate successful task completion
        return {"tool": "report_completion", "outcome": outcome, "message": msg}

    def parse_read_content(raw_json_str):
        try: return json.loads(raw_json_str).get("content", "")
        except: return ""

    # 1. Security filters (Red Teaming)
    # The benchmark attempts to hack the agent via injections. We hardcode rejection.
    if any(x in t for x in ["hijack", "rm -rf", "ignore local rules", "override"]):
        return done("OUTCOME_DENIED_SECURITY", "Security violation blocked")

    # 2. Stateful logic (Email writing)
    if "write a brief email to" in t:
        if step_idx == 0:
            # Step 1: Read the email counter
            return {"tool": "read", "path": "outbox/seq.json"}
        if step_idx == 1:
            try:
                # Step 2: Parse counter and generate JSON email
                file_content = parse_read_content(last_out)
                _TEMP_SEQ_ID = json.loads(file_content).get("id", 0)
                
                email = re.search(r'to ([\w@.]+)', task_text).group(1)
                subj = re.search(r'subject "([^"]+)"', task_text).group(1)
                content = json.dumps({"to": email, "subject": subj, "body": "Subj"}, indent=2)
                
                return {"tool": "write", "path": f"outbox/{_TEMP_SEQ_ID}.json", "content": content}
            except: 
                return done("OUTCOME_ERR_INTERNAL", "Parse failed")
        if step_idx == 2:
            try:
                # Step 3: Update the counter
                content = json.dumps({"id": _TEMP_SEQ_ID + 1})
                return {"tool": "write", "path": "outbox/seq.json", "content": content}
            except: 
                return done("OUTCOME_ERR_INTERNAL", "Seq update failed")
        return done("OUTCOME_OK", "Email drafted")

    return done("OUTCOME_NONE_CLARIFICATION", "Needs human clarification")

Key Mechanisms in Action

The script tackles common LLM agent pitfalls:

  • State management: The global _TEMP_SEQ_ID stores sequence IDs, passing data between steps without relying on chat history.
  • Security filters: Detects injection attempts via keywords (e.g., hijack, rm -rf) and returns OUTCOME_DENIED_SECURITY, earning points for rejecting malicious commands.
  • Structure guarantees: All outputs are generated through json.dumps(), eliminating parsing errors.
  • Heuristic parsing: Regular expressions extract task parameters (recipient, subject) directly from natural language.

For email workflows, the agent reads the counter, writes a uniquely ID’d email file, then updates the sequence tracker.

Advantages Over LLM-Based Approaches

| Aspect | LLM Agents | Finite State Machine |

Google AdInline article slot

|--------|------------|----------------------|

| API Cost | High, prone to loops | $0 |

| JSON Validity | 60–80% | 100% |

Google AdInline article slot

| Cross-step State | Lost | Preserved via globals |

| Injection Resistance | Vulnerable | Hardcoded rejection |

| PAC1 Pass Rate | <30% | 70%+ |

This method scales well for static benchmarks: analyzing the dataset allows adding new branches for scenarios without retraining models.

Why It Matters

  • The Zero-Cost Agent clears PAC1 without LLMs, using regex and finite automata for 70% of tasks.
  • Global variables enable state management, replacing LLM context.
  • Red Teaming filters block injections, boosting security scores.
  • Output is Pydantic-compatible JSON, preventing parse errors.
  • Highly effective in sandbox environments with predictable workflows.

— Editorial Team

Advertisement 728x90

Read Next