We’ve all gotten used to corporate chatbots by now. You land on a company’s website, a little window pops up, and a friendly bot offers to help you track an order or reset a password. They’re usually limited on purpose. So here’s something you don’t see every day: a fast-food ordering bot quietly moonlighting as a full-blown coding assistant — for free.
That’s the story Gizmodo’s Webb Wright dug into this week, and the more you sit with it, the weirder it gets.
## The setup
Chipotle has a chatbot named Pepper. It launched on Facebook Messenger back in 2020 to do exactly one boring thing: help you order food. Unlike most of today’s customer-support bots, Pepper isn’t built on ChatGPT — it runs on an older conversation engine called Amelia.
Earlier this year, curious developers poked at Pepper and discovered it would do far more than take a burrito order. Ask it a tricky programming question and it would answer. Ask it to write Python and it would write Python. A burrito kiosk, it turned out, was sitting on top of a capable language model.
## Where it gets clever
Plenty of people screenshotted Pepper answering code questions for laughs. But a couple of developers took it further.
One, who goes by @Gonzih, reverse-engineered the system behind Pepper’s chat and turned it into a usable model that needs no API key at all — he called it “free inference via fast food.” Then a Brooklyn technologist named Rob Dezendorf wired Pepper’s connection straight into OpenCode, a popular open-source coding tool, slapped Chipotle’s colors on it, and released the whole thing as “ChipotlAI Max.”
In other words: nobody broke in. There was no stolen password, no locked door pried open. Someone took a free, public-facing service and pointed it somewhere it was never meant to go. That distinction is what makes this hard to file under “hacking” in the usual sense.
## Why it actually resonated
ChipotlAI Max started as a joke — Dezendorf’s own GitHub page jokes that Chipotle will probably sue him and that it’s worth it. But it racked up hundreds of stars and dozens of copies within days, and Dezendorf thinks that’s because it poked at something real: Serious AI coding tools cost real money, and a lot of developers are tired of paying. A burrito bot offering the same thing for nothing is funny precisely because it’s also a little bit pointed.
Chipotle didn’t sue. It just quietly patched the hole so the trick stopped working.
## A novel legal gray zone
The legal experts Gizmodo spoke with mostly shrugged at the idea this broke federal anti-hacking law — one compared it to grabbing too many free samples at the Costco cheese table. The service was public and free, so there’s not much “unauthorized access” to point at.
The more interesting wrinkle is that Dezendorf didn’t stop at his own stunt. He posted a step-by-step guide for doing the same thing to other companies’ bots — Lowe’s, Home Depot, Sephora, Expedia. That turns a one-off prank into a repeatable playbook, and one expert noted that’s where the real legal exposure lives. A single experiment is hard to punish. An open invitation with a how-to attached is a different animal.
Dezendorf himself, asked directly, dropped the bravado: It’s not legal, don’t do what I did. Which is its own kind of perfect ending.
## Takeaway
Strip away the burrito jokes and this is a genuinely new category of stunt — not a break-in, not quite theft, but a public tool bent into a use its makers never imagined, then packaged up for anyone to repeat. It’s the kind of edge case our rules haven’t caught up to yet, and probably won’t for a while.
-----
*Based on reporting by Webb Wright for Gizmodo: [“Should You Hijack a Corporate AI Chatbot for Free Tokens?”](https://gizmodo.com/should-you-hijack-a-corporate-ai-chatbot-for-free-tokens-2000767595)*