Calabi Labs · Guide · 2026-06-18
The search query "Show HN black box API bug detection across 7 AI systems" points to a real June 2026 Hacker News post by KushoAI — a comparative benchmark called APIEval-20 that tested seven AI systems on their ability to find functional bugs in APIs using only black-box testing (no source code access). Calabi is unrelated to that benchmark — it's a metadata-cleaning tool for AI-generated images and video — so this page will connect the dots honestly: what that benchmark found, what it means for AI developers and API teams, and where Calabi fits if you're publishing AI-generated content that needs to pass platform detection.
The KushoAI team posted their results on Hacker News in early June 2026. They built APIEval-20: 20 real-world test scenarios across 7 API domains, each requiring black-box bug detection — meaning the AI agent only sees the API schema, can send requests, and has to infer what's broken from inputs, outputs, and error behavior. No source code, no internal logic.
The seven AI systems tested included general-purpose LLMs and dedicated coding agents. The split was stark:
The HN thread reaction was immediate and pointed. Top comments noted that generating lots of test cases is easy; generating test cases that actually find bugs is hard. Several users compared it favorably to SWE-bench, which tests AI on fixing bugs in open-source repos — APIEval-20 tests the harder problem of finding bugs in the first place.
White-box testing gives you source code. You can read a function, trace the logic, and know exactly what conditions trigger a bug. Black-box testing gives you nothing except an endpoint, a schema, and the ability to send payloads and observe responses.
The fundamental problem is coverage vs. correctness. An AI can generate hundreds of test payloads quickly — but knowing which ones will expose a real bug requires understanding the business logic that isn't in the schema. For example:
type: string with a regex pattern might silently reject certain Unicode ranges only in specific combinations with other fields.These are exactly the kinds of bugs that cause production incidents. The benchmark's findings suggest that current AI systems — even purpose-built coding agents — still miss the majority of this class.
The 76% detection rate for KushoAI versus 34% for general-purpose LLMs is the headline number, but the more interesting signal is the gap between simple and complex bug detection. AI tooling has gotten genuinely good at generating plausible test suites quickly. What it hasn't cracked is knowing which tests to write when the failure mode is non-obvious, context-dependent, or only visible across multiple API calls in sequence.
For engineering teams, the practical takeaway is that AI-assisted API testing is useful as a first pass — it finds the low-hanging fruit — but you still need human judgment for anything involving business logic, stateful workflows, or cross-endpoint side effects. The benchmark essentially validates what many teams were already doing: use AI to generate coverage, use humans to review for logic gaps.
The KushoAI benchmark is about what AI systems produce — test suites, bug reports. Calabi is about what happens when you publish AI-generated content on platforms that actively scan for it.
If you're building AI-powered tooling — whether that's an API testing agent like KushoAI or a content generation pipeline — and you're publishing outputs publicly, platform detection is a real constraint. Instagram, TikTok, YouTube, and Reddit all run automatic scans that look for signals beyond what's visible in the file itself: cryptographic manifests (C2PA / Content Credentials), XMP metadata tags like DigitalSourceType: trainedAlgorithmicMedia, and encoder fingerprints like Lavc or x264 SEI that are only present in AI-generated video bitstreams.
Calabi strips those invisible signals, injects authentic phone-capture identity (Make, Model, GPS, timestamp, real-phone encoder), and returns a forensic proof card showing exactly what was removed before you download. Whether your AI tool is generating images, video, or API test reports — if the end product is a media file being posted somewhere, the metadata layer matters.
Is the KushoAI benchmark publicly available? The KushoAI team linked to their research page at resources.kusho.ai and described APIEval-20 as 20 scenarios across 7 domains. The full methodology and per-system breakdowns appear to be on their site — worth checking if you want the raw numbers.
Does this mean AI coding tools aren't useful for API testing? Not at all. They find the obvious bugs fast and at scale. The benchmark shows they struggle with complex, logic-dependent bugs — which is exactly where human review still matters. Think of AI as a first-pass coverage tool, not a complete replacement for a QA engineer.
Does Calabi relate to AI detection in API outputs? Calabi operates on image and video files, not API payloads or test reports. If you're publishing AI-generated media alongside your tool's outputs, Calabi handles the file-level metadata that platforms scan — separate from whatever your API or testing pipeline produces.
The KushoAI benchmark is worth reading in full if you're building or evaluating AI coding tools. The headline is clear: AI finds simple API bugs well, complex ones still trip up even the best agents. For AI-generated content that lands on social platforms, the parallel problem is metadata — and that's where Calabi steps in.
Try Calabi free at calabilabs.com — 10 cleans, no card.