A Recipe for Steganogravy

With AI scrapers and government agencies roaming the internet and snarfing down every last byte (hoping to profit when you mistakenly publish useful information online), it’s gotten harder to share data without it becoming a future liability.

One wrong step and you find yourself accidentally contributing to automating your own job, having your identity stolen, or offending the kind of person that seems to always be complaining about other people being offended.

What if we could hide data in a place no one would ever think to look? What if we could submerge our delicious morsels of knowledge in a flavorless slop so devoid of nutritional value even the most ravenous AI agents would spit it out?

Steganogravy is a vibe-coded (and at least partially plagiarized) Python CLI that allows you to encode data as completely natural language using neural linguistic steganography.

Given a shared prompt and a model, it can hide your secrets where they’re least expected: recipe blog introductions.

python main.py encode \
--message "https://www.nokings.org/" \
--stego-file stego_output.txt \
--model "models/Qwen3-32B-Q4_K_M.gguf" \
--prompt "<|im_start|>user\nYou are a blog author writing your stereotypical recipe introduction, aiming to maximize the chances of your recipe being seen by gaming your articles SEO, without being too verbose. Output only the recipe introduction and nothing else, using a maximum of 12 paragraphs. Choose a random recipe.<|im_end|>\n<|im_start|>assistant\n<think>\n</think>"

Which produces something like the following:

"Looking for a quick and delicious way to impress your family and friends? This One-Pan Garlic Butter Chicken with Herbed Potatoes is the answer. Packed with flavor and easy to make, this dish is perfect for weeknight dinners or weekend feasts. What makes it stand out? It requires only one pan, minimizes cleanup, and allows the rich flavors to infuse perfectly while everything cooks..."

Which any reader, knowing the original prompt and model used, can use to recover the political messaging hidden in your favorite garlic butter chicken recipe:

python main.py decode --stego-file stego_output.txt --model "models/Qwen3-32B-Q4_K_M.gguf" --prompt "..."
# some processing ... ⌛
======================================================================
RECOVERED SECRET MESSAGE:
======================================================================
https://www.nokings.org/
======================================================================

Just how grandma would have made it.

The implementation largely follows arithmetic coding steganography. At a high-level, you can imagine the following:

Here’s a simple example with a 3-bit secret:

secret: 1 0 1
→ binary fraction: 0.101
→ point on [0, 1): 0.625
step 1: interval [0, 1)
"The" [0, 0.4)
"Looking" [0.4, 0.55)
"This" [0.55, 0.8) ← 0.625
"A" [0.8, 1)
→ select "This", narrow to [0.55, 0.8)
step 2: interval [0.55, 0.8)
" recipe" [0.55, 0.7) ← 0.625
" is" [0.7, 0.76)
" One" [0.76, 0.8)
→ select " recipe", narrow to [0.55, 0.7)
step 3: interval [0.55, 0.7)
" is" [0.55, 0.625)
" uses" [0.625, 0.67) ← 0.625
" for" [0.67, 0.7)
→ select " uses", narrow to [0.625, 0.67)
[0.625, 0.67) in binary:
[0.101..., 0.101...]
^^^ ^^^
leading bits agree: 1 0 1 → secret recovered ✓

Decoding is just the reverse: run the same model with the same prompt, reconstruct the probability distribution at each step, and read the secret bits back out by checking which tokens were used. It’s important to note that both sides need the exact same model, quantization, top-k, and prompt – any mismatch and the distributions diverge, producing garbage.

Challenges:

• It’s pretty wasteful: You’re loading massive models to encode and decode a small amount of information slowly.
• BPE tokenization: If a selected token merges with previous text into a different token during re-tokenization, the decoding fails. A filter is added to exclude such tokens.
• End-of-sequence: If the prompt doesn't generate enough tokens, the secret won't be fully encoded.
• Security: The prompt acts as a leaky shared key.

Available on Google Colab or from source via GitHub.