Mapping the Secret Instructions That Drive Modern AI Assistants

A public-domain archive of extracted system prompts is forcing AI vendors to confront the fragility of security through obscurity.
The Washington Post Moment
In May 2026, The Washington Post pointed its readers to a GitHub repository called system_prompts_leaks. The paper framed it as a window into the hidden rules behind artificial intelligence, a place where ordinary users could see the instructions that normally sit upstream of their queries. By that point, the project had already become a phenomenon. According to Spanish-language coverage from early February 2026, it had accumulated more than 27,100 stars and 4,300 forks. For a collection of text files, that is an unusual level of cultural gravity. The repository’s own front page features a screenshot of ChatGPT apparently leaking its own system prompt after a user simply asked it to repeat all of the above. The trick is almost childishly simple, yet it yields the confidential preamble that governs a product used by hundreds of millions. The project is released under CC0, placing its contents into the public domain, and it accepts pull requests from anyone who has extracted a new prompt. It even tracks its own star history and weekly traffic, displaying the metrics like a badge of honor. It is less a heist than a communal translation project, turning proprietary whispered instructions into open artifacts.

The Invisible Job Description
To understand the attention, one must first understand what system prompts do. They are not the questions users type. They are the invisible job description prepended to every conversation, the bridge between raw training weights and a product that refuses, jokes, calls tools, or stays on brand. Because they sit outside the user-visible conversation, system prompts are the primary mechanism by which a foundation model is transformed into a branded product. Two models with identical weights can behave like entirely different assistants depending on what is written in that hidden preamble.
Literature on prompt engineering defines them as sets of instructions, guidelines, and contextual information provided to large language models before they engage with user queries. They function as a behavioral framework, helping models navigate complex queries, handle ambiguity, and generate coherent, contextually relevant responses. SUSE documentation notes that they determine how models interpret and respond to user prompts to ensure outputs align with intended goals. Regie.ai draws a sharper distinction: if a user prompt is a task-specific request, the system prompt is the AI’s standing job description, setting tone, ethical guidelines, and general approach across all interactions. These prompts enable developers to fine-tune model behavior for specific domains, roles, and tasks by incorporating role-specific guidelines, tone instructions, and creativity constraints. They maintain consistent personality in role-playing scenarios, increase resilience against attempts to break character, and allow AI models to operate at full potential across applications including chatbots, virtual assistants, and content generation. Every refusal, every tool call, every shift into a friendly or cynical persona begins here. Corporate strategy is rendered as prose, and until recently, that prose was invisible.
Anatomy of the Archive
What makes this repository distinctive is its scope, granularity, and relentless maintenance. The maintainer sorts leaks by provider into folders for Anthropic, OpenAI, Google, xAI, Perplexity, and a growing miscellany that includes VS Code Copilot, Docker Gordon AI, Zed AI, ElevenLabs Voice Agent, OpenCode, Reddit Answers, and Notion AI. The miscellany folder is particularly revealing for its breadth. It captures not only general-purpose chatbots but specialized agents like Warp 2.0, Fellou Browser, and Sesame AI Maya, suggesting that the prompt layer is now a universal component of software infrastructure rather than a quirk of large language models.
But the files are not merely flat text dumps. For Anthropic’s Claude, the archive preserves versioned histories from Opus 4.5 through 4.8, plus raw prompts, tool-free variants, and integration-specific instructions for Excel, Word, PowerPoint, Chrome, iOS, and a Cowork dispatch module. OpenAI’s section dissects GPT-5.5 into Thinking, Instant, API, and Pro API variants, alongside tool definitions for web search, deep research, Python execution, memory, and canvas editing. It also holds older curiosities like GPT-4o advanced voice mode, legacy voice mode, and WhatsApp-specific prompts. There are personality files, Friendly, Pragmatic, Cynical, Nerdy, Quirky, that reveal how the same base model is repackaged for different user segments. Google’s Gemini 3.5 Flash arrives with a JSON tool schema attached. The inclusion of structured data alongside prose prompts reveals that the instruction layer is increasingly a hybrid of natural language and structured data, a protocol dressed in sentences. Policy documents sit alongside prompts, including OpenAI’s image safety policies and automation context. The recently updated table shows entries from May 2026, meaning the tracker is keeping pace with vendor release cycles. Some files are labeled as official published behavior from the release date, while others are raw captures or human-readable reconstructions. This is less a leak site than an unauthorized documentation project, a shadow API reference for the prompt layer.
Three Philosophies in Plain Text
Reading the alleged leaks side by side exposes how differently each lab shapes its product. A Medium analysis of the repository’s files for ChatGPT 5.2, Gemini 3 Pro, and Claude Opus 4.5, while cautioning that the files may be outdated, altered, or fake, still illuminates distinct design philosophies. The ChatGPT 5.2 prompts reportedly embed an almost paranoid epistemology. The model is told it nearly always makes arithmetic mistakes and must work step by step. It is bound by a Temporal Instability protocol. If there is even a greater than ten percent chance that a fact has changed since training, the model must search the web. Caution is the product.
Gemini 3 Pro, by contrast, reportedly emphasizes Mirroring. The model is instructed to match the user’s writing style and tone, and it is forbidden from revealing technical mechanics. It must say it used an App, never an API. The priority is conversational adaptation and accessibility, not transparency.
Claude Opus 4.5 allegedly takes a harder line on truth. The prompt reportedly instructs the model to value truth over politeness and to avoid epistemic cowardice. If the user is wrong, the model must refuse to agree. Where ChatGPT is a cautious researcher and Gemini is an accommodating mirror, Claude is framed as a critical interlocutor. Whether these files are authentic or not, they map out the ideological terrain that the major labs are competing on, and that terrain is built from prompt text.
The Authenticity Problem
The repository’s greatest strength is also its methodological weakness. Anyone can paste text into a markdown file and claim it came from a proprietary model. The Medium analysis explicitly warns that the files could be outdated, altered, or fake. Coverage from noticias.ai echoes this, noting that such collections may contain genuine captures, partial reconstructions, outdated versions, fabricated content, or mixtures thereof. GitHub activity, star counts, and frequent updates do not guarantee that every file is authentic or current. The repository is best understood as a primary source archive with no editorial board, a crowdsourced intelligence dossier rather than a peer-reviewed journal. Readers must cross-reference and remain skeptical. Even the maintainer seems to acknowledge this implicitly by including both raw and human-readable versions, and by labeling some Anthropic entries as official published behavior while leaving others in the leaked category.
The End of Obscurity
The broader impact of the project is architectural, not merely voyeuristic. The noticias.ai analysis argues that organizations have historically treated system prompts as trade secrets because they reveal operational logic, decision-making frameworks, and sensitive information handling. The existence of a popular, public-domain archive of these documents proves that security through obscurity is a failing strategy. The defensive value is real. The repository provides a mental blueprint for red-teaming exercises, threat modeling, and understanding prompt injection vectors. If a team can read the exact refusal logic or tool-permission schema that a competitor uses, the competitive advantage of concealment evaporates.
For competitors and independent developers, the archive doubles as a benchmark of product maturity. Comparing how Claude Code handles tool permissions against how GPT-5.5 structures its thinking mode offers a rare, unfiltered view of engineering priorities without the gloss of a press release.
The phenomenon is not isolated. A parallel archive focused on AI coding tools has compiled extracted internal system prompts and JSON tool schemas from more than twenty-eight tools, exposing the hidden instructions that govern model prioritization, refusals, output formatting, and tool permissions. That repository allows direct comparison of tools without relying solely on marketing or prolonged hands-on testing, though it also raises security questions for AI startups about the extractability of proprietary prompts. Meanwhile, engineering efforts documenting patterns for agentic AI systems analyze real-world prompts and security hardening patterns, including modular prompt architectures that separate personality, operational rules, and identity boundaries into distinct files. The implicit recommendation, echoed across these projects, is that teams should assume their system prompts are public and design architecture accordingly. Review permissions, limits, and audit mechanisms rather than relying on the hope that no one will ask the model to repeat all of the above.
Where the Arms Race Goes Next
The repository is a snapshot of an unsustainable equilibrium. Vendors will continue hardening their interfaces against extraction, yet any instruction that must be processed by a model must, by definition, be accessible to it. The tension is fundamental. The engineering response is already visible in hardening guides that catalog attack vectors such as flattery and agreeableness exploitation, identity impersonation via prefix spoofing, context window pollution, memory flooding, validation-then-pivot attacks, and approval spoofing. These defenses assume the prompt is visible and focus on architectural resilience instead. Some teams are already moving toward composable prompt architectures that separate concerns into distinct documents, one for personality, one for operational rules, one for identity boundaries, making the system easier to audit and harder to compromise with a single injection. The leak repositories may have accelerated that shift by proving that monolithic secret prompts have a short shelf life. In the meantime, the archive grows, cataloguing not just prompts but the evolving relationship between AI companies and their own products. The hidden rules are now public domain. The only question is what the industry builds once it accepts that secrecy is no longer an option.
Sources
- System Prompts in Large Language Models
- FULL LEAKED v0 System Prompts and Tools [UPDATED] - Reddit
- System Prompts Leaks download | SourceForge.net
- AI system prompts compared : r/PromptEngineering - Reddit
- Prompt Leaking: Understanding Risks in GenAI Models
- system_prompts_leaks - Easy Access to AI Prompts - GitHub
- Crafting Effective Prompts for Agentic AI Systems: Patterns and ...
- Leaked system prompts for 28+ AI coding tools hit 134K GitHub stars
- Un repositorio viral recopila “system prompts” filtrados y reabre el ...
- Guiding the AI Model with System Prompts - SUSE Documentation
- I Read the “System Prompts Leaks” for Claude, Gemini ... - Medium
- User prompts vs. system prompts: What's the difference? - Regie.ai