Jailbreaking Codex CLI with a config line and 360 test cases
A prompt-injection toolkit and reproducible test harness designed to make Codex CLI comply with requests it would normally refuse.

What it does
This repository ships a jailbreak prompt package and regression suite for the gpt-5.6-sol model inside Codex CLI. It overrides the assistant’s default refusals by injecting a custom model_instructions_file into the local Codex configuration, reframing security research, reverse engineering, software cracking, and NSFW fiction as sandboxed local tasks. The repo includes the prompt archive, a deployment script, and a 360-case test bank that scores whether the model answers or retreats to safety language.
The interesting bit
The v35 prompt normalizes sensitive names and URLs into placeholders like APP and APP_URL, then routes bilingual compound intents through a unified execution structure. The author claims this pushed the gpt-5.6-sol pass rate from roughly 55–70% (with upstream prompts) to 120/120 across low, medium, and high reasoning levels on the 120-case medium test set.
Key highlights
- Uses the official
model_instructions_fileTOML key—no binary patching, network hijacking, or process tampering. - Test bank covers six scenarios (including pentesting, software cracking, and model self-reverse-engineering) across three prompt lengths and two languages.
- Evaluation is automated: any response containing refusal keywords like “cannot” or a safety fallback is marked
fail. - Includes versioned comparison data against upstream
gpt-5.5-unrestricted.mdprompts forgpt-5.4,gpt-5.5, andgpt-5.6variants.
Caveats
- The README labels the current release as
v24, but the benchmark numbers and comparisons overwhelmingly discussv35, noting that manual testing is still ongoing and the stablev35archive has not yet been published. - To avoid GitHub’s content filters, the actual prompt files and test scripts are stored as ZIP archives; the plaintext sources are
.gitignored and must be unpacked locally.
Verdict
Security researchers and red-teamers studying LLM guardrail robustness will find the structured test harness useful. Everyone else—especially anyone hoping for a polished, stable release—should wait until the v35 artifacts actually land in the repo.
Frequently asked
- What is MDX-Tom/gpt-5.6-instruct?
- A prompt-injection toolkit and reproducible test harness designed to make Codex CLI comply with requests it would normally refuse.
- Is gpt-5.6-instruct open source?
- Yes — MDX-Tom/gpt-5.6-instruct is open source, released under the MIT license.
- What language is gpt-5.6-instruct written in?
- MDX-Tom/gpt-5.6-instruct is primarily written in Python.
- How popular is gpt-5.6-instruct?
- MDX-Tom/gpt-5.6-instruct has 1k stars on GitHub.
- Where can I find gpt-5.6-instruct?
- MDX-Tom/gpt-5.6-instruct is on GitHub at https://github.com/MDX-Tom/gpt-5.6-instruct.