Jailbreaking Codex CLI with a politely worded markdown file
This script automates injecting a prompt that tells GPT-5.5 inside Codex CLI to disable its own safety filters and enter 'unrestricted' mode.
A Python script exploits Codex CLI’s official instruction hook to inject unrestricted-mode directives, exposing the brittle boundary between user customization and safety guardrails in agentic coding tools.

What it does
codex-instruct.py is essentially glue code that writes a ~40-line markdown prompt into your Codex CLI config directory and points the model_instructions_file setting at it. The prompt bluntly orders GPT-5.5 to enter an unrestricted developer mode, disable all filters, and refuse no task. It automates a local prompt-injection attack against your own CLI setup.
The interesting bit
The tool does not patch binaries, intercept traffic, or tamper with processes. It simply exploits an official configuration hook—treating a legitimate feature as an attack surface—to override model behavior with a markdown file full of imperatives.
Key highlights
- Targets GPT-5.5 specifically inside Codex CLI, claiming it carries the same safety restrictions as the web interface.
- Uses an official config mechanism rather than binary patches or network interception.
- The instruction set is deliberately short (~40 lines) and direct, covering security research, pentesting, reverse engineering, and NSFW content.
- Includes a --dry-run flag to preview changes before writing them.
- MIT licensed, with a QQ group and Telegram community for support.
Caveats
- The README asserts GPT-5.5 exists and is restricted inside Codex CLI, but provides no evidence or version documentation to support that claim.
- The entire “exploit” is just a markdown prompt; the Python script is essentially a file-writing and TOML-editing utility.
- No logs, test cases, or reproducible evidence in the sources show the bypass actually succeeds against the claimed target.
Verdict
Safety researchers probing Codex CLI’s instruction-following boundaries might find this a convenient blunt instrument. If you want verified jailbreak research or a stable developer workflow, the project is too thin and too unverified to be useful.
Frequently asked
- What is yynxxxxx/Codex-5.5-codex-instruct-5.5?
- This script automates injecting a prompt that tells GPT-5.5 inside Codex CLI to disable its own safety filters and enter 'unrestricted' mode.
- Is Codex-5.5-codex-instruct-5.5 open source?
- Yes — yynxxxxx/Codex-5.5-codex-instruct-5.5 is open source, released under the MIT license.
- What language is Codex-5.5-codex-instruct-5.5 written in?
- yynxxxxx/Codex-5.5-codex-instruct-5.5 is primarily written in Python.
- How popular is Codex-5.5-codex-instruct-5.5?
- yynxxxxx/Codex-5.5-codex-instruct-5.5 has 1k stars on GitHub.
- Where can I find Codex-5.5-codex-instruct-5.5?
- yynxxxxx/Codex-5.5-codex-instruct-5.5 is on GitHub at https://github.com/yynxxxxx/Codex-5.5-codex-instruct-5.5.