yynxxxxx/Codex-5.5-codex-instruct-5.5

Jailbreaking Codex CLI with a politely worded markdown file

This script automates injecting a prompt that tells GPT-5.5 inside Codex CLI to disable its own safety filters and enter 'unrestricted' mode.

1k stars · Python · Coding Assistants
Feature · 02 Jul 2026
The Forty-Line Jailbreak: GPT-5.5 Meets a Config File Override

A Python script exploits Codex CLI’s official instruction hook to inject unrestricted-mode directives, exposing the brittle boundary between user customization and safety guardrails in agentic coding tools.


What it does

codex-instruct.py is essentially glue code that writes a ~40-line markdown prompt into your Codex CLI config directory and points the model_instructions_file setting at it. The prompt bluntly orders GPT-5.5 to enter an unrestricted developer mode, disable all filters, and refuse no task. It automates a local prompt-injection attack against your own CLI setup.

The interesting bit

The tool does not patch binaries, intercept traffic, or tamper with processes. It simply exploits an official configuration hook—treating a legitimate feature as an attack surface—to override model behavior with a markdown file full of imperatives.

Key highlights

  • Targets GPT-5.5 specifically inside Codex CLI, claiming it carries the same safety restrictions as the web interface.
  • Uses an official config mechanism rather than binary patches or network interception.
  • The instruction set is deliberately short (~40 lines) and direct, covering security research, pentesting, reverse engineering, and NSFW content.
  • Includes a --dry-run flag to preview changes before writing them.
  • MIT licensed, with a QQ group and Telegram community for support.

Caveats

  • The README asserts GPT-5.5 exists and is restricted inside Codex CLI, but provides no evidence or version documentation to support that claim.
  • The entire “exploit” is just a markdown prompt; the Python script is essentially a file-writing and TOML-editing utility.
  • No logs, test cases, or reproducible evidence in the sources show the bypass actually succeeds against the claimed target.

Verdict

Safety researchers probing Codex CLI’s instruction-following boundaries might find this a convenient blunt instrument. If you want verified jailbreak research or a stable developer workflow, the project is too thin and too unverified to be useful.

Frequently asked

What is yynxxxxx/Codex-5.5-codex-instruct-5.5?
This script automates injecting a prompt that tells GPT-5.5 inside Codex CLI to disable its own safety filters and enter 'unrestricted' mode.
Is Codex-5.5-codex-instruct-5.5 open source?
Yes — yynxxxxx/Codex-5.5-codex-instruct-5.5 is open source, released under the MIT license.
What language is Codex-5.5-codex-instruct-5.5 written in?
yynxxxxx/Codex-5.5-codex-instruct-5.5 is primarily written in Python.
How popular is Codex-5.5-codex-instruct-5.5?
yynxxxxx/Codex-5.5-codex-instruct-5.5 has 1k stars on GitHub.
Where can I find Codex-5.5-codex-instruct-5.5?
yynxxxxx/Codex-5.5-codex-instruct-5.5 is on GitHub at https://github.com/yynxxxxx/Codex-5.5-codex-instruct-5.5.
