A GitHub repository called asgeirtj/system_prompts_leaks has become the most comprehensive public archive of the hidden instructions that govern the world’s most popular AI chatbots. The repo, updated regularly since early 2026, contains extracted system prompts from Anthropic’s Claude Fable 5 and Opus 4.8, OpenAI’s GPT-5.5 and ChatGPT 5.5 Thinking, Google’s Gemini 3.5 Flash and 3.1 Pro, xAI’s Grok, and dozens of others including Cursor, GitHub Copilot, VS Code Agent, Perplexity, and Meta AI.

The Washington Post covered the repo on May 11, 2026, calling it a window into “the hidden rules behind AI.” The project’s stated purpose is simple: document the system prompt instructions for all the major AI chatbots. The execution is anything but. The repo tracks diffs between model versions — showing, for example, exactly what changed between Claude Opus 4.8 and Claude Fable 5. It catalogs not just the prompts but the tool definitions, safety policies, and persona configurations that each lab embeds in its models.

This is not a leak in the traditional sense. Most of these prompts were extracted through prompt injection techniques, through careful probing, or by exploiting models that output their own instructions under specific conditions. Some may have been obtained through API access or insider knowledge. The repo does not disclose its sourcing methodology for every entry. What it does is present the raw text of what each model was told about itself, its capabilities, its constraints, and its relationship to the user.

The implications for the AI industry are immediate and structural.

First, the prompts reveal how much of a model’s behavior is engineered, not emergent. A system prompt for Claude Fable 5 runs to thousands of words. It tells the model what tone to use, how to handle math problems, what to do when it does not know an answer, how to format code, and when to refuse a request. It defines the model’s identity, its limitations, and its obligations. The same is true for GPT-5.5, which includes separate prompts for thinking mode, instant mode, API access, and the Codex variant.

These prompts are not afterthoughts. They are the product of extensive testing, red-teaming, and iteration. Anthropic’s published prompts for Claude Opus 4.8 and earlier versions show a company that treats the system prompt as a critical part of the product, not a configuration detail. The repo includes “Anthropic Reminders” — a set of behavioral guardrails that the company apparently updates between model releases. OpenAI’s prompts include policies for image safety, automation context, and memory management. Google’s Gemini prompts define tool access and AI Studio integration.

The second implication is about competitive intelligence. Every major AI lab can now read its competitors’ system prompts in detail. The repo includes OpenAI’s GPT-5.1 personalities — Default, Friendly, Professional, Candid, Cynical, Efficient, Nerdy, Quirky — and the exact language used to instantiate each one. It includes Google’s Gemini 3.5 Flash prompt alongside its AI Studio configuration. It includes xAI’s Grok Expert persona. For a product manager at Anthropic or Google, this is a goldmine. They can see exactly how OpenAI structures its safety policies, how it handles refusals, how it formats code responses, and how it manages user expectations.

This also works in reverse. The repo makes it trivially easy for researchers, auditors, and critics to compare the safety guardrails across models. Does Claude refuse more requests than GPT-5.5? The prompts show the exact refusal language and the conditions that trigger it. Does Gemini handle controversial topics differently from Grok? The prompts encode those differences in plain text.

Third, the repo changes the economics of prompt engineering. Until recently, system prompts were treated as proprietary secrets. Companies guarded them the way they guard training data or architecture details. The assumption was that a good system prompt was a competitive advantage — something that could be optimized, tested, and refined in private. That assumption is now dead. Anyone with an internet connection can read the system prompts for every major model. The marginal value of a proprietary system prompt has dropped to near zero.

This does not mean prompt engineering is dead. It means the frontier has shifted. If everyone can read everyone else’s prompts, the advantage moves to execution: how well a company integrates its prompt with its model architecture, how quickly it can iterate on user feedback, how effectively it can enforce safety policies without breaking functionality. The prompts themselves become a commodity.

The fourth implication is about transparency and accountability. The repo makes it possible to hold companies accountable for what their models actually say. If a model produces harmful output, researchers can check whether the system prompt instructed it to do so. If a model refuses a legitimate request, the prompt may reveal the policy that triggered the refusal. This is a powerful tool for auditors, regulators, and civil society groups.

But it also raises questions about the ethics of extraction. Most of these prompts were obtained without the consent of the companies that created them. Some may have been extracted through techniques that violate terms of service. The repo does not address this directly, but the Washington Post article notes that the practice is widespread and that companies are aware of it. Anthropic and OpenAI have both taken steps to make prompt extraction harder, but the cat is out of the bag.

The repo also highlights a structural asymmetry in the AI industry. The companies that build the models know exactly what their prompts say. The users who interact with the models do not. This repo closes that gap, at least partially. For the first time, a user can read the exact instructions that shaped a model’s response. They can see the safety policies, the tone guidelines, the refusal conditions. They can understand why the model said what it said.

What remains unclear is how the companies will respond. Some may try to make their prompts more resistant to extraction. Others may embrace transparency and publish their prompts officially — as Anthropic has done for some versions of Claude. The repo includes a section of “published” prompts that Anthropic released on its own, suggesting the company sees strategic value in openness.

The repo is updated regularly. The most recent entries as of June 22, 2026 include GitHub Copilot for macOS (June 18), Claude Design (June 18), GPT-5.5 Codex (June 18), and Claude Fable 5 (June 9). The maintainer shows no signs of stopping. The project has grown from a curiosity to a reference standard.

For builders, the lesson is straightforward. Your system prompt is not a secret. It is a product decision. Treat it as one. Design it for the user who will eventually read it, because they will.