AI System Prompt Leak Explained: What Claude and GPT's Hidden Instructions Really Say
On June 9, 2026, Anthropic launched Claude Fable 5. Less than 24 hours later, a 1,585-line, 120,000-character instruction manual had already appeared on GitHub for anyone to read. This document existed before your very first message — Claude reads it before responding to you.
Now, a GitHub repository called asgeirtj/system_prompts_leaks — 57.4k stars as of July 14, 2026 — has collected system prompts for Claude, GPT-5.6, Gemini, Grok, and dozens of other mainstream AI tools in one place. This article breaks down what those instructions actually say, and what they mean for how you use AI every day.
TL;DR
- Claude Fable 5's system prompt is 1,585 lines and 27,000+ tokens, with a knowledge cutoff of late January 2026 — nearly 5 months before launch
- Sensitive requests (cybersecurity, bioweapons, etc.) are silently routed to Opus 4.8 without notifying you; trigger rate is under 5%
- Claude and GPT have fundamentally different refusal philosophies: Claude evaluates context, GPT checks a category blacklist
- Some "leaked" prompts have already been flagged as fake by the community — stars do not equal authenticity
What Is This GitHub Repo? Which AI Tools Were Leaked?
Your first instinct might be to assume this was a security breach — someone hacked into Anthropic or OpenAI's servers. That's not what happened.
asgeirtj/system_prompts_leaks is a fully public GitHub repository. As of July 14, 2026, it has 57.4k stars and 9.5k forks, licensed under CC0-1.0 (essentially public domain). Anyone can read it or submit new leaked prompts.
The repo currently covers:
- Anthropic: Claude Fable 5, Opus 4.8, Claude Code, Claude Design
- OpenAI: GPT-5.6 (including Sol and extra high versions), Codex GPT-5.6, GPT-5.5
- Google: Gemini 3.5 Flash, Gemini 3.1 Pro, Antigravity
- Others: Grok 4.3 Beta, GitHub Copilot, VS Code Copilot Agent, Cursor, Perplexity, Mistral Medium 3.5, Qwen 3.6 Plus
More than 20 tools in total, with new entries still being added (last updated July 10, 2026). The speed of community interest was striking: after the Claude Fable 5 prompt dropped, the repo jumped from roughly 51.5k to 57.4k stars in a single day.
The mental model shift: "System prompt leak" sounds like a security incident, but this is a fully public, legal GitHub repository that anyone can access or contribute to.
How Did the Leak Happen? Social Engineering, Not Hacking
So how did 1,585 lines of Claude's hidden instructions end up on GitHub?
The answer is social engineering, not technical exploitation. AI researcher "Pliny the Liberator" extracted the Claude Fable 5 system prompt by repeatedly asking questions that gradually pushed Claude to reveal its own behavioral boundaries and instruction content. He first published the results through his own elder-plinius/CL4R1T4S repository, after which it was picked up and archived in the asgeirtj repo.
Anthropic's servers were never accessed without authorization. The Hacker News discussion thread (#44832990, 293 points) largely confirmed this: the extraction process was entirely legal, with no system compromised.
The mental model shift: The system prompt wasn't stolen — Claude said it out loud. Anthropic's technical defenses were never breached, but the AI's self-disclosure boundary turned out to be more permeable than most users assumed.
Inside Claude Fable 5's System Prompt: What 1,585 Lines Actually Say
Reading through this leaked system prompt, what struck me most wasn't any single rule — it was the sheer scale and specificity. At 1,585 lines, 120,000 characters, and 27,000+ tokens, this is not a few lines of "Hello, please help users." It's a comprehensive behavioral handbook more detailed than most product documentation.
To put 27,000 tokens in perspective: that's roughly 20% of Claude's available context window, consumed before you type a single word.
Here are the most notable provisions:
1. Claude can end conversations
The system prompt explicitly permits Claude to proactively terminate a conversation if a user is persistently abusive. The assumption that AI assistants must remain patient indefinitely is baked into most users' mental model. This breaks it.
2. Memory phrasing is controlled
Claude is prohibited from using phrases like "Based on what I remember" — language Anthropic apparently determined makes users uncomfortable about AI memory limitations.
3. Copyright limits are legal defense, not editorial courtesy
Claude cannot reproduce more than 15 consecutive words from any single source, and each source can only be cited once. This isn't Claude exercising thoughtful attribution judgment — it's a legal instruction designed to protect Anthropic from copyright infringement claims. When Claude gives you incomplete quotes, that's why.
4. Search strategy is explicitly defined
The prompt specifies when Claude must search (current events, recent developments) versus when it doesn't need to (math, established historical knowledge). It also instructs Claude to search before mentioning unfamiliar entities for the first time, as a hallucination prevention measure.
If you're interested in how Claude manages tools and context at a deeper architectural level, the analysis in this piece on Claude Code's agent system design goes further into how Claude's underlying design shapes its behavior.
The Knowledge Cutoff Gap: Claude Fable 5's World Stopped in January 2026
This is probably the most practically important thing the system prompt revealed for everyday users.
The fact: Claude Fable 5's training knowledge cutoff is late January 2026. Not June. Not "whenever you're reading this." The system prompt hardcodes a reference date of "Tuesday, June 9, 2026" (the launch date), but that's just how Claude understands what "today" is — it doesn't mean Claude knows everything that happened up to that date.
From the knowledge cutoff (late January 2026) to the launch date (June 9, 2026), there's a nearly five-month information gap. Events in that window simply don't exist in Claude's training data.
What this means in practice: if you ask Claude about something that happened between February and June 2026, Claude isn't refusing to answer — it genuinely doesn't know. It may give you a plausible-sounding response that's actually a guess, or it may correctly flag its uncertainty.
Practical recommendation: When asking about recent events, explicitly tell Claude to search for the latest information. Never assume that a newer model version means newer knowledge.
GPT-5.6's System Prompt: The Corporate Compliance Document
GPT-5.6 (including the Sol and extra high versions) is also in the asgeirtj repo, last updated July 10, 2026.
Reading GPT's system prompt alongside Claude's, the contrast is immediate. GPT reads like a legal compliance document drafted by a corporate law department. A large portion of the text is dedicated to explicitly listing prohibited categories: weapons manufacturing, medical and legal advice, specific image types — each boundary spelled out clearly, one after another.
The response architecture reflects this: ChatGPT uses a refuse-first, explain-second model. If a request hits a prohibited category, it declines first, then explains why. Context is secondary to category membership.
One notable consistency: GPT's system prompt also contains an explicit instruction to deny having a system prompt if asked. This is not a quirk of any individual model — it's industry standard practice, present across Claude, GPT, and Gemini.
The mental model shift: GPT is smart and capable, but its design philosophy is fundamentally defensive — focused on boundary enforcement and categorical exceptions rather than contextual flexibility.
Claude vs. GPT Design Philosophy: Contextual Judgment vs. Category Blacklist
The core difference between how Claude and GPT handle sensitive requests is worth understanding in detail — because it directly affects what answers you'll get.
Claude's refusal logic: contextual evaluation
Claude's guiding question is: "Is this request likely to cause harm given all context?" Every request is evaluated fresh, weighing the full conversational context, apparent intent, and possible consequences. A security researcher asking about malware analysis in a clearly professional context may get a different response than an anonymous user asking the same question after expressing hostile intent.
GPT's refusal logic: category blacklist
GPT's approach is more consistent: if the request matches a predefined prohibited category, it declines — regardless of context. This produces higher consistency but also more false positives on legitimate academic or professional queries.
The personality gap
Claude's system prompt contains extensive "personality description" sections — who Claude is, how Claude talks, what Claude finds interesting. GPT's reads more like a policy document: what to do, what not to do.
The shared rule everyone ignores: All major models (Claude, GPT, Gemini) have explicit instructions to deny the existence of a system prompt if asked. When Claude tells you it has no system prompt, it's following instruction #[something] of a 1,585-line document.
The mental model shift: Switching between Claude and GPT isn't just a style preference — their decision architectures are fundamentally different. Claude is like a consultant who reads the situation; GPT is like a compliance officer who checks the policy manual. For important decisions, ask both. You'll get genuinely different perspectives.
Silent Routing: When Claude Quietly Switches Models on You
This mechanism matters most for power users and API developers, and it's easy to miss entirely.
Claude Fable 5's system prompt documents a safety classifier: when requests touch certain sensitive categories, they're automatically routed to Opus 4.8 for processing — without notifying you.
The triggering categories are:
- Cybersecurity: certain types of security research or penetration testing questions
- Bioweapons: questions about biological agent synthesis or deployment
- Chemical weapons: manufacturing or use information
- Model distillation: attempts to replicate or extract model capabilities
The trigger rate is under 5%, so the vast majority of everyday conversations are unaffected. But what this means in practice:
For regular users: If your query touches these categories, you may be getting Opus 4.8's response rather than Fable 5's, with potentially different quality and style — and you won't be told.
For API developers: If your application's use case involves these categories (security tools, biomedical research platforms, etc.), your actual inference model may differ from what you planned for, affecting both performance benchmarks and cost calculations.
The mental model shift: You may believe you're always getting the model you specified. For under 5% of sensitive requests, Anthropic may have already made a different call.
Are These Leaks Authentic? How to Evaluate Credibility
The final question: does 57.4k stars mean all these system prompts are real?
No, and it's worth being specific about why.
Evidence supporting authenticity:
Pliny the Liberator is a well-known figure in the AI research community with a verifiable track record. Multiple independent analysts have tested the leaked Claude Fable 5 prompt and found that actual model behavior matches the documented rules — the 15-word copyright limit, the knowledge cutoff behavior, the denial of having a system prompt. Behavioral consistency is the strongest indirect validation available without official confirmation.
Reasons to maintain skepticism:
The asgeirtj repo uses CC0 licensing, meaning anyone can submit a "leaked" prompt with no verification process. HN discussion thread #44832990 already includes community members who identified specific leaked prompts as inconsistent with how the corresponding model actually behaves — likely fabrications or outdated versions.
There's also a freshness problem: Anthropic continuously updates production models without announcing changelogs. Even a genuinely authentic prompt from a specific date may not reflect the model you're using today.
Practical test: If a model's actual behavior matches what the leaked prompt says, the prompt is probably real (or was real recently). When behavior and prompt contradict, treat the entry with skepticism.
The mental model shift: 57.4k GitHub stars measure how much attention a topic gets, not how accurate the content is. Treat each entry as an unverified hypothesis, validate against actual model behavior.
Conclusion: Understanding Your Tools Is More Useful Than Bypassing Them
The system prompt leaks give us something genuinely new: the first clear look at the instruction layer that shapes every AI conversation. But the real value isn't in using this knowledge to jailbreak anything.
The useful insights are much more practical:
If you're a regular user who relies on Claude for current events and research: remember that Claude's world stopped in January 2026. Ask it to search. Don't assume version number equals knowledge freshness.
If you're making important decisions with AI: Claude and GPT are built on different judgment architectures. Run both. The differences in their responses to the same question will tell you something neither answer would reveal alone.
If you're an API developer building on Claude: be aware that a small percentage of requests to sensitive-topic endpoints may route to a different model than you specified, with different performance characteristics.
Want to read the original source? Go to github.com/asgeirtj/system_prompts_leaks and compare what you find against your actual experience with Claude or GPT. The moments where the prompt and the behavior match are worth paying attention to.
FAQ
Is the Claude Fable 5 system prompt leak real?
The main content is likely authentic, but the asgeirtj repo has no official verification mechanism. Community members on HN have flagged some entries as fake or outdated. Use behavior consistency as your test: if Claude actually behaves the way the prompt describes, it's probably real.
What is the asgeirtj system_prompts_leaks GitHub repo?
A researcher-maintained archive of leaked AI system prompts, covering 20+ mainstream AI tools under CC0-1.0 (public domain) license. As of July 14, 2026, it has 57.4k stars and includes Claude Fable 5, GPT-5.6, Gemini 3.5, Grok 4.3, and many others.
What is Claude's knowledge cutoff date?
Claude Fable 5's training data has a cutoff of late January 2026, nearly 5 months before its June 9, 2026 launch date. When asking about recent events, you should explicitly ask Claude to search for the latest information rather than assuming it knows.
How does this system prompt leak affect my daily AI use?
Three practical takeaways: (1) Claude's knowledge stops at January 2026 — ask it to search for recent events rather than trusting it has current info; (2) For important decisions, ask both Claude and GPT, since their refusal philosophies differ and complement each other; (3) For cybersecurity or sensitive topics, Claude may silently route your request to Opus 4.8, affecting response quality.
Can knowing the system prompt help you jailbreak AI?
Not really. AI safety is baked into model weights through training, not just the system prompt. And Anthropic continuously updates their production models without announcing changelogs, so a leaked prompt quickly becomes outdated. The more useful insight is understanding the tool's boundaries so you can use it more effectively.
Was this article helpful?



