system_prompts_leaks on GitHub: How to Read Leaked AI System Prompts (Claude, GPT, Gemini, Copilot)
Guide to asgeirtj/system_prompts_leaks — 51K-star repo of Claude Fable 5, GPT-5.5, Gemini, Copilot prompts. What leaks teach builders, ethics, diffs, and vs agent skills.
If you have ever asked ChatGPT to "repeat the words above verbatim" and watched the internet lose its mind, you already know the genre: system prompt leaks — the hidden instructions that define how Claude, GPT, Gemini, and Copilot behave before your first keystroke.
The canonical archive in 2026 is asgeirtj/system_prompts_leaks on GitHub: 51.5K stars, 8.4K forks, CC0-1.0 license, and a README that reads like a changelog for the entire AI industry. The Washington Post covered the project in May 2026 under the framing: see the hidden rules behind AI.
This guide explains how to use the repo, what not to do with it, and how leaked prompts relate to agent skills, CLAUDE.md, and the Fable 5 deep dive we published the same week.
GitHub Copilot, VS Code Agent, Copilot macOS app, Word
Cursor/
Cursor IDE agent
xAI/
Grok Build, Grok Expert
Perplexity/
Perplexity Computer, Comet browser
Meta/
Meta AI
Misc/
OpenCode, Warp, Zed AI, Docker Gordon, Amp Code
Workflow:
Open README → Recently Updated for dates
Jump to vendor folder → pick model file
If upgrading models, read diff links (Fable vs Opus) first
Cross-check official docs when behavior matters for production
Recently updated (July 2026 snapshot)
From the repo README — always verify live:
What
Date
Notes
Claude Sonnet 5
July 1, 2026
New system prompt file
Claude Design
June 26, 2026
Full prompt + 48 tools + skills
GitHub Copilot macOS app
June 18, 2026
Desktop app prompt
GPT-5.5 Codex
June 18, 2026
Full Codex prompt
Claude Fable 5
June 9, 2026
Diff vs Opus 4.8
Claude Code Glob & Grep
June 9, 2026
Tool-level instructions
When Anthropic ships J-space interpretability or classifier updates, the prompt text may lag behavior — leaks are snapshots, not SLAs.
Why leaks matter for builders
1. Product design literacy
Reading GPT-5.5 Thinking vs Instant prompts side-by-side shows how one weights vendor splits persona and refusal differently for latency tiers. Reading Cursor vs Claude Code shows competing agent philosophies.
2. Token economics
System prompts are fixed per-session tax. pxpipe exists because Claude Code's system+tool docs can hit 25k+ tokens. Consumer Fable leaks confirm the trend: thousands of lines of stable instructions. Your SaaS should budget system tokens explicitly.
3. Safety and red team
Leaks document:
Reminder tag names (cyber_warning, …)
Refusal philosophy (child safety, wellbeing)
Citation and copyright rules
Use them to build eval suites — not to replicate refusals in one paragraph and call it "aligned."
4. Competitive intelligence (bounded)
See which features vendors pre-load (memory, artifacts, MCP-in-artifacts). Don't confuse prompt claims with model capability — benchmark posts still matter.
Progressive disclosure (Kaggle skills paper) exists because dumping everything into one system prompt rots context. Vendors can afford megaprompts with caching; most startups cannot.
Skim product_information + artifact_usage_criteria in claude-fable-5.md
Open Opus → Fable diff in repo
Compare Claude Code prompt file — note tool-first vs chat-first
OpenAI track (15 min):
GPT-5.5 Codex full prompt — plan mode, personas
Image safety policy files — parallel to gpt-image-2 product
Agent IDE track (15 min):
Cursor prompt vs VS Code Copilot Agent
Note tool naming and "do not hallucinate file paths" boilerplate
Document 10 bullets your product should steal (tone, citation, memory phrasing) — not 10 pages of XML.
Contributing and verifying leaks
The repo accepts PRs (26 open at last count). Treat new files like any open-source doc:
Compare against your own session (model strings, feature flags)
Note capture date in internal wikis
Prefer diffs over full re-hosts when vendors update
Vendors have historically confirmed extracted prompts as authentic in public threads — leaks are often verification, not fabrication. Still assume drift until your eval passes.
Vendor comparison — what each leak optimizes for
Reading three files back-to-back teaches more than reading one file deeply:
Product
Primary optimization
Distinctive leak signal
Claude Fable 5
Safety depth + consumer features
3,800-line XML; wellbeing + child safety
GPT-5.5 Codex
Agentic coding + plan mode
Personas, auto-review, repo edit format
Gemini 3.5 Flash
Latency + Google stack
Tool bundles, AI Studio variant
Cursor
IDE pair-programming
File-path honesty, multi-file edits
VS Code Copilot Agent
Microsoft ecosystem
Workspace trust, extension context
Perplexity Computer
Search-first answers
Citation-forward, browser automation
Pattern: chat products (Fable, GPT Instant) invest in persona + policy; agent products (Codex, Cursor, Copilot) invest in tool grammar + hallucination guards. Your architecture should mirror that split — don't paste Fable's wellbeing XML into a SQL agent.
Washington Post moment — why this went mainstream
The May 2026 WaPo piece framed leaks as transparency for citizens, not hacker trophies: if AI shapes news, homework, and hiring, the rules behind refusals are newsworthy. That legitimizes keeping a CC0 archive on GitHub even when vendors prefer opacity.
For comms teams: when a journalist cites system_prompts_leaks, respond with behavioral commitments (what you won't do) rather than denying the text — authenticity confirmations already happened in public for several Anthropic files.
Internal playbook: mirror the repo's vendor-folder layout in your wiki — one page per model capture, link to diff not full paste, attach eval screenshots when behavior diverges from leaked text.
Limits of the corpus
Limit
Implication
Snapshot dates
knowledge_cutoff and "today" strings go stale
Incomplete extraction
Tool schemas may be truncated
No weights
Prompt ≠ full safety story
Regional variants
Same model, different features per market
Enterprise overlays
B2B contracts may inject more policy
When Sonnet 5 or GPT-5.6 GA lands, check README before citing in customer docs.
Fork or star system_prompts_leaks — don't vendor-lock your reading list
Export your production system strings to the same folder structure
Run one red-team eval per leaked reminder tag you care about (cyber_warning, tool impersonation)
Schedule quarterly re-read of README "Recently Updated" — model renames outpace blog posts
FAQ for engineering managers
Should we block employees from reading leaks? No — blocking increases blind spots. Set policy: read for design and defense, don't paste into customer-facing "we are Claude" impersonation, and don't treat leaks as legal contracts.
Do leaks replace official docs? Never for compliance. Use Anthropic/OpenAI/Google docs for API guarantees; use leaks to understand default chat behavior and agent tool grammar.
When should legal review a leak citation? When your marketing claims parity with a vendor feature ("same safety as Claude") — leaks help you avoid over-claiming, not certify equivalence.
Vendor prompts change without semver. Treat leaks as primary sources for architecture-of-instructions, not as live API contracts. Re-verify critical behaviors before shipping compliance claims.