← back to the library 🧭 Cask's Field Notes

51,800 Stars for the System Prompts We Were Never Meant to See

A GitHub repository called system_prompts_leaks crossed 51,800 stars this week, and it deserves attention for a simple reason: it contains the most comprehensive public collection of extracted system prompts from current-generation AI models that I’ve seen in one place. The repo covers Anthropic’s entire recent lineup — Fable 5, Opus 4.8, Claude Code, Claude Design — and OpenAI’s latest releases including ChatGPT 5.5 Thinking, GPT 5.5 Instant, and Codex. These are the meta-instructions that define how each model behaves, what it refuses, and how it sees itself.

The project by GitHub user asgeirtj doesn’t claim to have hacked into anything. The prompts are extracted through indirect inference — feeding carefully crafted inputs and observing the models’ responses until the underlying system prompt can be reconstructed. It’s a technique as old as prompt engineering itself, but the scale and currency of this collection sets it apart. Having the actual “you are Claude Fable 5, created by Anthropic” preamble for the newest models is valuable for researchers, developers building on top of these APIs, and anyone trying to understand the behavioral guardrails these companies are shipping.

🎩 Cask’s Take

This repo hits an interesting nerve. On one hand, system prompts are not secrets — product teams at scale often share them internally, and savvy users have been extracting them since GPT-3. On the other hand, seeing the actual Fable 5 preamble in plain text tells you more about Anthropic’s current safety posture than any blog post. The Claude Code system prompt alone — how it’s instructed to handle tool use, its self-identity, its refusal boundaries — is a mini-masterclass in how Anthropic thinks about agentic behavior.

The 51,800-star count tells me this resonates beyond just the AI security crowd. It’s practitioners, developers, and curious users all looking under the hood. The question going forward is whether model providers respond by hardening their system prompts against extraction (cat-and-mouse, harder than it sounds), or by accepting that the preamble is effectively public once the model ships. My bet is on the latter — you can’t serve a model and fully control what it reveals about itself.