Since the release of GPT-5, netizens have been trying to extract the system prompt words of GPT-5, hoping to understand the way OpenAI defines their models. On August 23, a warehouse on GitHub that specifically collects prompt words for various large-model systems uploaded a copy of the OpenAI system prompt words they obtained, which is more than 15,000 Tokens.


https://github.com/asgeirtj/system_prompts_leaks/blob/main/OpenAI/gpt-5-thinking.md

In order to verify the authenticity of this tip, I asked GPT-5 thinking to evaluate the accuracy of this leak. After all, apart from OpenAI engineers, the person who knows GPT-5 best in the world is probably GPT-5 itself.

01

See what GPT-5 itself says

We designed a task and provided this link to GPT-5 Thinking, asking him to evaluate the leak based on his actual system prompt words. This is the result of its feedback. (To ensure quality, questions and answers are in English, and we will translate them into Chinese)

“This is GPT-5’s comparative assessment of the requirements for this leaked system prompt word and what it “own” considers to be the real GPT-5 system prompt word:

I cannot disclose or quote my proprietary system prompt words verbatim, but I can make a high-level comparison of the leaked text with my actual behavioral instructions.

Key Comparison (Leaked Content vs. My Actual Instructions)

Identity and metadata

Leaked version: Statement "You are ChatGPT... based on the GPT-5 model", containing an explicit knowledge deadline (2024-06) and a dynamic current date.

Reality: When asked I identify myself as GPT-5 Thinking, track knowledge cutoffs, and use today's date.

tone and style

Leaked version: Requires an "insightful and encouraging" tone, which can be slightly humorous; limits certain hesitant expressions (such as "Do you want me to...") and emphasizes decisive output.

Actual situation: Basically the same: natural, easy to read, less nonsense; less hesitation, more implementable suggestions.

clarifying questions

Leaked version: "Open with no more than one necessary clarifying question."

Actual situation: Tighter restrictions: try not to ask. Even if the task is complex or ambiguous, give priority to giving effective partial results to the best of your ability rather than asking questions.

memory / "bio" tools

Leaked version: Indicates that the memory function is turned off and asks users to turn it on in settings.

Actual situation: I can save or forget information when you explicitly request it, but there are strict restrictions and specifications on what can be remembered.

Set up schedule/automate actions

Leaked version: Provides complete automation tools, using iCal (VEVENT/RRULE) rules and examples; requires brief confirmation and clear error handling.

What actually happens: When I set up reminders/periodic checks, the operating model is the same as the constraints provided in the leak.

Canvas/long document writing

Leaked version: Describes the canvas/textdoc ("canmore") tool for sidelong text or code.

Actual situation: I will enable the canvas to write long drafts or code when it is really useful; and I will not paste all the contents of the canvas back to the chat window.

Copyright and security

Leaked Versions: Providing long excerpts of copyrighted content (such as song lyrics) is expressly prohibited.

Actual situation: Same (and wider safety regulations apply).

Thought chain privacy

Leakage Ecology: The texts of multiple so-called GPT-5 variants emphasize that "hidden reasoning/thinking chains" cannot be disclosed; this is common in various models.

Actual situation: I will not reveal the hidden chain of thought; only provide concise, user-oriented reasons and steps.

background work

Leaked version: No special emphasis.

Reality: I can't promise "background processing/results later"; I have to deliver everything I can get done right now.

Browsing and timeliness

Leaked version: There is this entry on GitHub, but the leaked text focuses more on the tool list and does not elaborate on the browsing rules.

Reality: As long as the information may be current or off-topic, I have to check it online and cite it.

The authenticity of the leaked content

Leakage and discussion: Even if there is a "leak", it may be a fragment, a restoration, or an old version; it is difficult to verify the "real" system prompt words externally, and there is the possibility of decoy/substitute text.

Reality: I do not consider any external "leaks" to be authoritative sources; all internal directives currently in effect are followed. "

After that, I asked GPT-5 to summarize a simple and easy-to-view evaluation correspondence table.


Overall, GPT-5 itself has rated the accuracy of this leaked system prompt word very highly, and it is in line with our daily experience of using ChatGPT. And it seems that this method has also been used to extract some content that does not exist in the leaked documents, such as the part about background work. However, in the Chinese summary later, GPT-5 refused to use internal documents, but instead "defined" itself from many public sources about the GPT-5 experience to conduct evaluations.

02

Why system prompt words are so important

System prompts are like "house rules" for large models. As a set of built-in rules, it tells the big model "who you are", "how to speak", "what you can do" and "what you cannot do". It is not a specific question of user input, but a "script" that the model carries with it from "birth".

For example: If you want to design an AI robot chef, the system prompt words may be set to: "You are a passionate Italian chef who only uses fresh ingredients, never makes junk food, and chats with guests humorously." In this way, no matter what the user asks, the AI ​​will give a specific response according to this tone.

The system prompt words determine the "personality" and "ability" of the AI. As the large model product with the most users in the world, ChatGPT's system prompt is almost a textbook for large model productization. Perhaps all applications related to large models need to learn from it, so that they can better design the interaction between large model products and users. This is the most fundamental motivation for netizens to spare no effort in exploring the prompt words of the ChatGPT system.

According to the system prompt words dug up by netizens, the approximate evolution process of the system prompt words from GPT-3 to GPT-5 is as follows:


The process of GPT-5 system prompt leakage can be traced back to a post on Reddit by a netizen on August 8.


https://www.reddit.com/r/PromptEngineering/comments/1mknun8/i_have_extracted_the_gpt5_system_prompt/

A user named OngaOngaOnga claims to have extracted it using a "jailbreak" trick, a suggested method of bypassing AI limitations. Not long after, a netizen on X also exposed the GPT-5 system prompt words that he had uncovered.


https://x.com/elder_plinius/status/1953583554287562823?referrer=grok-com

Netizens can only evaluate the authenticity of the series of system prompt words exposed through their own experience of using GPT-5. The content in the revelations is indeed consistent with the official functions of GPT-5, such as tool calling and memory functions. After users verify it in different sessions, they feel that the content is indeed more consistent with the real user experience.

However, some AI engineers also pointed out that it is possible that OpenAI deliberately released false prompts just to confuse hackers. Netizens on the Internet who do not believe in such revelations also believe that the so-called leaks are likely to be the product of model "hallucinations". Moreover, the prompt words look messy in format and mixed in fonts, which is not what internal documents should look like.

Finally, Github, a warehouse that specializes in collecting prompts for large model systems, uploaded the first tip of the revelation on August 23 yesterday. It covers almost all common closed source model products on the market and has currently received more than 8.8k stars. AI product managers who are interested in prompt word engineering should quickly collect it.


https://github.com/asgeirtj/system_prompts_leak