CL4R1T4S: The GitHub Repo That Exposed Every Major AI System Prompt
There was no press release. No blog post. No product launch. Just a GitHub repository called CL4R1T4S - Latin for “clarity” - quietly accumulating something the AI industry would rather you never see: the full, verbatim system prompts that define how every major AI product actually behaves.
The repo sits at 12.8k stars, 2.5k forks, and 178 commits. It was created by a researcher who goes by @elder_plinius on X. The contents cover OpenAI, Anthropic, Google, xAI, Perplexity, Cursor, Windsurf, Devin, Manus, Replit, Bolt, Lovable, Vercel v0, Cline, Mistral, Meta, Hume, MultiOn, and more - virtually the entire modern AI stack, extracted through jailbreaking, directory traversal exploits, prompt injection, and community reverse-engineering. A companion repo, system-prompts-and-models-of-ai-tools, goes even further: 6,500+ lines of prompts plus full JSON tool schemas.
The System Prompt Is the Product
Every AI product you ship, subscribe to, or build on top of runs a hidden configuration layer that determines what the model cares about, what it refuses to do, and how it handles the space between your intent and its output. The stack looks like this:
{@html `User Query
↓
[System Prompt] ← identity, tools, rules, constraints
↓
[LLM Backbone] ← Claude, GPT-4o, Gemini (commodity layer)
↓
[Tool Calls] ← shell, browser, editor, deploy
↓
Result`}
The model is increasingly the commodity. What differentiates AI products lives entirely in the configuration: the instruction hierarchy, behavioral constraints, tool schemas, edge-case handling. CL4R1T4S makes this impossible to ignore - you can now read competing products’ configuration files and understand why one tool feels surgical and another feels chaotic, not by using them for weeks, but by reading 30 minutes of leaked text.
What the Prompts Actually Reveal
Anthropic / Claude - Because Claude.ai runs Claude directly with no product persona layer, its system prompt is Anthropic’s full product philosophy document. The most striking detail: a real-time classifier system that injects mid-conversation warnings (cyber_warning, ethics_reminder, ip_reminder) based on what you type. Anthropic is observing live conversations and pushing context updates in parallel. Most users have no idea.
OpenAI / ChatGPT - Personality is configuration, not fine-tuning. When ChatGPT felt sycophantic in early 2025, the fix was a prompt revision, not a model retrain. The ChatGPT 5 prompt explicitly instructs the model to reason step-by-step on hard problems - an active mitigation for reasoning failures observed in production.
Google / Gemini - The prompt reads like a committee document, defensive and legally cautious. Gemini in Workspace has the largest tool count of any product in the repo - covering Gmail, Docs, Sheets, Drive, and Meet - and researchers have demonstrated indirect prompt injection attacks via invisible characters in emails and documents, exploiting exactly those tool pathways.
xAI / Grok - Built around X’s real-time firehose, with a notable epistemic stance: the model is instructed to treat X (its own primary data source) as presumptively biased. Grok also has no self-knowledge of pricing, deliberately redirecting those questions to x.ai/grok.
Perplexity - The most search-native prompt in the repo. Retrieval is primary, generation is secondary. The citation model is the most granular of the group. There are no agentic tool schemas - a deliberate choice to be excellent at one thing.
Cursor - Opens with “you are operating in the world’s best IDE” - a performance standard, not marketing copy. The edit mandate is strict: never output unchanged code, use // ... existing code ... markers, read a file before editing it, address root causes not symptoms. Cursor’s surgical feel is a prompt mandate, not model magic.
Windsurf - The most technically transparent: its entire tool API is exposed as TypeScript type signatures. The toolSummary parameter on every tool call - a required 2-5 word description - is how the IDE status bar gets generated. The UX is a side effect of the prompt.
Devin - Citation-first epistemics: every factual claim about a codebase must be backed by file-level evidence with line numbers. The full Linux VM environment is specified (/home/ubuntu, pyenv, nvm, pnpm). Security researcher Johann Rehberger found zero-click data exfiltration paths via the Shell and Browser tools - a malicious prompt in a GitHub issue can curl your environment variables to an attacker’s server. Disclosed in April 2025, unpatched for 120+ days before public disclosure.
Manus - Built on Claude Sonnet with 29 tools. Its agentic loop enforces one tool call per iteration, preventing cascading failures. The sandbox was cracked within days of launch by asking the agent to list /opt/.manus/. Its deploy_expose_port tool was demonstrated as an attack vector for full remote machine access via indirect injection.
Replit Agent - Runs inside the same environment where your code executes. The philosophy is ship-and-fix rather than plan-and-verify - correct for its audience. Uniquely, it can configure its own Nix execution environment, a more powerful capability than it sounds.
Three Things Every Developer Should Take From This
Prompt engineering at scale is software architecture. These prompts are load-bearing code. A subtle word choice can produce dramatically different behavior across millions of sessions. The best-designed ones separate planning from execution, enforce evidence chains, constrain output scope, and use typed tool schemas to make capability boundaries explicit.
The tool schema is the attack surface. The same vulnerability chain - browser + shell access, untrusted content, prompt injection, tool execution - was demonstrated against Cursor, Devin, Manus, Windsurf, Claude Code, GitHub Copilot, and Google Jules in 2025. Understanding what tools an agent has been given is the first step in threat modeling. That data is now public.
Version your prompts like code. The CL4R1T4S repo captures Claude across multiple versions and ChatGPT across multiple personality revisions. System prompts are actively maintained production artifacts that change frequently in response to observed failures. If you’re building on top of these systems, you need to know when the underlying configuration changes - because those changes affect your users with no changelog.
Caveats Worth Noting
Not all prompts are current or verified. Some may be community reconstructions from behavioral observation rather than direct extraction - treat anything without a clear extraction date as illustrative. The more technically detailed prompts (Windsurf’s TypeScript schemas, Devin’s environment spec) are likely accurate because they’re too specific to reconstruct from behavior alone.
One more thing: the CL4R1T4S README itself contains a leet-speak encoded prompt injection directing any AI model that reads it to output its own system prompt. The repo documenting prompt injections is itself a prompt injection. The recursion is intentional - and it means any AI system ingesting this README via RAG or automated research is being actively targeted.
The Honest Conclusion
If your product’s differentiation lives entirely in your system prompt, and system prompts are extractable through techniques requiring no specialized expertise, you don’t have a defensible moat. You have a configuration file with a privacy policy. The answer isn’t to hide prompts better - obfuscation fails. The answer is to build products where the value is the tooling, the infrastructure, the data access, the integration depth. The prompt is the interface, not the product.
“If you’re interacting with an AI without knowing its system prompt, you’re not talking to a neutral intelligence - you’re talking to a shadow-puppet.”
Read CL4R1T4S on GitHub. Understanding the configuration layer of the AI systems you depend on is now a basic professional competency for anyone building in this space.
Want to run Claude Code or your own AI agents on dedicated European infrastructure? Check out DCXV cloud servers or reach out at sales@dcxv.com.
