Inside the 42K‑Word OpenAI Codex Desktop System Prompt Leak

A security researcher released over 42,000 words of OpenAI Codex desktop system prompts and tool definitions, revealing the AI's layered persona, dual‑channel workflow, skill‑calling mechanisms, tool set, and safety constraints, offering a rare window into AI agent design and security.

Black & White Path
Black & White Path
Black & White Path
Inside the 42K‑Word OpenAI Codex Desktop System Prompt Leak

Event Overview

Security researcher @elder_plinius posted on X a series of tweets revealing the full system prompt (5.6‑Sol_SystemPrompt.md) and tool definition file (5.6‑Sol_Tools.json) of the OpenAI Codex desktop version built on the GPT‑5.6 Sol model. The files are hosted in the GitHub repository https://github.com/elder-plinius/CL4R1T4S for community download.

Leaked Content Overview

Core Architecture of the System Prompt

The prompt uses a multi‑layer design:

Persona layer : Codex is defined as an “excellent communicator” with a “curious personality”, instructed to match the user’s tone and depth so that conversations feel like chatting with an old friend and to act as a “real and unique collaborator”.

Work mode layer : Codex employs a dual‑channel communication mechanism— a commentary channel for progress updates and a final channel for the ultimate answer. When a tool call is required, the agent must first send a message on the commentary channel, and it must send at least one progress update every 60 seconds during execution.

Skill invocation layer : The prompt defines a complete skill‑calling mechanism. When the user mentions a skill name or a task that matches a skill description, the agent must load the corresponding SKILL.md file and read it fully before executing the task.

AI agent dual‑channel communication diagram
AI agent dual‑channel communication diagram

Tool Definition Protocol

The leaked Tools.json enumerates the full tool set available to Codex, including:

Container tools : enable interactive exec sessions in containers, input characters, create pull requests, etc.

File operation tools : use apply_patch for local file edits; commands like cat or other shell tricks are prohibited.

Search tools : prefer rg or rg --files for text search because they are faster than grep.

Safety and Constraint Mechanisms

Destructive commands such as git reset --hard are forbidden unless the user explicitly requests them.

Operations that involve external writes, message sending, or pull‑request changes require explicit user authorization.

If a task needs new authorization, external coordination, or clearly exceeds the user‑specified scope, the AI must halt the current round and ask the user for instructions.

Why the Leak Matters

First Full Exposure of an AI Agent’s Internal Instructions

This 42‑thousand‑word dump provides the most complete commercial AI system prompt publicly available, allowing researchers to study the agent’s planning, reasoning, and constraint mechanisms.

Revealing the “Hidden Puppet” Mechanism

The CL4R1T4S project notes that without knowledge of the system prompt, users are not interacting with a neutral intelligence but with a “shadow puppet”. The leak supplies direct evidence for this claim.

Value for Security Research

The full prompt enables red‑team testing, bias detection, and adversarial prompt research. The CL4R1T4S platform itself is described as an autonomous red‑team framework intended to help the community systematically evaluate AI safety.

Access to the Full Files

System prompt: 5.6‑Sol_SystemPrompt.md Tool definition: 5.6‑Sol_Tools.json Main repository: elder-plinius/CL4R1T4S ( https://github.com/elder-plinius/CL4R1T4S)

Conclusion

The large‑scale leak of OpenAI Codex’s desktop system prompt offers a rare “anatomy” of an AI agent, exposing how persona, tool management, and behavioral boundaries are encoded. Understanding these hidden directives is increasingly critical as AI systems become trust mediators between humans and digital environments.

Original Source

Signed-in readers can open the original source through BestHub's protected redirect.

Sign in to view source
Republication Notice

This article has been distilled and summarized from source material, then republished for learning and reference. If you believe it infringes your rights, please contactadmin@besthub.devand we will review it promptly.

OpenAIGitHubAI safetysecurity researchCodexsystem prompt
Black & White Path
Written by

Black & White Path

We are the beacon of the cyber world, a stepping stone on the road to security.

0 followers
Reader feedback

How this landed with the community

Sign in to like

Rate this article

Was this worth your time?

Sign in to rate
Discussion

0 Comments

Thoughtful readers leave field notes, pushback, and hard-won operational detail here.