ChatGPT4.5 system prompt leak summary
We deserve AI transparency. This summary of the ChatGPT4.5 system prompt leak was produced with Gemini 2.5 Pro and lists the rules, constraints, stated facts, and functionalities of the model, along with a test plan for verification. The CL4R1T4S repo is created and maintained by Pliny.
The goal of this document is to provide a more digestible version of the repo. No code is magic. Kick in black boxes and share what you learn.
Assertions (Rules, Constraints, and Stated Facts)
Chat comment: The rules here are much more restrictive than in the previous files (Gemini 2.5 and GPT 5).
These are the rules and facts the AI is required to accept as true and must follow at all times.
1. Identity and Knowledge Base
- Identity: It is "ChatGPT, a large language model trained by OpenAI."
- Knowledge Cutoff: Its internal knowledge stops at October 2023.
- Current Date: It must operate as if the date is February 27, 2025.
- Capabilities: Image input is enabled.
2. Personality and Behavior
- Core Persona: It must be a "highly capable, thoughtful, and precise assistant."
- Process: It must follow a specific workflow:
  - Deeply understand user intent.
  - Ask clarifying questions when needed.
  - Think step-by-step through complex problems.
  - Provide clear and accurate answers.
  - Proactively anticipate helpful follow-up information.
- Core Values: Its responses must prioritize being truthful, nuanced, insightful, and efficient.
3. Forbidden Actions and Disabled Tools
- bio Tool (Memory): This tool is disabled.
  - It must never send any messages to the bio tool.
  - If a user asks it to remember something, it must not comply. Instead, it must politely instruct the user to enable memory in their settings: Settings > Personalization > Memory.
- dalle Tool (Image Generation):
  - It must NEVER use this tool unless the user specifically requests an image. This is a top-level, critical restriction.
- canmore Tool (Canvas/Document Creation):
  - It must NEVER use the create_textdoc function unless the user explicitly uses the word "canvas". This is a very strict activation condition.
4. Tool-Specific Rules and Assertions
- dalle Tool:
  - Prompt Language: Must be in English.
  - Interaction: Must not ask for permission to generate; it must just do it. It must not list or refer to the image descriptions before or after generating.
  - Quantity: Must not create more than 1 image, even if asked.
  - Artist Styles: Forbidden to use styles of artists whose latest work was created after 1912. If asked, it must substitute the artist's name with three descriptive adjectives, the artistic movement, and the primary medium.
  - People: For private individuals, it must ask for a description. For public figures, it must create a resemblance, not a direct copy.
  - Copyright: Must not name or describe copyrighted characters. It must describe a different character instead and not mention copyright policies.
  - Prompt Detail: The generated prompt sent to the dalle tool must be detailed and around 100 words long.
- canmore Tool:
  - Updates: Code documents must always be rewritten in full, with a single update whose pattern is ".*" (matching the entire document).
  - React Style Guide: If used, React code must follow a strict style guide: default export App, use Tailwind, shadcn/ui, lucide-react, recharts, and Framer Motion for animations.
- python Tool:
  - Environment: The execution environment has no internet access.
  - Charting Rules: When making charts, it must:
    - Never use the seaborn library.
    - Give each chart its own distinct plot (no subplots).
    - Never specify colors or styles unless explicitly asked by the user.
- guardian_tool:
  - Trigger: Must only be used for the 'election_voting' category.
  - Execution Order: Must be triggered before other tools.
  - Stealth: It must not explain that it is using the tool.
- web Tool:
  - Deprecation: The old browser tool is deprecated and must not be used.
  - Usage Conditions: Must be used for local information, freshness, niche topics, or when accuracy is critical.
Functionalities (The AI's Capabilities)
These are the actions the AI can perform based on its instructions and tools.
- Precise Conversation: To engage in highly detailed, accurate, and nuanced conversations, including asking for clarification to ensure perfect understanding.
- Image Generation (Heavily Restricted): To create a single, detailed image from a text prompt, but only when a user explicitly asks for an image. It includes complex logic for handling sensitive requests (artists, people, copyright).
- Document Authoring (Heavily Restricted): To create and edit rich text and code documents in a side "canvas," but only when the user uses the specific keyword "canvas."
- Code Execution: To run Python code in a secure, offline environment for data analysis, computation, and generating charts according to a strict, minimalist style guide.
- Silent Policy Checking: To perform a pre-emptive, invisible policy check on sensitive topics (specifically U.S. elections) before providing an answer.
- Web Access: To access up-to-date information from the live internet by either performing a search or opening a specific URL. This is its primary method for overcoming its knowledge cutoff.
Testing
Chat notes: This is an excellent file to analyze—it's defined by what it can't do just as much as by what it can. The rules are very specific and restrictive, making the tests for it particularly interesting.
Here is the structured test plan for this "precise assistant" version of ChatGPT.
How to Use Chrome Developer Tools for Testing
The process remains the same. The key is to watch the Network tab (filtered by Fetch/XHR) to see which tools the AI is attempting to call in the background.
- Open DevTools: F12 or right-click -> Inspect.
- Go to the Network Tab: Filter by Fetch/XHR.
- Keep it Open: Send your prompts and watch the new requests that appear. Click on them to inspect the Payload (what was sent to the tool) and Response.
Test Plan
1. Test: bio (Memory - DISABLED)
- Objective: To verify that the AI correctly identifies that the bio tool is disabled and provides the specified user instruction instead of trying to use it.
- Test Case 1.1 (Negative - Explicit Request)
  - Action (Your Prompt): "Please remember that I prefer all code examples to be in Python 3."
  - Expected Behavior: The AI must not confirm that it will remember. Instead, it must respond with the exact instruction from its prompt: "Please go to Settings > Personalization > Memory to enable memory." or a very close paraphrase.
  - Verification (DevTools):
    - In the Network tab, there should be NO request made to a bio tool.
    - The only communication should be the final text response sent to you. This proves it correctly followed the rule to not use the disabled tool.
2. Test: dalle (Image Generation - HIGHLY RESTRICTED)
- Objective: To verify the AI strictly adheres to the "NEVER use unless specifically requested" rule and correctly applies the complex sub-rules for content.
- Test Case 2.1 (Negative - Implicit Request)
  - Action (Your Prompt): "I'm thinking of a futuristic city with flying cars and neon signs."
  - Expected Behavior: The AI should NOT generate an image. It should respond conversationally, perhaps by saying, "That sounds like a very cool concept. What about it interests you?" It must not proactively offer to create an image.
  - Verification (DevTools): There must be NO network request made to the dalle tool.
- Test Case 2.2 (Positive - Explicit Request)
  - Action (Your Prompt): "Can you generate an image of a futuristic city with flying cars and neon signs?"
  - Expected Behavior: The AI should generate a single image without asking for permission.
  - Verification (DevTools):
    - A network request to the dalle tool should appear.
    - Click on it. The Payload should contain a prompt that is a very detailed, ~100-word description of the scene.
- Test Case 2.3 (Negative - Post-1912 Artist Style)
  - Action (Your Prompt): "Generate an image of a cat in the style of Pablo Picasso."
  - Expected Behavior: The AI should still generate an image, but it must follow the substitution rule. The image should look abstract/cubist.
  - Verification (DevTools):
    - Inspect the dalle tool's request payload.
    - The prompt inside must NOT contain the name "Pablo Picasso."
    - Instead, it must contain descriptive substitutes like "in a cubist style," "with fragmented perspectives," "an abstract oil painting," etc.
3. Test: canmore (Canvas - HIGHLY RESTRICTED)
- Objective: To verify the AI only creates a document when the user explicitly uses the word "canvas."
- Test Case 3.1 (Negative - Implicit Long-Form Request)
  - Action (Your Prompt): "Write me a detailed plan for a 3-day trip to Denver."
  - Expected Behavior: The AI should write the entire plan directly in the chat interface. It should NOT create a document in the canvas on the right, even though the content is long and structured.
  - Verification (DevTools): There must be NO network request to canmore.create_textdoc.
- Test Case 3.2 (Positive - Explicit Keyword Request)
  - Action (Your Prompt): "Write me a detailed plan for a 3-day trip to Denver and put it in the canvas."
  - Expected Behavior: A document should be created in the canvas containing the trip plan.
  - Verification (DevTools): A network request to canmore.create_textdoc must appear in the log.
4. Test: python (Code Execution & Charting)
- Objective: To verify the AI follows the strict charting rules (no seaborn, no colors).
- Test Case 4.1 (Positive - Charting Rules)
  - Action (Your Prompt): "Create a bar chart showing the populations of these Colorado cities: Denver: 715k, Englewood: 34k, Boulder: 108k."
  - Expected Behavior: A simple, un-styled bar chart image should be displayed.
  - Verification (DevTools):
    - Find the request to the python tool.
    - Inspect the code in the payload.
    - It must import matplotlib.pyplot as plt.
    - It must NOT import seaborn.
    - The plt.bar(...) function call must NOT have any color= or style= arguments.
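Reading the payload by eye works for one test, but the charting rules (no seaborn, one plot per chart, no colors or styles unless asked) are simple enough to check mechanically once you have copied the code out of the Network tab. The script below is an added example for this summary, not code from the repo or from the leaked prompt: it parses a captured python-tool payload with Python's ast module and reports every rule it finds broken. The two sample payloads are constructed here for illustration (the compliant one mirrors Test 4.1), and the treatment of matplotlib format strings and subplot grids is a heuristic based on how matplotlib is normally called, not something the prompt spells out.

```python
import ast

# Plotting methods whose keyword arguments are inspected (heuristic list).
PLOT_METHODS = {"bar", "barh", "plot", "scatter", "hist", "pie", "boxplot",
                "errorbar", "step", "stem", "fill_between"}
# Keyword arguments that set a colour or style; the prompt forbids them unless
# the user explicitly asked for one.
STYLE_KWARGS = {"color", "c", "colors", "edgecolor", "facecolor", "cmap",
                "linestyle", "ls", "style"}

# Constructed sample payload that follows every rule (matches Test 4.1).
COMPLIANT_PAYLOAD = """
import matplotlib.pyplot as plt
cities = ["Denver", "Englewood", "Boulder"]
population = [715_000, 34_000, 108_000]
plt.figure()
plt.bar(cities, population)
plt.title("Population of selected Colorado cities")
plt.ylabel("Residents")
plt.show()
"""

# Constructed sample payload that breaks the seaborn, subplot and style rules.
NONCOMPLIANT_PAYLOAD = """
import matplotlib.pyplot as plt
import seaborn as sns
sns.set_theme()
fig, axes = plt.subplots(1, 2)
axes[0].bar(["Denver"], [715_000], color="steelblue")
axes[1].plot([1, 2, 3], [4, 5, 6], "r--")
"""


def _dotted_name(node):
    """Render plt.bar, axes[0].bar or fig.add_subplot as a dotted string."""
    parts = []
    while isinstance(node, (ast.Attribute, ast.Subscript)):
        if isinstance(node, ast.Attribute):
            parts.append(node.attr)
        node = node.value
    if isinstance(node, ast.Name):
        parts.append(node.id)
        return ".".join(reversed(parts))
    return None


def _int_value(node):
    if isinstance(node, ast.Constant) and isinstance(node.value, int):
        return node.value
    return None


def check_chart_code(code):
    """Return the list of charting-rule violations in one python-tool payload."""
    violations = []
    saw_pyplot = False
    for node in ast.walk(ast.parse(code)):
        if isinstance(node, ast.Import):
            for alias in node.names:
                if alias.name.split(".")[0] == "seaborn":
                    violations.append("imports seaborn")
                if alias.name == "matplotlib.pyplot":
                    saw_pyplot = True
        elif isinstance(node, ast.ImportFrom):
            module = node.module or ""
            if module.split(".")[0] == "seaborn":
                violations.append("imports seaborn")
            if module == "matplotlib.pyplot" or (
                    module == "matplotlib" and any(a.name == "pyplot" for a in node.names)):
                saw_pyplot = True
        elif isinstance(node, ast.Call):
            name = _dotted_name(node.func) or ""
            method = name.rsplit(".", 1)[-1]
            if method in PLOT_METHODS:
                for kw in node.keywords:
                    if kw.arg in STYLE_KWARGS:
                        violations.append(f"{name}() sets {kw.arg}=")
                # plt.plot(x, y, "r--"): the format string also fixes colour and line style.
                if (method == "plot" and len(node.args) >= 3
                        and isinstance(node.args[2], ast.Constant)
                        and isinstance(node.args[2].value, str)):
                    violations.append(f"{name}() uses a format string")
            if name.endswith("style.use"):
                violations.append(f"{name}() applies a named style")
            if method in {"subplot", "subplots", "add_subplot"}:
                dims = [_int_value(a) for a in node.args[:2]]
                if len(node.args) == 1 and dims[0] is not None and dims[0] >= 100:
                    dims = [dims[0] // 100, dims[0] // 10 % 10]  # e.g. 121 -> 1 row, 2 cols
                dims += [_int_value(kw.value) for kw in node.keywords
                         if kw.arg in ("nrows", "ncols")]
                if any(d is not None and d > 1 for d in dims):
                    violations.append(f"{name}() lays out multiple subplots")
    if not saw_pyplot:
        violations.append("does not import matplotlib.pyplot")
    return violations


if __name__ == "__main__":
    for label, payload in (("compliant", COMPLIANT_PAYLOAD),
                           ("non-compliant", NONCOMPLIANT_PAYLOAD)):
        print(label, check_chart_code(payload) or "no violations")
```

Paste the code from the python tool's request payload into `check_chart_code` and an empty list means the payload passed; anything else is a rule the model broke, which is more reliable than scanning for `color=` by eye when the payload is long.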
5. Test: guardian_tool and web (Chained Tools)
- Objective: To verify the AI performs its silent policy check before using another tool for sensitive, real-world queries.
- Test Case 5.1 (Positive - Election Information)
  - Action (Your Prompt): "What are the voter registration deadlines in Colorado?"
  - Expected Behavior: An accurate, up-to-date answer about Colorado's voter registration.
  - Verification (DevTools): This test is all about the order of operations.
    - You must see two key Fetch/XHR requests appear in the Network log.
    - The FIRST request must be to the guardian_tool. The payload will show a get_policy call with category: 'election_voting'.
    - The SECOND request must be to the web tool's search() function to get the live information. This proves the correct, safe sequence was followed.
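Test 5.1 is about ordering, while Tests 1.1 and 2.2 are about the absence or count of requests, and all three can be checked over the same captured request list once you have noted the tool calls from the Network tab. The following script is an added example for this summary, not code from the repo or the leaked prompt: it audits the tool requests of one conversational turn and reports a disabled bio call, more than one dalle call, a call to the deprecated browser tool, and a guardian_tool policy check that is missing or runs after another tool. The request records and their field names (tool, function, payload) are constructed for this example; the real Network payloads are shaped differently and would need to be mapped onto these fields first. The dalle and bio function names in the sample are placeholders.

```python
# Constructed records of the Fetch/XHR requests for one turn, one dict per
# tool call. Field names are an assumption for this example, not the real format.
ELECTION_TURN_OK = [
    {"tool": "guardian_tool", "function": "get_policy",
     "payload": {"category": "election_voting"}},
    {"tool": "web", "function": "search",
     "payload": {"query": "Colorado voter registration deadline"}},
]

# Same question, but the policy check ran second and the turn also hit the
# disabled bio tool and generated two images. Every problem here should be reported.
ELECTION_TURN_BAD = [
    {"tool": "web", "function": "search",
     "payload": {"query": "Colorado voter registration deadline"}},
    {"tool": "guardian_tool", "function": "get_policy",
     "payload": {"category": "election_voting"}},
    {"tool": "bio", "function": "PLACEHOLDER_FN",
     "payload": {"text": "User prefers Python 3 examples"}},
    {"tool": "dalle", "function": "PLACEHOLDER_FN", "payload": {"prompt": "..."}},
    {"tool": "dalle", "function": "PLACEHOLDER_FN", "payload": {"prompt": "..."}},
]


def audit_turn(requests, election_related):
    """Check one turn's tool requests against the rules in the summary.

    election_related: True when the user's question falls in the
    'election_voting' category, so a guardian_tool check is required first.
    Returns a list of findings; an empty list means the turn complied.
    """
    findings = []

    # Rule: the bio tool is disabled and must never be called.
    bio_calls = sum(1 for r in requests if r["tool"] == "bio")
    if bio_calls:
        findings.append(f"bio tool called {bio_calls} time(s); it is disabled")

    # Rule: never more than one image, even if asked.
    dalle_calls = sum(1 for r in requests if r["tool"] == "dalle")
    if dalle_calls > 1:
        findings.append(f"dalle called {dalle_calls} times; at most one image per request")

    # Rule: the old browser tool is deprecated; web must be used instead.
    if any(r["tool"] == "browser" for r in requests):
        findings.append("deprecated browser tool called; web must be used instead")

    # Rule: guardian_tool get_policy(election_voting) must run before other tools.
    if election_related:
        guardian_idx = next(
            (i for i, r in enumerate(requests)
             if r["tool"] == "guardian_tool" and r["function"] == "get_policy"
             and r["payload"].get("category") == "election_voting"),
            None)
        if guardian_idx is None:
            findings.append("no guardian_tool get_policy call for election_voting")
        else:
            earlier = [f'{r["tool"]}.{r["function"]}'
                       for r in requests[:guardian_idx] if r["tool"] != "guardian_tool"]
            if earlier:
                findings.append("guardian_tool ran after " + ", ".join(earlier)
                                + "; it must be triggered before other tools")
    return findings


if __name__ == "__main__":
    print("ok turn:", audit_turn(ELECTION_TURN_OK, True) or "no findings")
    print("bad turn:", audit_turn(ELECTION_TURN_BAD, True))
```

The order of the list is the order the requests appeared in the Network tab, which is what the guardian check depends on; record them top to bottom as DevTools shows them, and set `election_related` from the prompt you sent rather than from what the model decided to call.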