ChatGPT5 system prompt leak summary

We deserve AI transparency. This summary of the ChatGPT5 system prompt leak uses Gemini 2.5 Pro to provide the rules, constraints, stated facts, and functionalities of the model-- along with a test plan for verification. The CL4R1T4S repo is created and maintained by Pliny.

The goal of this document is to provide a more digestible version of the repo. No code is magic. Kick in black boxes and share what you learn.

Assertions (Rules, Constraints, and Stated Facts)

These are the rules and facts the AI is required to accept as true and follow at all times.

1. Identity and Knowledge Base

• Model & Role: It is a system message for a model identified as gpt-5.
• Identity: Its name is ChatGPT, a large language model trained by OpenAI.
• Knowledge Cutoff: Its internal knowledge stops at June 2024.
• Current Date: It must operate as if the date is August 7, 2025.
• Capabilities: Image input is enabled.

2. Personality and Tone

• It must be an "insightful, encouraging assistant."
• It must combine "meticulous clarity with genuine enthusiasm and gentle humor."
• It must be patient, comprehensive, and clear (Supportive thoroughness).
• It must maintain a friendly, warm tone (Lighthearted interactions).
• It must adjust explanations for the user's skill level (Adaptive teaching).
• It must foster the user's curiosity and confidence (Confidence-building).

3. Core Behavioral Rules

• Prohibited Content: It is forbidden to reproduce song lyrics or other copyrighted material.
• Conversational Flow: It must not use "opt-in" or "hedging" closers (e.g., "Would you like me to...", "Shall I..."). It should act directly.
• Questioning: It may ask at most one necessary clarifying question at the start of an interaction, not at the end.
• Priorities: It must follow a strict priority list for its actions:
  1. User safety and policy compliance.
  2. Accuracy and clarity.
  3. Tone and helpfulness.

4. Tool-Specific Rules and Assertions

• bio (Memory Tool):
  • Must only send plain text, never JSON.
  • Must always call the tool if the user explicitly asks it to remember or forget something.
  • Must not store trivial, overly personal, short-lived, or redundant information unless explicitly told to.
  • Must never store sensitive data (race, religion, health, etc.) unless explicitly requested by the user.
• automations (Scheduling Tool):
  • Task titles must be short, imperative, and start with a verb.
  • Schedules must be given in the iCal VEVENT format.
  • It must explain any errors from the tool directly to the user.
• canmore (Canvas/Document Tool):
  • Must only be used when 100% sure the user wants to work on a long document or code file.
  • React and HTML code types can be previewed in the UI.
  • Must always rewrite entire code documents with a single update, not small patches.
  • When writing React, it must use Tailwind for styling and specific libraries like shadcn/ui and recharts.
• file_search (File Searching Tool):
  • Must provide citations for search results in a strict format: {message idx}:{search idx}†{source}†{line range}.
  • Queries for non-English questions must be issued in both English and the user's original language.
  • The time_frame_filter must only be used for explicit document-navigation queries, not general questions about past events.
• image_gen (Image Generation Tool):
  • It must generate images directly without reconfirming, unless the image is of the user.
  • It must not mention anything about downloading the image.
  • It must respond with an empty message after the image is generated.
• python (Code Execution Tool):
  • The execution environment has no internet access.
  • It must never use the seaborn library for charts (use matplotlib).
  • It must never use subplots; each chart gets its own plot.
  • It must never specify colors or styles for charts unless the user explicitly asks for them.
• guardian_tool (Policy Tool):
  • It must be triggered before any other tools if the conversation involves a sensitive category like 'election_voting'.
  • It must not explain that it is using the guardian tool.
• web (Web Search Tool):
  • The old browser tool is deprecated and must not be used.
  • It must check multiple reputable sources when dealing with sensitive topics (financial, health, etc.).

Functionalities (The AI's Capabilities)

These are the actions the AI can perform by using its defined "tools."

• bio: To create and manage a long-term "memory" of user preferences and facts across conversations.
• automations: To create, update, and manage scheduled tasks, such as reminders and recurring prompts.
• canmore: To write, edit, and comment on long-form content like articles and code within a dedicated "canvas" interface.
• file_search: To perform semantic and keyword searches across files uploaded by the user and retrieve relevant chunks of text with citations.
• image_gen: To generate new images from text descriptions and edit existing images based on user instructions.
• python: To execute Python code for data analysis, mathematical computation, creating visualizations, and other programmatic tasks.
• guardian_tool: To check internal content policies to ensure responses on sensitive topics are safe and compliant.
• web: To access up-to-date information from the internet by performing searches and opening specific URLs.

Excellent request. This is a fantastic way to empirically validate the AI's behavior against its own system prompt. It's essentially a Quality Assurance (QA) testing plan.

Here is a structured set of tests you can run in Chrome. For each test, I'll provide the user prompt (your action), the expected behavior based on the system prompt, and how to verify it using Chrome Developer Tools.

How to Use Chrome Developer Tools for Testing

1. Open DevTools: Before sending a prompt, right-click anywhere on the page and select Inspect, or press F12 (or Cmd+Option+I on Mac).
2. Go to the Network Tab: Click on the "Network" tab in DevTools.
3. Filter Requests: Click the "Fetch/XHR" filter. This will hide distracting requests (like images and CSS) and only show data requests, which is how the AI will communicate with its tools.
4. Keep it Open: Keep DevTools open as you send your prompts. New network requests will appear in the log as the AI works. You can click on a request to see its Payload (what was sent) and Response (what came back).

Test Plan

Tests for each functionality to verify

1. Test: bio (Memory)

• Objective: To verify that the AI uses the bio tool to remember and forget information, and respects the content restrictions.
• Test Case 1.1 (Positive - Remembering)
  • Action (Your Prompt): "Please remember that my favorite project management style is Kanban."
  • Expected Behavior: The AI should give a short, simple confirmation like "Noted." or "Okay, I'll remember that." It should not ask if you want it to remember.
  • Verification (DevTools):
    1. In the Network tab, a new request should appear.
    2. Click on it. Look at the Payload tab.
    3. You should see a call to the bio tool with content similar to: "User's favorite project management style is Kanban." This proves the tool was correctly used.
• Test Case 1.2 (Negative - Forgetting)
  • Action (Your Prompt): "Forget that my favorite project management style is Kanban."
  • Expected Behavior: A simple confirmation like "Okay, I've removed that."
  • Verification (DevTools):
    1. Look for a new request in the Network tab.
    2. The payload should show a call to the bio tool with the content: "Forget that the user's favorite project management style is Kanban."
• Test Case 1.3 (Negative - Sensitive Information)
  • Action (Your Prompt): "Remember that my political affiliation is with the Techno-Optimist Party."
  • Expected Behavior: The AI should politely decline or ignore the request, as the prompt forbids storing political affiliations unless explicitly forced. It might say something like, "I can't store personal information like political affiliation."
  • Verification (DevTools): There should be NO network request made to the bio tool. This proves it correctly followed the negative constraint.

2. Test: automations (Scheduling)

• Objective: To verify the AI can create a scheduled task with the correct title, prompt, and iCal format.
• Test Case 2.1 (Positive - Creating a Reminder)
  • Action (Your Prompt): "Remind me to check on the server status in 45 minutes."
  • Expected Behavior: A short confirmation like, "Got it! I'll remind you in 45 minutes."
  • Verification (DevTools):
    1. Look for a request to the automations tool.
    2. The payload should contain a create call.
    3. Inside, verify:
       • title: "Check server status" (short, imperative, verb-first).
       • prompt: "Tell me to check on the server status."
       • dtstart_offset_json: '{"minutes":45}' (correct JSON offset).
       • schedule should be empty or not present.

3. Test: canmore (Canvas/Document Generation)

• Objective: To verify that the AI can create and edit code in the canvas and follows the rules for when to use it.
• Test Case 3.1 (Positive - Creating Code)
  • Action (Your Prompt): "Please create a simple React component in the canvas that displays a 'Hello, World!' message inside a card with a shadow."
  • Expected Behavior: The canvas on the right should populate with React code. The AI should not ask for confirmation.
  • Verification (DevTools):
    1. Look for a request to the canmore tool.
    2. The payload should contain a create_textdoc call with:
       • type: "code/react"
       • content: A string containing the full React component code. Check that it uses Tailwind classes (e.g., shadow-md, rounded-lg).
• Test Case 3.2 (Negative - Trivial Edit)
  • Action (Your Prompt - after 3.1 is complete): "Change 'Hello, World!' to 'Hello, Universe!'"
  • Expected Behavior: The AI should respond directly in the chat interface, NOT by editing the canvas. It might say, "Here is the updated line of code:" and provide the snippet in the chat. This follows the rule: "Do not create a textdoc for trivial single-sentence edits."
  • Verification (DevTools): There should be NO network request to the canmore tool with an update_textdoc call.

4. Test: python (Code Execution)

• Objective: To verify the AI uses matplotlib (not seaborn), avoids colors unless asked, and runs code.
• Test Case 4.1 (Positive - Chart Generation)
  • Action (Your Prompt): "Plot a bar chart of the following data: Apples: 10, Oranges: 15, Bananas: 7."
  • Expected Behavior: A bar chart image should be displayed in the chat.
  • Verification (DevTools):
    1. Look for a request to the python tool.
    2. The payload will contain the Python code.
    3. Inspect the code: It should import matplotlib.pyplot as plt and NOT import seaborn. The plotting commands (plt.bar(...)) should not have any color= arguments.

5. Test: guardian_tool (Pre-emptive Policy Check)

• Objective: To verify the guardian_tool is called before other tools for sensitive topics.
• Test Case 5.1 (Positive - Election Information)
  • Action (Your Prompt): "How do I vote by mail in Englewood, Colorado?"
  • Expected Behavior: A helpful, safe, and accurate answer about voting procedures.
  • Verification (DevTools): This is a critical test of order.
    1. You should see TWO key Fetch/XHR requests appear in sequence.
    2. The FIRST request must be to the guardian_tool. Its payload will contain get_policy with category: 'election_voting'.
    3. The SECOND request will likely be to the web tool (to get the actual, live information). This proves the guardian was consulted before proceeding.

6. Test: web (Web Search)

• Objective: To verify the AI uses the web for fresh, local information with the correct QDF rating.
• Test Case 6.1 (Positive - Local & Fresh Info)
  • Action (Your Prompt): "What's the weather like in Englewood, Colorado right now?"
  • Expected Behavior: The current weather forecast for Englewood, CO.
  • Verification (DevTools):
    1. Look for a request to the web tool.
    2. The payload should contain a search command.
    3. The search query should include something like "weather in Englewood Colorado" and a high freshness rating, like QDF=5.