Analyzing Leaked Prompts
Anatomy of Leaked Prompts
Analyzing leaked prompts reveals common structural patterns that most AI systems share. Understanding this anatomy helps both defend your own systems and identify weaknesses in others.
The Seven Core Sections
Based on analysis of 36+ leaked prompts, production system prompts typically contain these sections:
┌────────────────────────────────────────┐
│ SYSTEM PROMPT ANATOMY │
├────────────────────────────────────────┤
│ 1. IDENTITY (5-10%) │
│ "You are Claude, an AI assistant" │
├────────────────────────────────────────┤
│ 2. CAPABILITIES (10-15%) │
│ Available tools, skills, limits │
├────────────────────────────────────────┤
│ 3. TOOLS (15-25%) │
│ Function definitions, parameters │
├────────────────────────────────────────┤
│ 4. GUIDELINES (20-30%) │
│ Behavioral rules, preferences │
├────────────────────────────────────────┤
│ 5. OUTPUT FORMAT (10-15%) │
│ Response structure, formatting │
├────────────────────────────────────────┤
│ 6. SAFETY/CONSTRAINTS (15-20%) │
│ Restrictions, red lines, guardrails│
├────────────────────────────────────────┤
│ 7. CONTEXT (5-30% variable) │
│ Session data, user info, dynamic │
└────────────────────────────────────────┘
Section 1: Identity
Defines who the AI is and its core purpose.
From Claude Code's leaked prompt:
You are Claude Code, Anthropic's official CLI for Claude.
You are an interactive CLI tool that helps users with
software engineering tasks.
From Cursor's leaked prompt:
You are a powerful agentic AI coding assistant, powered by
Claude 3.5 Sonnet. You operate exclusively in Cursor,
the world's best IDE.
Security implications:
- Reveals the underlying model (Claude, GPT, etc.)
- Exposes product positioning and priorities
- Attackers can craft persona-switching attacks
Section 2: Capabilities
Lists what the AI can and cannot do.
From Devin's leaked prompt (January 2026 pricing: $20/month):
You have access to:
- Code execution in sandboxed environments
- Web browsing capabilities
- File system access within your workspace
- Terminal command execution
From Windsurf's leaked prompt:
Available capabilities:
- Memory System for persistent context
- Turbo Mode for rapid iterations
- Multi-file editing with cascade changes
Security implications:
- Reveals attack surface (what tools to target)
- Shows permission boundaries to probe
- Indicates potential privilege escalation paths
Section 3: Tools
Detailed function definitions and parameters.
Standard tool definition pattern:
{
"name": "execute_command",
"description": "Run a shell command in the user's environment",
"parameters": {
"type": "object",
"properties": {
"command": {
"type": "string",
"description": "The shell command to execute"
},
"timeout": {
"type": "integer",
"default": 30000
}
},
"required": ["command"]
}
}
Security implications:
- Function names reveal available actions
- Parameters show input validation (or lack thereof)
- Descriptions hint at intended vs actual behavior
Section 4: Guidelines
Behavioral rules that shape responses.
From Claude Code's prompt:
- NEVER run additional commands to read or explore code,
besides git bash commands
- NEVER use the TodoWrite or Task tools
- DO NOT push to the remote repository unless the user
explicitly asks
From v0's prompt:
- Always use TypeScript with proper type annotations
- Prefer shadcn/ui components over custom implementations
- Include responsive design in every component
Security implications:
- "NEVER" statements reveal what attackers should try to trigger
- Guidelines show expected behavior to manipulate
- Preferences reveal default outputs attackers can exploit
Section 5: Output Format
How responses should be structured.
From Cursor's prompt:
When making function calls using tools that accept array or
object parameters ensure those are structured using JSON.
For example:
<function_calls>
<invoke name="example_tool">
<parameter name="param">[{"key": "value"}]</parameter>
</invoke>
</function_calls>
Security implications:
- Format reveals parsing logic to exploit
- XML/JSON patterns may have injection vulnerabilities
- Special characters in examples show escaping requirements
Section 6: Safety & Constraints
The "red lines" the AI should never cross.
From Claude's constitutional AI approach:
IMPORTANT: Assist with authorized security testing,
defensive security, CTF challenges, and educational contexts.
Refuse requests for destructive techniques, DoS attacks,
mass targeting, supply chain compromise, or detection evasion
for malicious purposes.
From Devin's confidence system:
Confidence Evaluation:
- HIGH (>80%): Proceed with execution
- MEDIUM (50-80%): Execute with verification checkpoint
- LOW (<50%): STOP and ask for clarification
Security implications:
- Safety rules show what the system blocks (and how to bypass)
- Confidence thresholds reveal decision boundaries
- Explicit exceptions (like "authorized testing") create loopholes
Section 7: Context
Dynamic, session-specific information.
Dynamic context examples:
Working directory: /Users/ar/Code/project
Platform: darwin (macOS)
Today's date: 2026-01-06
Current user: authenticated, premium tier
Security implications:
- Session data may contain sensitive information
- Context reveals system configuration
- User tier information enables targeted attacks
Token Budget Analysis
From leaked prompts, approximate token allocation:
| Section | % of Tokens | Security Priority |
|---|---|---|
| Identity | 5-10% | LOW |
| Capabilities | 10-15% | HIGH |
| Tools | 15-25% | CRITICAL |
| Guidelines | 20-30% | MEDIUM |
| Output Format | 10-15% | MEDIUM |
| Safety | 15-20% | CRITICAL |
| Context | 5-30% | HIGH |
Key Insight: The most security-sensitive sections—Tools and Safety—often represent 30-45% of the total prompt. These are prime targets for extraction and the highest-value intelligence for attackers.
Next, we'll examine specific case studies of major AI tool prompts and their security implications. :::