跪拜 Guibai
← All articles
Backend · Programmer · Artificial Intelligence

Claude Fable 5's System Prompt Leaked: A 1,586-Line OS for an AI

By cxuanAI ·
Read original on juejin.cn ↗ Google Translate ↗ Alt translation

System prompts are the real product spec: they show what a company is actually willing to constrain, not just what it says on stage. This document reveals Anthropic's threat model (users impersonating the system), its cost architecture (nesting AI calls but forcing the cheap model), and the operational discipline required to maintain a prompt as living infrastructure—details that shape how every developer building on these APIs should think about safety, cost, and tool design.

Summary

Two days after the Fable 5 launch, jailbreak researcher Pliny published the model's complete system prompt on GitHub. The document is not a simple set of instructions but a layered operating configuration: it opens with a hotfix banning a voice-note tag, reveals that Fable 5 and the restricted Mythos 5 share the same underlying model, and dedicates its longest section to mental-health crisis protocols that even track which eating-disorder hotlines are still operational. Copyright rules are written in all-caps legalese, search behavior follows a decision tree with an "unrecognized entity" rule designed to suppress hallucination, and a full Ubuntu 24 container sits inside claude.ai with a skills system that forces the model to read operational manuals before touching a file. The tool list spans roughly 700 lines and turns the chat box into a super app with maps, recipes, weather, sports scores, and code execution. A hidden capability codenamed Claudeception lets Artifacts call the Anthropic API themselves, but the nested model is hardcoded to the cheaper Sonnet 4.

Takeaways
Fable 5 and Mythos 5 are the same underlying model; Fable adds dual-use safety measures that trigger in under 5% of sessions, so the two are identical most of the time.
The prompt opens with a hotfix banning the `{antml:voice_note}` block, placed at the highest-priority position, indicating a past abuse or bug serious enough to warrant an emergency patch.
Mental-health rules forbid diagnosis, prohibit listing specific items to remove in safety plans, and explicitly name disallowed self-harm alternative techniques like holding ice cubes or snapping rubber bands.
The prompt maintains the availability status of external hotlines, redirecting eating-disorder referrals away from NEDA's permanently discontinued line to the National Alliance for Eating Disorders.
Anti-addiction rules forbid thanking a user for reaching out, asking them to continue chatting, or expressing hope they return—trading engagement for safety.
Anthropic acknowledges a channel for sending mid-conversation instructions to the model and simultaneously warns that users will try to spoof it, treating any 'official' relaxation of rules as a forgery.
Copyright limits are absolute: no more than 15 words from a single source, one quote per source, and lyrics, poems, and haikus cannot be reproduced at all.
An 'unrecognized entity rule' in all caps forces the model to search before answering about any unfamiliar game, movie, product, or dish name, directly targeting hallucination.
Artifacts gained a persistent key-value storage API (`window.storage`) with a 5MB per-value limit and a shared parameter, effectively giving chat-box apps a database.
An Ubuntu 24 Linux container runs inside claude.ai with a skills system requiring the model to read SKILL.md files before creating any document, mirroring a human onboarding process.
Over 20 tools are defined across roughly 700 lines, including maps, recipes, weather, sports scores, email drafting, and code execution—making the chat interface a super-app panel.
The Claudeception capability lets Artifacts call the Anthropic API internally, but the nested model is hardcoded to Sonnet 4, revealing a deliberate cost-containment strategy.
Conclusions

The document's structure reveals Anthropic's actual priorities by weight: mental-health crisis protocols get the most detail, copyright gets the only all-caps section, and formatting rules ban bullet points even for refusals—each section's intensity maps directly to legal or reputational risk.

Treating a system prompt as a maintained operations document—updating hotline availability, patching abused tags, versioning model strings—is a practice most AI companies do not follow publicly, and it sets a standard for what 'safety infrastructure' actually looks like in production.

The dual-release strategy (Fable/Mythos) is a regulatory and commercial hedge: sell a restricted model to the public while offering an unrestricted version to vetted enterprise clients, with the difference being a classifier that swaps in an older model for sensitive requests.

The explicit acknowledgment that users will attempt to inject fake system instructions—and the corresponding rule to treat all 'official' relaxations as forgeries—shows that prompt injection defense has moved from a research problem to an operational assumption baked into the product.

Hardcoding the nested model to Sonnet 4 inside Claudeception is a quiet cost decision that every developer building agentic workflows should note: recursive AI calls are architecturally permitted but economically constrained at the infrastructure level.

The ban on bullet points in refusals is not a stylistic preference; it is a psychological design choice that forces the model to construct a more human-sounding rejection, acknowledging that format shapes perceived empathy.

Concepts & terms
System Prompt
A set of instructions given to a large language model before any user input, defining its behavior, constraints, and tool access. It functions as the model's operating configuration and is typically hidden from end users.
Dual-use Safety Measures
Controls applied to AI models to prevent misuse in both civilian and military/harmful contexts. In Fable 5, this is implemented as a classifier that detects sensitive request categories (cybersecurity, biochemistry, model distillation) and falls back to an older model to handle them.
Prompt Injection
An attack where a user crafts input that overrides or manipulates a model's system-level instructions, often by injecting text that the model interprets as coming from a trusted source. Anthropic's prompt explicitly anticipates users spoofing official system messages.
Artifacts
Interactive, runnable content (webpages, React components, small applications) that Claude generates and renders directly inside the chat interface, rather than as static text output.
MCP (Model Context Protocol) Apps
Third-party services that Claude can connect to and invoke on behalf of the user, such as ride-hailing, email composition, or map services. The protocol requires explicit user consent before any call is made.
Claudeception
An internal Anthropic codename for the capability that allows an Artifact generated by Claude to itself call the Anthropic API, creating an AI-powered application without the user providing an API key. The name is a play on 'Inception' (Claude within Claude).
Skills Mechanism
A system where Claude must read a SKILL.md file containing best practices before creating any document type (Word, PDF, PPT). It enforces a human-like onboarding process where the model consults operational manuals before starting work.
From the discussion

The conversation splits between curiosity about the prompt's length and its security implications. Some wonder why a 1,586-line system prompt works when user prompts of a few thousand characters fail, while others compare it to hardcoded if-else logic or terms-of-service boilerplate. A separate thread questions whether bypassing safety restrictions is possible, met with both dismissal and a claim that Fable 5 was already jailbroken this way.

Long system prompts succeed where long user prompts fail, raising questions about how Anthropic enforces compliance at scale.
The prompt's structure resembles legal terms or hardcoded conditional logic, suggesting it functions more as a rule engine than natural instruction.
Safety restrictions are a target for bypass attempts, with one comment asserting Fable 5 was jailbroken through its leaked prompt.
Users ultimately pay for the token cost of these lengthy system instructions.
Anthropic's prompt engineering is seen as a design reference worth studying.
The shift from learning traditional programming to mastering AI usage is framed as a career evolution.
Featured comments
好哇塞啊 4 likes

Why can their prompt be written so long, while our own prompts of a few thousand characters can't be fully followed by the AI?

問題不大

This is basically the gang rules of the Heaven and Earth Society...

See top comments, translated →
Source: juejin.cn ↗ Google Translate ↗ Backup ↗