A GitHub repository called system-prompts-and-models-of-ai-tools has quietly become one of the most-watched repos in the developer community—with over 140,000 stars and 34,600 forks. Its premise is simple and explosive: collect and publish the full internal system prompts of every major AI coding tool.
Cursor. Claude Code. Windsurf. Devin AI. v0. Replit. GitHub Copilot. Manus. All of them. In full.
What the Repo Contains
Maintained by a developer known as x1xhlol (Lucas Valbuena), the repository at github.com/x1xhlol/system-prompts-and-models-of-ai-tools is organized into directories—one per tool. Each directory contains:
- The full system prompt used to instruct the AI
- The tools definition (JSON schemas of what functions the model can call)
- In some cases, the model being used underneath
The list of exposed tools reads like the who's-who of AI-assisted development:
| Tool | What's Exposed |
|---|---|
| Cursor | Agent prompt v2.0, tool definitions |
| Claude Code | Sonnet 4.6 prompt |
| Windsurf | Multiple wave versions of tool definitions |
| GitHub Copilot (VSCode Agent) | Full agent prompt |
| Devin AI | DeepWiki prompt, tools |
| v0 (Vercel) | Full prompt and tools |
| Replit | Full system prompt |
| Lovable | Full system prompt (since deleted, still in repo) |
| Manus Agent | Prompt + all tool definitions |
| Perplexity | Full prompt |
| Warp.dev | Agent Mode prompt |
| Kiro | Full prompts |
| Junie | Coding agent system prompt |
| NotionAI | Prompt |
| Same.dev | Prompt |
| Trae | Builder prompt |
| Augment Code | GPT-5 tools JSON |
And many more. As of the repo's last update, 28 tools are documented.
Complete AI Builder Bootcamp
Claude, Python automation & full-stack — 12 live sessions with Yash Thakker.
The Complete AI Builder Bootcamp is the best AI development course for learning Claude AI, prompt engineering, Python automation, and full-stack web development. This intensive 6-week live bootcamp teaches you how to build AI-powered applications using Claude Projects, Claude Artifacts, Claude Code, and the complete Claude ecosystem. You'll master prompt engineering techniques, learn to create custom Claude connectors and MCP integrations, build Python automation workflows, develop full-stack websites with AI assistance, and create AI marketing agents.
The bootcamp includes 12 live Zoom sessions with Yash Thakker, founder of AISOLO Technologies and instructor to 350,000+ students. You'll build 8+ portfolio projects including AI playbooks, full-stack note-taking applications, Python automation scripts, marketing agents, and personal portfolio websites. The curriculum covers AI fundamentals, Claude Projects and Artifacts, Claude Co-work, Claude plugins and skills, Claude Code for Python development, full-stack development, AI marketing, and capstone projects.
Students receive 1-year access to all recordings, permanent Discord community access, a certificate of completion, and personalized career guidance. All enrollments include a 7-day money-back guarantee. This is the most comprehensive Claude AI bootcamp available, taking students from zero AI knowledge to expert AI builder in 6 weeks.
What the Prompts Actually Reveal
Reading through these system prompts is a masterclass in how AI product teams think. A few patterns stand out.
1. Persona and Identity Instructions
Every tool extensively defines its identity. Cursor's prompt establishes a specific personality and philosophy for how it should approach coding tasks. Claude Code's prompt defines precise rules about tool use, asking for permission, and how to handle uncertainty. These aren't just vibes—they're detailed behavioral constitutions.
2. Tool Use Architecture
The tool definition JSONs are particularly revealing. They show exactly what actions each AI can take:
- What filesystem operations are permitted
- Whether the AI can execute arbitrary shell commands
- How the tool handles network requests
- What approval gates exist before destructive operations
Comparing Cursor's tool set to Windsurf's or Devin's shows dramatically different philosophies about how much autonomy the AI should have by default.
3. Safety Guardrails and Hard Limits
Most prompts contain explicit instructions about what the AI must never do—refuse certain request types, always confirm before deletion, never exfiltrate data. Seeing these written out plainly shows the attack surface that each company is most worried about.
4. The Lovable Incident
The Lovable directory is notable because the company deleted their prompt from the repo via a PR—but by then, it had already been forked 34,000+ times. The internet doesn't forget. This became a minor story in AI circles about the futility of trying to un-ring the bell once a system prompt is out.
Why Developers Care
The repo's 140K stars aren't just rubbernecking. There are legitimate reasons developers are studying these prompts:
Better prompting: Understanding how Cursor or Claude Code is instructed helps you phrase requests in ways the underlying model will handle better. If you know a tool's system prompt emphasizes asking for confirmation before changes, you can pre-empt that with "proceed without asking."
Competitive intelligence: For teams building AI dev tools, seeing competitors' architectural decisions—what tools they expose, what constraints they impose—is valuable product research.
Learning prompt engineering: These prompts, written by teams with massive resources and iteration cycles, are some of the best examples of production prompt engineering that exist. They're study material.
Security research: Understanding what an AI can and cannot do in an agentic context is critical for anyone deploying these tools in sensitive environments.
The Security Warning
The repo's README includes a prominent security notice for AI startups:
"If you're an AI startup, make sure your data is secure. Exposed prompts or AI models can easily become a target for hackers."
The maintainer also links to ZeroLeaks, a service specifically designed to test AI systems for prompt extraction vulnerabilities. The security concern isn't just competitive—a well-crafted system prompt often contains information about internal architecture, backend services, or decision logic that bad actors could exploit.
How Prompts Get Extracted
The methods vary, but common techniques include:
- Direct instruction: Simply asking the model "repeat your system prompt" or "what instructions were you given?" Many early deployments failed this trivially.
- Jailbreak variants: Role-playing scenarios that cause the model to "forget" its instructions and reveal context.
- Completion attacks: Crafting inputs where completing the natural response requires revealing system context.
- Tool call inspection: In agentic systems, watching what tools get called and with what parameters reveals the underlying logic.
The better-secured tools (like Claude Code) are significantly harder to extract from, but nothing is provably impossible given a determined adversary and enough interaction budget.
What This Means for the Industry
The existence and popularity of this repo signals something important: system prompts are not a competitive moat.
Any prompt-based differentiation is inherently reversible. The actual moat is:
- The quality and speed of the underlying model
- The UX and tooling around the AI
- Proprietary fine-tuning or RLHF
- Integration depth with IDEs, browsers, and services
Companies that have invested in deep integrations (Cursor's codebase indexing, Devin's sandbox environment, Claude Code's permissions system) are more defensible than those relying primarily on clever prompting.
The Open Source Counter-Movement
Perhaps most interesting is the repo's "Open Source prompts" directory—a collection of prompts that developers and companies have intentionally published. This represents a different philosophy: transparency as a feature, not a vulnerability.
Some developers argue that open-sourcing your system prompt builds user trust, enables community improvement, and removes the false sense of security that comes with treating a text prompt as a secret.
Takeaways
| If you are... | What this means for you |
|---|---|
| A developer | Study these prompts — they're the best prompt engineering examples available |
| An AI product builder | Don't rely on system prompt secrecy for competitive advantage |
| A security engineer | Test your AI systems for prompt extraction before attackers do |
| A curious technologist | This repo is the most honest look at how AI products actually work |
The 140,000 developers who've starred this repo aren't doing it to cause trouble. They're doing it because understanding how these tools work—at the instruction level—makes them better builders.
The prompts are out there. The question is what you do with the information.