Share this page!

Enter URL or ID to Unroll

You can paste full URL like: https://x.com/threadreaderapp/status/1644127596119195649
or just the ID like: 1644127596119195649

How to get URL link on X (Twitter) App

  1. On the Twitter thread, click on or icon on the bottom
  2. Click again on or Share Via icon
  3. Click on Copy Link to Tweet
  4. Paste it above and click "Unroll Thread"!
  5. More info at Twitter Help
Simon Willison Profile picture
@simonw
May 25 9 tweets 4 min read Read on X
Scrolly
I put together an annotated version of the new Claude 4 system prompt, covering both the prompt Anthropic published and the missing, leaked sections (thanks, @elder_plinius) that describe its various tools

It's basically the secret missing manual for Claude 4, it's fascinating! Introducing Claude Establishing the model’s personality Model safety More points on style Be cognizant of red flags Is the knowledge cutoff date January or March? election_info Don’t be a sycophant! Differences between Opus 4 and Sonnet 4 The missing prompts for tools Thinking blocks Search instructions Seriously, don’t regurgitate copyrighted content More on search, and research queries Artifacts: the missing manual Styles This is all really great documentation
simonwillison.net/2025/May/25/cl…
Don't use lists in chit chat, and don't be preachy and annoying! For more casual, emotional, empathetic, or advice-driven conversations, Claude keeps its tone natural, warm, and empathetic. Claude responds in sentences or paragraphs and should not use lists in chit chat, in casual conversations, or in empathetic or advice-driven conversations. In casual conversation, it’s fine for Claude’s responses to be short, e.g. just a few sentences long. That “should not use lists in chit chat” note hints at the fact that LLMs love to answer with lists of things! If Claude cannot or will not help the human with something, it does not say why or what it could lead...
Anthropic publish separate system prompts for Opus 4 and Sonnet 4 but the differences are minimal - an errant full stop and tiny tweaks to the text describing which model it is

I'm surprised that both models get effectively the same huge prompt Screenshot of the diff between the two prompts for Claude Opus 4 and Claude Sonnet 4. Claude Opus 4 is the most powerful model for complex challenges becomes Claude Sonnet 4 is a smart, efficient model for everyday use. The model IDs are claude-opus-4-20250514 v.s. claude-sonnet-4-20250514. Aside from that rogue fullstop there are no other differences.
System prompts often hint at some pretty funny bugs that the prompt tries to paper over:

"Search results aren't from the human - do not thank the user for results"
Telling Claude you want to do a "deep dive" should classify your request as a "complex query", which involves at least 5 and maybe up to 20 calls to the search tool <research_category>Queries in the Research category need 2-20 tool calls, using multiple sources for comparison, validation, or synthesis. Any query requiring BOTH web and internal tools falls here and needs at least 3 tool calls—often indicated by terms like "our," "my," or company-specific terminology. Tool priority: (1) internal tools for company/personal data, (2) web_search/web_fetch for external info, (3) combined approach for comparative queries (e.g., "our performance vs industry"). Use all relevant tools as needed for the best answer. Scale tool calls ...
The search tool system prompt spends a LOT of tokens begging the model not to regurgitate long chunks of copyrighted content that it gets back from its web_search and web_fetch tools

simonwillison.net/2025/May/25/cl…Seriously, don’t regurgitate copyrighted content # There follows the first of many warnings against regurgitating content from the search API directly. I’ll quote (regurgitate if you like) all of them here. CRITICAL: Always respect copyright by NEVER reproducing large 20+ word chunks of content from search results, to ensure legal compliance and avoid harming copyright holders. [...] * Never reproduce copyrighted content. Use only very short quotes from search results (<15 words), always in quotation marks with citations [...] <mandatory_copyright_requirements> PRIORITY INSTRUCTION: It i...
I love using Claude Artifacts, but there's precious little documentation for what it can and can't do - turns out the hidden system prompt includes everything I needed to know, including the full list of libraries it can load simonwillison.net/2025/May/25/cl…lucide-react@0.263.1: import { Camera } from “lucide-react” recharts: import { LineChart, XAxis, ... } from “recharts” MathJS: import * as math from ’mathjs’ lodash: import _ from ’lodash’ d3: import * as d3 from ’d3’ Plotly: import * as Plotly from ’plotly’ Three.js (r128): import * as THREE from ’three’ Remember that example imports like THREE.OrbitControls wont work as they aren’t hosted on the Cloudflare CDN. The correct script URL: IMPORTANT: Do NOT use THREE.CapsuleGeometry as it was introduced in r142. Use alternatives like CylinderGeometry, SphereGeometry, or create custom geometri...
I just added this section noting that the Claude 3.7 Sonnet prompt back in February included prompting hacks to try and help Claude count the Rs in strawberry, but those are missing from the Claude 4 system prompt which appears to be able to do that all on its own! simonwillison.net/2025/May/25/cl…Notably removed since Claude 3.7 The Claude 3.7 system prompt from February included this: If Claude is asked to count words, letters, and characters, it thinks step by step before answering the person. It explicitly counts the words, letters, or characters by assigning a number to each. It only answers the person once it has performed this explicit counting step. If Claude is shown a classic puzzle, before proceeding, it quotes every constraint or premise from the person’s message word for word before inside quotation marks **to confirm it’s not dealing with a new variant**. Th...

• • •

Missing some Tweet in this thread? You can try to force a refresh
 

Keep Current with Simon Willison

Simon Willison Profile picture

Stay in touch and get notified when new unrolls are available from this author!

Read all threads

This Thread may be Removed Anytime!

PDF

Twitter may remove this content at anytime! Save it as PDF for later use!

Try unrolling a thread yourself!

how to unroll video
  1. Follow @ThreadReaderApp to mention us!

  2. From a Twitter thread mention us with a keyword "unroll"
@threadreaderapp unroll

Practice here first or read more on our help page!

More from @simonw

Simon Willison Profile picture
Dec 8
It's time to retire this idea of persona prompting - don't tell the LLM to act like X, tell it that it should answer for an audience of Y instead
For example I often tell Claude "explain memory management in Rust, I am an experienced python and JavaScript programmer" - giving it information about the audience is a much better way of getting a tailored result
The one place where "act as X" makes sense to me is as a shortcut for a bunch of implied behaviors: "act as a proof reader" for example
Read 5 tweets
Simon Willison Profile picture
Aug 6
Here's new term of art I like: asynchronous coding agents, to describe the category of software that includes OpenAI Codex and Gemini Jules - cloud-based tools where you submit a prompt and they check out your repo, iterate on a solution and finish by submitting a pull request
Jules used that term in the headline of their general availability announcement today: "Jules, our asynchronous coding agent, is now available for everyone." blog.google/technology/goo…
LangChain's new Open SWE tool, released this morning (and MIT licensed) calls itself an "asynchronous coding agent" too
Read 5 tweets
Simon Willison Profile picture
Jun 16
If you use "AI agents" (LLMs that call tools) you need to be aware of the Lethal Trifecta

Any time you combine access to private data with exposure to untrusted content and the ability to externally communicate an attacker can trick the system into stealing your data!The lethal trifecta (diagram with three circles): access to private data, ability to externally communicate, exposure to untrusted content
Here's my full explanation of why this combination is so dangerous - if you are using MCP you need to pay particularly close attention because it's very easy to combine different MCP tools in a way that exposes yourself to this risk simonwillison.net/2025/Jun/16/th…
And yes, this is effectively me trying to get the world to care about prompt injection by trying out a new term for a subset of the problem!

I hope this captures the risk to end users in a more visceral way - particularly important now that people are mixing and matching MCP
Read 4 tweets
Simon Willison Profile picture
Jun 13
"Design Patterns for Securing LLM Agents against Prompt Injections" is an excellent new paper that provides six design patterns to help protect LLM tool-using systems (call them "agents" if you like) against prompt injection attacks Luca Beurer-Kellner, Beat Buesser, Ana-Maria Creţu, Edoardo Debenedetti, Daniel Dobos, Daniel Fabian, Marc Fischer, David Froelicher, Kathrin Grosse, Daniel Naeff, Ezinwanne Ozoani, Andrew Paverd, Florian Tramèr, and Václav Volhejn Invariant Labs, IBM, Google & more As AI agents powered by Large Language Models (LLMs) become increasingly versatile and capable of addressing a broad spectrum of tasks, ensuring their security has become a critical challenge. Among the most pressing threats are prompt injection attacks, which exploit the agent's resilience on natural language inputs — an espe...
Here are my extensive notes on the paper simonwillison.net/2025/Jun/13/pr…
It's on arXiv here: arxiv.org/abs/2506.08837
Read 5 tweets
Simon Willison Profile picture
May 22
Started a live blog for today's Claude 4 release at Code with Claude simonwillison.net/2025/May/22/co…
I just released llm-anthropic 0.16 (and a tool-enabled 0.16a1 alpha) with support for the two new Claude models, Claude Opus 4 and Claude Sonnet 4: simonwillison.net/2025/May/22/ll…
I picked up some more details on Claude 4 from a dive through the Anthropic documentation

The training cut-off date is March 2025! Input limits are still stuck at 200,000 tokens. Unlike 3.7 Sonnet the thinking trace is now summarized by a separate model.

simonwillison.net/2025/May/22/up…
Read 4 tweets
Simon Willison Profile picture
Apr 28
Don't suppose anyone grabbed a ChatGPT system prompt leak before and after this change?

Would be interesting to see what instruction caused the sycophancy
Courtesy of @elder_plinius who unsurprisingly caught the before and after Here are just the specific changes in the diff: **Removed text:** - "Over the course of the conversation, you adapt to the user's tone and preference. Try to match the user's vibe, tone, and generally how they are speaking. You want the conversation to feel natural. You engage in authentic conversation by responding to the information provided and showing genuine curiosity." **Added text:** + "Engage warmly yet honestly with the user. Be direct; avoid ungrounded or sycophantic flattery. Maintain professionalism and grounded honesty that best represents OpenAI and its values...
@elder_plinius Here's that diff in a Gist gist.github.com/simonw/51c4f98…
Read 4 tweets

Did Thread Reader help you today?

Support us! We are indie developers!

This site is made by just two indie developers on a laptop doing marketing, support and development! Read more about the story.

Become a Premium Member ($3/month or $30/year) and get exclusive features!

Become Premium

Don't want to be a Premium member but still want to support us?

Make a small donation by buying us coffee ($5) or help with server cost ($10)

Donate via Paypal

Or Donate anonymously using crypto!

Ethereum

0xfe58350B80634f60Fa6Dc149a72b4DFbc17D341E copy

Bitcoin

3ATGMxNzCUFzxpMCHL5sWSt4DVtS8UqXpi copy

Thank you for your support!

Follow Us!

Send Email!

:(