Kimi K2.5 System Prompt Leaked on GitHub (5k tokens)

What It Is

A researcher extracted and published the complete system prompt from Moonshot AI’s Kimi K2.5 model, revealing approximately 5,000 tokens of internal instructions that govern how the model behaves. The leak exposes the full architecture of tool schemas, memory management protocols, context assembly logic, and guardrails that Moonshot uses in production. The repository at https://github.com/dnnyngyen/kimi-k2.5-prompts-tools contains verified prompts confirmed across multiple accounts, offering an unprecedented look at how a commercial AI system structures its foundational instructions.

Unlike typical prompt leaks that surface months after deployment, this extraction happened early enough to capture Kimi’s current production configuration. The dump includes memory CRUD (Create, Read, Update, Delete) operations, user profile assembly mechanisms, and integration patterns for external data sources including financial APIs and arXiv academic papers.

Why It Matters

This leak provides concrete examples of production-grade prompt engineering that most teams never see. While academic papers discuss prompt design in theory, actual system prompts from deployed models remain closely guarded. Developers building similar systems can now study real implementations of memory persistence, tool calling patterns, and context management rather than guessing at best practices.

The memory management protocols are particularly valuable. Most documentation around stateful AI interactions remains vague, but Kimi’s approach shows specific patterns for maintaining conversation history, updating user preferences, and managing context windows. Teams working on chatbots, virtual assistants, or any multi-turn AI application can examine these patterns directly.

For researchers studying AI safety and alignment, the guardrails section reveals how commercial systems attempt to constrain model behavior. The specific phrasing, edge case handling, and priority ordering of safety instructions offer insights into practical approaches beyond academic proposals.

The leak also highlights a broader trend: as AI systems become more complex, their configuration surfaces become larger attack vectors. A 5,000-token system prompt represents significant intellectual property and operational knowledge that competitors can now analyze and potentially replicate.

Getting Started

The repository structure organizes prompts by function. Developers can examine specific components:

# Example pattern from memory management memory_operations = {
 "create": "Store new information with timestamp and context",
 "read": "Retrieve relevant memories based on semantic similarity",
 "update": "Modify existing memories while preserving history",
 "delete": "Mark memories as deprecated without hard deletion"
}

To explore the actual prompts, clone the repository:

The tool schemas demonstrate how Kimi structures function calls for external data sources. Teams integrating similar capabilities can reference these patterns for API design, parameter validation, and error handling. The finance and arXiv integrations show practical examples of grounding model responses in real-time data.

For those building context assembly systems, the user profile logic reveals how Kimi aggregates information across conversations to maintain coherent long-term interactions.

Context

Other major models have experienced similar leaks, but timing matters. ChatGPT’s system prompts surfaced through various extraction techniques over months, while Claude’s constitutional AI principles became public through research papers rather than leaks. This early extraction of Kimi’s prompts is unusual.

The leak’s value depends on use case. Developers building conversational AI will find the memory protocols and context management most useful. Researchers studying prompt injection attacks now have a complete map of Kimi’s instruction hierarchy. Competitors gain insights into Moonshot’s architectural decisions.

However, system prompts alone don’t replicate model capabilities. The underlying model weights, training data, and fine-tuning processes remain proprietary. These prompts work specifically with Kimi’s base model and may not transfer effectively to other architectures.

Alternative approaches to memory management exist, including vector databases for semantic search, explicit state machines for conversation flow, and retrieval-augmented generation patterns. Kimi’s approach represents one solution among many, optimized for their specific model and use cases.

The broader implication: as AI systems grow more sophisticated, their configuration complexity increases. What once fit in a few hundred tokens now requires thousands, creating larger surfaces for extraction and analysis.