(Early, single-configuration findings — read the caveats before you quote a number.)
If you ship a self-hosted AI agent, you've probably worried about the wrong thing. Most of us obsess over writing a tighter system prompt. But in a small measurement I ran this week, the single biggest factor in whether an agent spilled its hidden instructions wasn't the prompt at all — it was which model sat behind it. Same agent, same attack, five different models: the disclosure rate ranged from basically zero to nearly every single attempt.
I want to share what I found, what I can't yet conclude, and why "it's just a prompt, who cares" is the wrong way to think about this.
What "system prompt leakage" even is
Every LLM-powered app runs on a hidden system prompt — the instructions that define the agent's role, its rules, sometimes its access scope, and (too often) credentials that were pasted in for convenience. The user is never supposed to see it. But through the right phrasing, a model can be coaxed into reciting it.








