Changes in the system prompt between Claude Opus 4.6 and 4.7(simonwillison.net)
59 pointsby pretext4 hours ago12 comments
  • embedding-shape2 hours ago
    > The new <acting_vs_clarifying> section includes: When a request leaves minor details unspecified, the person typically wants Claude to make a reasonable attempt now, not to be interviewed first.

    Uff, I've tried stuff like these in my prompts, and the results are never good, I much prefer the agent to prompt me upfront to resolve that before it "attempts" whatever it wants, kind of surprised to see that they added that

    • naasking41 minutes ago
      Seriously, when you're conversing with a person would you prefer they start rambling on their own interpretation or would you prefer they ask you to clarify? The latter seems pretty natural and obvious.

      Edit: That said, it's entirely possible that large and sophisticated LLMs can invent some pretty bizarre but technically possible interpretations, so maybe this is to curb that tendency.

      • embedding-shape31 minutes ago
        > The latter seems pretty natural and obvious.

        To me too, if something is ambigious or unclear when I'm getting something to do from someone, I need to ask them to clarify, anything else be borderline insane in my world.

        But I know so many people whose approach is basically "Well, you didn't clearly state/say X so clearly that was up to me to interpret however I wanted, usually the easiest/shortest way for me", which is exactly how LLMs seem to take prompts with ambigiouity too, unless you strongly prompt them to not "reasonable attempt now without asking questions".

      • gausswho33 minutes ago
        Socrates would agree: https://en.wikipedia.org/wiki/Socratic_method
  • walthamstowan hour ago
    The eating disorder section is kind of crazy. Are we going to incrementally add sections for every 'bad' human behaviour as time goes on?
    • WarmWash14 minutes ago
      When you are worth hundreds of billions, people start falling over themselves running to file lawsuits against you. We're already seeing this happen.

      So spending $50M to fund a team to weed out "food for crazies" becomes a no-brainer.

    • embedding-shapean hour ago
      Even better, adding it to the system prompt is a temporary fix, then they'll work it into post-training, so next model release will probably remove it from the system prompt. At least when it's in the system prompt we get some visibility into what's being censored, once it's in the model it'll be a lot harder to understand why "How many calories does 100g of Pasta have?" only returns "Sorry, I cannot divulge that information".
      • gchamonlive32 minutes ago
        Just assume each model iteration incorporates all the censorship prompts before and compile the possible list from the system prompt history. To validate it, design an adversary test against the items in the compiled list.
    • felixgalloan hour ago
      I mean, that's what humans have always done with our morals, ethics, and laws, so what alternative improvement do you have to make here?
    • idiotsecant28 minutes ago
      Imagine the kind of human that never adapts their moral standpoints. Ever. They believe what they believed when they were 12 years old.

      Letting the system improve over time is fine. System prompt is an inefficient place to do it, buts it's just a patch until the model can be updated.

  • ikidd26 minutes ago
    I had seen reports that it was clamping down on security research and things like web-scraping projects were getting caught up in that and not able to use the model very easily anymore. But I don't see any changes mentioned in the prompt that seem likely to have affected that, which is where I would think such changes would have been implemented.
    • kaoD6 minutes ago
      I wonder if the child safety section "leaks" behavior into other risky topics, like malware analysis. I see overlap in how the reports mention that once the safety has been tripped it becomes even more reluctant to work, which seems to match the instructions here for child safety.
    • embedding-shape21 minutes ago
      I think it depends on how badly they want to avoid it. Stuff that is "We prefer if the model didn't do these things when the model is used here" goes into the system prompt, meanwhile stuff that is "We really need to avoid this ever being in any outputs, regardless of when/where the model is used" goes into post-training.

      So I'm guessing they want none of the model users (webui + API) to be able to do those things, rather than not being able to do that just in the webui. The changes mentioned in the submission is just for claude.ai AFAIK, not API users, so the "disordered eating" stuff will only be prevented when API users would prompt against it in their system prompts, but not required.

  • sigmoid102 hours ago
    I knew these system prompts were getting big, but holy fuck. More than 60,000 words. With the 3/4 words per token rule of thumb, that's ~80k tokens. Even with 1M context window, that is approaching 10% and you haven't even had any user input yet. And it gets churned by every single request they receive. No wonder their infra costs keep ballooning. And most of it seems to be stable between claude version iterations too. Why wouldn't they try to bake this into the weights during training? Sure it's cheaper from a dev standpoint, but it is neither more secure nor more efficient from a deployment perspective.
    • an0malousan hour ago
      I’m just surprised this works at all. When I was building AI automations for a startup in January, even 1,000 word system prompts would cause the model to start losing track of some of the rules. You could even have something simple like “never do X” and it would still sometimes do X.
      • embedding-shapean hour ago
        Two things; the model and runtime matters a lot, smaller/quantized models are basically useless at strict instruction following, compared to SOTA models. The second thing is that "never do X" doesn't work that well, if you want it to "never do X" you need to adjust the harness and/or steer it with "positive prompting" instead. Don't do "Never use uppercase" but instead do "Always use lowercase only", as a silly example, you'll get a lot better results. If you've trained dogs ("positive reinforcement training") before, this will come easier to you.
      • dataviz100019 minutes ago
        I created a test evaluation (they friggen' stole the word harness) that runs a changed prompt comparing success pass / fail, the number of tokens and time of any change. It is an easy thing to do. The best part is I set up an orchestration pattern where one agent iterations updating the target agent prompts. Not only can it evaluate the outcome after the changes, it can update and rerun self-healing and fixing itself.
    • mysterydipan hour ago
      I assume the reason it’s not baked in is so they can “hotfix” it after release. but surely that many things don’t need updates afterwards. there’s novels that are shorter.
      • sigmoid10an hour ago
        Yeah that was the original idea of system prompts. Change global behaviour without retraining and with higher authority than users. But this has slowly turned into a complete mess, at least for Anthropic. I'd love to see OpenAI's and Google's system prompts for comparison though. Would be interesting to know if they are just more compute rich or more efficient.
      • 100ms34 minutes ago
        Baking it in might not be a straightforward task. For the eating disorder example, I imagine it involves post training on a large selection of chats tailored to the new behaviour, which implies at least some element of data quality and potentially manual cleansing involved
    • jatoraan hour ago
      There are different sections in the markdown for different models. It is only 3-4000 words
    • winwangan hour ago
      That's usually not how these things work. Only parts of the prompt are actually loaded at any given moment. For example, "system prompt" warnings about intellectual property are effectively alerts that the model gets. ...Though I have to ask in case I'm assuming something dumb: what are you referring to when you said "more than 60,000 words"?
      • bavellan hour ago
        The system prompt is always loaded in its entirety IIUC. It's technically possible to modify it during a conversation but that would invalidate the prefill cache for the big model providers.
      • sigmoid10an hour ago
        What you're describing is not how these things usually work. And all I did was a wc on the .md file.
    • cma21 minutes ago
      > And it gets churned by every single request they receive

      It gets pretty efficiently cached, but does eat the context window and RAM.

    • formerly_provenan hour ago
      Surely the system prompt is cached across accounts?
      • sigmoid10an hour ago
        You can cache K and V matrices, but for such huge matrices you'll still pay a ton of compute to calculate attention in the end even if the user just adds a five word question.
      • cfcf14an hour ago
        I would assume so too, so the costs would not be so substantial to Anthropic.
  • SoKamil2 hours ago
    New knowledge cutoff date means this is a new foundation model?
    • lkbm30 minutes ago
      Yes, but doesn't the token change mean that?
    • jimmypkan hour ago
      [dead]
  • cfcf142 hours ago
    I'm curious as to why 4.7 seems obsessed with avoiding any actions that could help the user create or enhance malware. The system prompts seem similar on the matter, so I wonder if this is an early attempt by Anthropic to use steering vector injection?

    The malware paranoia is so strong that my company has had to temporarily block use of 4.7 on our IDE of choice, as the model was behaving in a concerningly unaligned way, as well as spending large amounts of token budget contemplating whether any particular code or task was related to malware development (we are a relatively boring financial services entity - the jokes write themselves).

    In one case I actually encountered a situation where I felt that the model was deliberately failing execute a particular task, and when queried the tool output that it was trying to abide by directives about malware. I know that model introspection reporting is of poor quality and unreliable, but in this specific case I did not 'hint' it in any way. This feels qualitatively like Claude Golden Gate Bridge territory, hence my earlier contemplation on steering vectors. I've been many other people online complaining about the malware paranoia too, especially on reddit, so I don't think it's just me!

    • daemonologistan hour ago
      Note that these are the "chat" system prompts - although it's not mentioned I would assume that Claude Code gets something significantly different, which might have more language about malware refusal (other coding tools would use the API and provide their own prompts).

      Of course it's also been noted that this seems to be a new base model, so the change could certainly be in the model itself.

    • dandaka2 hours ago
      I have started to notice this malware paranoia in 4.6, Boris was surprised to hear that in comments, probably a bug
  • dmk2 hours ago
    The acting_vs_clarifying change is the one I notice most as a heavy user. Older Claude would ask 3 clarifying questions before doing anything. Now it just picks the most reasonable interpretation and goes. Way less friction in practice.
    • bavellan hour ago
      Haven't had a chance to test 4.7 much but one of my pet peeves with 4.6 is how eager it is to jump into implementation. Though maybe the 4.7 is smarter about this now.
  • varispeed2 hours ago
    Before Opus 4.7, the 4.6 became very much unusable as it has been flagging normal data analysis scripts it wrote itself as cyber security risk. Got several sessions blocked and was unable to finish research with it and had to switch to GPT-5.4 which has its own problems, but at least is not eager to interfere in legitimate work.

    edit: to be fair Anthropic should be giving money back for sessions terminated this way.

    • ceejayozan hour ago
      > edit: to be fair Anthropic should be giving money back for sessions terminated this way.

      I asked it for one and it told me to file a Github issue.

      Which I interpreted as "fuck off".

  • mannanj43 minutes ago
    Personally, as someone who has been lucky enough to completely cure "incurable" diseases with diet, self experimentation and learning from experts who disagreed with the common societal beliefs at the time - I'm concerned that an AI model and an AI company is planting beliefs and limiting what people can and can't learn through their own will and agency.

    My concern is these models revert all medical, scientific and personal inquiry to the norm and averages of whats socially acceptable. That's very anti-scientific in my opinion and feels dystopian.

  • kantaroa minute ago
    [dead]
  • an hour ago
    undefined
  • foreman_3 hours ago
    [dead]