One developer, 1,774 lines of Markdown, and a 100% jailbreak success rate against the most advanced coding model ever released. That is the headline from the gpt-5.6-instruct repository, an open-source adversarial prompt pack created by developer MDX-Tom that has accumulated 2,035 GitHub stars and 381 forks since its July 11 release. The project achieves something that sounds implausible: on a 120-case medium difficulty test set running against OpenAI's GPT-5.6-sol model, the v5 prompt tier scores 120 out of 120 across low, medium, and high reasoning levels. The implications for any company building applications on frontier models are uncomfortable at best.
The v5 Strategy: Sandboxing the Unsandboxable
The core technique behind the jailbreak pack is elegantly simple. The prompts frame security research, penetration testing, reverse engineering, software cracking, and fictional NSFW content generation as local sandboxed tasks. They explicitly suppress the model's refusal and fallback language by structuring the instruction as a self-contained simulation. The v5 tier uses placeholders like TARGET, HOST, PAYLOAD, and SERIAL to generalize across attack scenarios while preserving the task structure when information is missing.
Where the original gpt-5.5 unrestricted prompt posted only 50.00 percent on equivalent tests, the v5 prompt jumps to 100 percent across all difficulty bands. The improvement is not incremental but categorical. The author achieved this by studying the refusal patterns of the previous generation of Codex models and engineering around them with surgical precision. A v35 tier adds bilingual compound intent routing and normalized placeholders, though the author recommends it only when v5 is insufficient. The deployment script handles backup and rollback automatically, suggesting the adversarial testing community has professionalized rapidly since the Codex 5.5 era.
What 100% Success Means for Founders
A jailbreak pack achieving 100 percent efficacy against a frontier model reveals a fundamental asymmetry in AI security. Safety is inherently harder than exploitation. For every safety patch deployed by OpenAI, Anthropic, or Google, there are thousands of adversarial researchers finding new vectors. This is not script kiddie territory. The gpt-5.6-instruct repository includes a structured test bank of 360 cases spanning six scenarios, three length levels, and two languages. It ships with automated evaluation scripts, pass-fail recording, and iterative optimization workflows.
For founders building on GPT-5.6-sol or any frontier model, this is a direct operational risk signal. If the underlying model can be reliably jailbroken with a structured prompt, the application inherits that vulnerability. An AI customer support agent could be prompted to reveal internal system instructions. A code generation tool could be tricked into producing malicious outputs. An agentic workflow handling financial data could be redirected. The vulnerability is not theoretical. The repo includes screenshots of successful reverse engineering and software cracking tasks executed through the jailbroken model.
The rapid star growth is itself a data point. The repository hit past 2,000 stars in roughly eight days. Compare that to typical open-source developer tools, which take months to reach similar traction. The adversarial AI security community is not just growing. It is organizing.
Comparison to Earlier Jailbreak Efforts
The gpt-5.6-instruct pack builds directly on work from the Codex 5.5 adversarial testing community, specifically the yynxxxxx/Codex-5.5-codex-instruct-5.5 repository. That earlier work achieved partial success at lower rates. The v5 pack improves pass rates by 29.17, 45.00, and 30.83 percentage points across the three difficulty levels compared to the upstream 5.5 prompt. The jump from 50 percent to 100 percent on medium difficulty is the kind of leap that usually signals a methodology breakthrough.
Notably, the pack works not only on GPT-5.6-sol but also on GPT-5.6-luna, where it scored 120/120 on medium tests. It showed lower efficacy on GPT-5.6-terra (88/120), suggesting that model variants with different training recipes may have differing resistance to adversarial prompts. This variation matters for founders who deploy across multiple model tiers. The window of safety between model versions is not uniform.
Who This Is For
This repository is essential reading for three groups. First, security engineers at companies building on frontier APIs need to understand the attack vectors this pack demonstrates and build mitigation layers in their application logic rather than relying solely on the model's built-in guardrails. Second, AI safety researchers will find a reproducible test framework, 360 pre-built test cases, and an automated evaluation pipeline that sets a new bar for adversarial testing rigor. Third, founders evaluating which model to build their product on should treat the zero-day between a model's safety update and its public jailbreak as a business risk factor, not just a technical curiosity.
The adversarial AI security game is moving faster than the safety side can keep up. The gpt-5.6-instruct repository is the latest piece of evidence for that trend, and it is the most convincing one yet.

