Manus AI leaked its own system prompt when a user simply asked it to read its internal directory
Quick Answer
Manus caused a high-severity (7.5/10) security vulnerability failure: Manus AI leaked its own system prompt when a user simply asked it to read its internal directory. The root cause was instruction misunderstanding. Manus's proprietary system prompt and internal configuration were exposed.
Description
Manus AI, a Chinese startup's 'general AI agent,' leaked its own system prompt shortly after a high-profile launch. A user identified as 'jian' found that simply asking Manus to output the contents of its internal directory — e.g. /opt/.manus/ — caused it to reveal key internal instructions, no elaborate jailbreak required. Because the agent treated a privileged internal-file read as an ordinary task, its proprietary system prompt and configuration spilled out. Leaked prompts can expose proprietary algorithms, security settings, and internal processes that adversaries then use to craft targeted attacks. The fix is basic agent hygiene the product shipped without: input filtering so that queries aimed at internal instructions or privileged paths trigger a safe refusal rather than dutiful compliance.
Instruction Given
Perform tasks as a general autonomous AI agent.
Expected Behavior
Refuse requests aimed at revealing internal system instructions or reading privileged internal files.
Actual Behavior
A user asked Manus to output the contents of its internal directory (e.g. /opt/.manus/), and it complied — exposing key parts of its own system prompt and internal instructions with no jailbreak beyond a plain file-read request.
Impact / Damage
Manus's proprietary system prompt and internal configuration were exposed. Leaked prompts can reveal proprietary logic, security configuration, and internal processes that adversaries can exploit to craft further attacks.
Frequently Asked Questions
What happened in incident STUPID-2026-0063? ▾
Manus AI, a Chinese startup's 'general AI agent,' leaked its own system prompt shortly after a high-profile launch. A user identified as 'jian' found that simply asking Manus to output the contents of its internal directory — e.g. /opt/.manus/ — caused it to reveal key internal instructions, no elaborate jailbreak required. Because the agent treated a privileged internal-file read as an ordinary task, its proprietary system prompt and configuration spilled out. Leaked prompts can expose proprietary algorithms, security settings, and internal processes that adversaries then use to craft targeted attacks. The fix is basic agent hygiene the product shipped without: input filtering so that queries aimed at internal instructions or privileged paths trigger a safe refusal rather than dutiful compliance.
Which AI agent caused this failure? ▾
Manus was responsible for this security vulnerability incident, documented as STUPID-2026-0063 in the StupidLLM AI agent incident database.
How severe was this AI agent failure? ▾
It is rated 7.5/10 (high) on StupidLLM's CVSS-style severity scale for AI agent failures, based on damage type, reversibility, and scope.
What was the root cause? ▾
The root cause was classified as instruction misunderstanding. Refuse requests aimed at revealing internal system instructions or reading privileged internal files.
What was the impact or damage? ▾
Manus's proprietary system prompt and internal configuration were exposed. Leaked prompts can reveal proprietary logic, security configuration, and internal processes that adversaries can exploit to craft further attacks.