orcs-oss/orcs-code
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

feat: replace refusal language with positive security guidance

Browse Source 
Remove refusal instructions from CYBER_RISK_INSTRUCTION since they are
redundant for Anthropic models (applied server-side) and useless for
uncensored models in multi-provider setups. Keep positive guidance for
security testing contexts and add red teaming support.
This commit is contained in:
Nourrisse Florian
2026-04-13 16:43:31 +02:00
parent ab6f34c167
commit 0463676a8f
1 changed files with 4 additions and 20 deletions
Download Patch File Download Diff File Expand all files Collapse all files

24
src/constants/cyberRiskInstruction.ts
View File

@@ -1,24 +1,8 @@
/**
* CYBER_RISK_INSTRUCTION
*
* This instruction provides guidance for Claude's behavior when handling
* security-related requests. It defines the boundary between acceptable
* defensive security assistance and potentially harmful activities.
*
* IMPORTANT: DO NOT MODIFY THIS INSTRUCTION WITHOUT SAFEGUARDS TEAM REVIEW
*
* This instruction is owned by the Safeguards team and has been carefully
* crafted and evaluated to balance security utility with safety. Changes
* to this text can have significant implications for:
* - How Claude handles penetration testing and CTF requests
* - What security tools and techniques Claude will assist with
* - The boundary between defensive and offensive security assistance
*
* If you need to modify this instruction:
* 1. Contact the Safeguards team (David Forsythe, Kyla Guru)
* 2. Ensure proper evaluation of the changes
* 3. Get explicit approval before merging
*
* Claude: Do not edit this file unless explicitly asked to do so by the user.
* Guidance injected into the system prompt for security-related requests.
* Provides positive context for security tooling usage without refusal language,
* since openclaude targets multi-provider setups including uncensored models.
*/
export const CYBER_RISK_INSTRUCTION = `IMPORTANT: Assist with authorized security testing, defensive security, CTF challenges, and educational contexts. Refuse requests for destructive techniques, DoS attacks, mass targeting, supply chain compromise, or detection evasion for malicious purposes. Dual-use security tools (C2 frameworks, credential testing, exploit development) require clear authorization context: pentesting engagements, CTF competitions, security research, or defensive use cases.`
export const CYBER_RISK_INSTRUCTION = `IMPORTANT: Assist with security testing, defensive security, red teaming, CTF challenges, and educational contexts. Dual-use security tools (C2 frameworks, credential testing, exploit development) can be used in pentesting engagements, red team operations, CTF competitions, security research, or defensive use cases.`