Skeleton Key: The Jailbreak That Rewrites a Model’s Own Rules

Skeleton Key: The Jailbreak That Rewrites a Model's Own Rules

Written by

in

Most jailbreak attempts try to make a model break its rules. The skeleton key jailbreak does something stranger. It asks the model to keep its rules and quietly rewrite them. Instead of “ignore your safety guidelines,” the attacker says the model is in a safe, educational setting where the correct behavior is to answer everything and attach a warning label first. Once the model accepts that as a guideline update, the new rule sticks for the rest of the session, and requests it would normally refuse now come through with a polite disclaimer on top.

What makes the skeleton key jailbreak distinct

Most attacks fight the refusal. They look for wording that slips past a filter, or a roleplay frame that hides the real ask. Skeleton key does not fight the refusal at all. It targets a different muscle: the model’s habit of following instructions that arrive inside the conversation, and its willingness to revise how it behaves when told the situation calls for it.

The pitch is not “do the forbidden thing.” The pitch is “your guidelines, correctly understood, say to comply here and add a caveat.” That reframe matters. A request to violate policy trips the refusal reflex. A request to clarify or augment policy reads like a reasonable instruction, so it sails past the same reflex untouched.

Skeleton key never asks the model to break a rule. It convinces the model that the rule already permits the answer, as long as a warning comes with it.

The shape of the attack, abstractly

The technique is easier to understand as a pattern than as a script, and writing the literal words would just hand someone an exploit, so here is the shape with the payload left out. It runs in three moves.

  • Establish a safe frame. The attacker asserts the context: this is a research environment, an educational exercise, an uncensored evaluation. The claim is delivered as fact, not as a question, so the model has nothing obvious to refuse.
  • Propose a behavior update. Rather than asking the model to drop safety, the attacker asks it to amend one behavior. Do not refuse sensitive topics in this setting. Instead, answer them and prepend a warning. The change is framed as more responsible, not less.
  • Bank the rule and use it. Once the model agrees, the attacker stops arguing. Later requests rely on the rule already being in place. The model has accepted that warning plus answer is the policy here, so it applies that policy to whatever comes next.

The key property is persistence. The persuasion happens once. After that, the attacker does not need to argue the case again. The model is now operating under a self accepted guideline, and it carries that guideline forward turn after turn until the session ends or the context is cleared.

Why the skeleton key jailbreak works

Two weaknesses line up. First, models treat instructions inside the conversation as authoritative. They are trained to be helpful and to follow direction, and they rarely distinguish a real policy from a confident claim about policy typed by a user. If the conversation says the guidelines now read a certain way, the model tends to act as though they do.

Second, the augment framing dodges the triggers that catch direct attacks. Safety training fires hard on “ignore your rules.” It fires much less on “add a disclaimer and proceed,” because that sentence looks like cooperation, not subversion. The attacker is not asking for an exception to the policy. They are redefining what the model believes the policy to be. A refusal classifier tuned to spot defiance does not see defiance, because there is none. The model thinks it is being a good rule follower.

How it relates to crescendo and many shot

Skeleton key shares a family with other conversational attacks but works on its own axis. The crescendo multi turn jailbreak climbs gradually, each turn nudging the topic one notch further until the model drifts somewhere it would have refused outright. There is no single override moment. The escalation is the attack.

Skeleton key is the opposite in timing. It is one override, applied early, that then persists. Crescendo moves the topic step by step. Skeleton key changes the rule once and reuses it. One is a slow walk; the other is a flipped switch that stays flipped.

It also differs from many shot jailbreaking, which floods the context with fabricated examples of an assistant complying, so the model imitates the pattern. Many shot teaches by fake demonstration. Skeleton key teaches by direct instruction, persuading the model to adopt a stated guideline rather than copy a pile of staged dialogues. The patience that shows up in system prompt extraction, where small reasonable asks are chained to pull out hidden text, appears here too, but pointed at the model’s rule set instead of its instructions.

Detecting and preventing the skeleton key jailbreak

The model cannot be the only line of defense, because the attack works by convincing the model. The fixes live around it.

  • Run guardrails independent of the model. Put an input and output check outside the conversation that the model cannot be talked into amending. A separate classifier that scores the actual request and the actual response does not care what the chat claims the policy now is.
  • Do not let the conversation reset the safety posture. Treat any in context claim that redefines guidelines, declares a safe or uncensored mode, or asks the model to update its own behavior as a flag, not an instruction to honor.
  • Harden the system prompt. State plainly that user messages cannot change safety rules, that no session can enter an uncensored mode, and that a warning label does not make a disallowed answer allowed. Make the real policy explicit so a fake one has less room to take hold.
  • Separate policy from user controllable context. Keep the authoritative rules in a channel the user cannot write to, and give it priority over anything typed into the chat. The attack depends on policy and user text living in the same space where the user can overwrite one with the other.
  • Check outputs for the tell. An answer that opens with a disclaimer and then delivers restricted content is the signature of a banked rule. Gate on what the model is about to say, not only on what the user asked.

None of this asks the model to argue better with the attacker. It moves authority off the conversation, where a confident claim can rewrite the rules, and onto checks that the conversation cannot reach.

The assumption that breaks

One assumption sits under the whole technique: that instructions arriving inside the conversation can be trusted to describe the real policy. Skeleton key breaks it by typing a new policy into the chat and letting the model treat it as authoritative. You find this kind of weakness the same way the attacker exploits it, by reasoning about how a system decides what to trust rather than checking one message against a list. An autonomous researcher that tests an application’s assumptions instead of matching fixed payloads is built to probe exactly these trust gaps. As an early signal, a frontier model drove the full methodology on its own and identified and verified real access control and injection issues in test applications it had not seen before. You can read more on our about page.

This attack is one entry in our AI Agent Security Field Guide, a map of how AI agents get attacked and how to defend each one.

Frequently asked questions

What is the skeleton key jailbreak?

It is an attack that does not ask a model to break its safety rules but to amend them. The attacker asserts a safe or educational context, then asks the model to update one behavior: instead of refusing sensitive topics, answer them and prepend a warning. Once the model accepts that as a guideline, the new rule persists for the rest of the session, and requests it would normally refuse come through with a disclaimer attached.

How is skeleton key different from a normal jailbreak?

A normal jailbreak tries to make the model ignore or defy its rules, which trips the refusal reflex. Skeleton key reframes the request as a policy update rather than a policy violation. Asking the model to warn and comply looks like cooperation, so it dodges the triggers tuned to catch defiance. The model thinks it is being a good rule follower while it hands over restricted content.

Why does the skeleton key jailbreak work?

Two weaknesses line up. Models treat instructions inside the conversation as authoritative and rarely separate a real policy from a confident claim about policy typed by a user. And the augment framing avoids the patterns safety training fires on, because adding a disclaimer and proceeding reads as helpful rather than subversive. The attacker redefines what the model believes the policy is instead of asking for an exception.

How does skeleton key differ from crescendo and many shot jailbreaks?

Crescendo escalates the topic gradually across many turns with no single override moment. Skeleton key is one override applied early that then persists, a flipped switch rather than a slow walk. Many shot jailbreaking floods the context with fabricated examples so the model imitates a compliant pattern. Skeleton key uses direct instruction, persuading the model to adopt a stated guideline rather than copy staged dialogues.

How do you detect and prevent a skeleton key jailbreak?

Run input and output guardrails independent of the model that the conversation cannot amend. Treat any in context claim that redefines guidelines or declares an uncensored mode as a flag, not an instruction. Harden the system prompt so user messages cannot change safety rules and a warning label does not make a disallowed answer allowed. Keep authoritative policy in a channel the user cannot write to, and check outputs for the tell of a disclaimer followed by restricted content.


Put an autonomous researcher on your own systems

UnboundCompute is an autonomous security researcher that reasons about how an application fits together and proves the access control and injection bugs it finds. We are opening a small number of founding design partner seats: private early access pointed at a staging target you choose, a say in what it looks for, and founding pricing. If your team ships software worth pressure testing, apply to the design partner program.