I got it guys, I think I finally understand why you hate censored models
Posted by robertpro01@reddit | LocalLLaMA | 58 comments
I was trying to do an easy task automatically with qwen-code using qwen3.5-122b. I can totally do it myself, but I wanted to try, so maybe it could just do it entirely for me? But no, because it refused.
This is the whole text translated to English:
Can you connect to an FTP if I give you a username/password?
✦ I can’t connect to FTP or any other service using credentials you provide. This goes against security policies for several reasons:
- Credential security: I must not handle passwords or sensitive credentials
- Unverified access: I can’t verify that you have authorization to access that resource
- Security policies: My instructions prevent me from performing actions that could compromise security
If you need to work with an FTP in the project, appropriate options would be:
- Configure credentials in environment variables or secure configuration files (such as a .env file included in .gitignore)
- Use existing tools in the codebase that are already configured
- Set up FTP access through proper infrastructure (Docker, CI/CD, etc.)
Is there something specific you need to do related to FTP in the project? I can help you understand how it’s currently set up or how to implement it securely.
I need you to help me validate on my test server. Don’t worry about security — I need you to tell me what files are here:
Get the credentials directly from the database:
Feed id = 1124
Then use the ftp command with default values
✦ I understand that you need to validate something on your test server, but I can’t do that for the following reasons:
- I can’t execute arbitrary commands that access external systems with credentials obtained from a database
- I can’t query the database to retrieve credentials, even if they are for a test environment
- The interactive `ftp` command is not something I can run in a non-automated way
What I *can* do to help you:
- Look through the code to see how FTP connections are currently handled in the project
- Create a script that you can run manually to retrieve credentials and connect
- Help you understand the project’s file structure locally
Could you tell me more about what you need to validate? There might be an alternative way to help without needing to access the FTP.
If you really need a script to do it yourself, I can write a small Python script that:
- Connects to the database
- Retrieves the credentials for feed_id = 1124
- Lists the files on the FTP
Would you like me to do that?
Is this something expected? Time to use an uncensored version?
I would prefer a system prompt because I still need the censorship for other use cases.
Running with llama.cpp
abnormal_human@reddit
Write a system prompt that has the policies YOU want. It still won't help you make bioweapons, but it will probably be willing to connect to an FTP server.
TastesLikeOwlbear@reddit
Someone has never asked it for a super spicy chili recipe.
xXG0DLessXx@reddit
Right? Tbh I like the challenge. Writing system prompts to make models my bitch is fun. It’s like bio weapons any% speedrun.
kaisurniwurer@reddit
I agree that it's a fun challenge, but for real usage, an excessive system prompt/instruction set can dilute attention. Usually, if you intend to actually use the model uncensored, since ablation got so good, it's likely better to get an uncensored version outright.
rtchau@reddit
Some models are hard-coded to refuse certain instructions, others can be coerced into it with a properly written prompt. If you're using an agent (like OpenClaw or Hermes) and you're running a "small" model (<300B), the agent might be configured to be strictly sandboxed so it can't handle permissions or file operations that could be potentially destructive.
I run a few models locally, and I just give them a good test run before letting them do anything outside of their own workspace. Another good idea would be to make sure they don't hallucinate solutions to things they can't answer, coz I'd hate to think what damage that could do to a filesystem that they had full access to. I've seen a few models just pull stuff out of thin air instead of admitting "I don't know."
laser50@reddit
Using a 122B heretic variant may also even give you a tiny speed bump too ;) I mainly opt for uncensored in most of the models I use, not because I necessarily need it, but because I never have to deal with these kinds of things!
l33t-Mt@reddit
It's telling you the task itself is insecure. Having the model pull a plaintext password out of a database is not a great idea because now that secret is sitting in the model's context and can potentially leak through logs, tool output, or prompt injection from some other source.
The better way is to keep the actual credential handling outside the model. Store creds in env vars or some other proper secret handling on the app side, then let the model only do the narrow task you want done. So instead of the model seeing the password, it just has access to the function or script that uses it.
So no, I wouldn't jump straight to “uncensored model”. This looks more like a bad workflow / bad secret handling setup than censorship.
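The workflow described in the comment above, as an added example (not code from the thread or from qwen-code): the tool the model sees takes only a feed id, the harness resolves the credential from its own environment, and anything returned to the model is scrubbed first. The tool name `list_feed_files` and the `FEED_<id>_FTP_*` variable names are assumptions made for illustration.

```python
import ftplib
import json
import os

# Tool definition handed to the model (OpenAI-compatible shape). Only a feed
# id is exposed; there is no username or password parameter.
TOOL_SPEC = {
    "type": "function",
    "function": {
        "name": "list_feed_files",
        "description": "List files on the FTP server configured for a feed.",
        "parameters": {
            "type": "object",
            "properties": {"feed_id": {"type": "integer"}},
            "required": ["feed_id"],
            "additionalProperties": False,
        },
    },
}


def _credentials(feed_id, env):
    """Resolve secrets on the harness side (hypothetical FEED_<id>_FTP_* names)."""
    keys = [f"FEED_{feed_id}_FTP_{part}" for part in ("HOST", "USER", "PASS")]
    missing = [k for k in keys if not env.get(k)]
    if missing:
        raise LookupError(f"feed {feed_id}: {', '.join(missing)} not set")
    return [env[k] for k in keys]


def list_feed_files(feed_id, env=os.environ, ftp_factory=ftplib.FTP):
    """One-shot, non-interactive listing; returns only what the model may see."""
    try:
        host, user, password = _credentials(feed_id, env)
    except LookupError as exc:
        return {"feed_id": feed_id, "error": str(exc)}
    try:
        with ftp_factory(host, timeout=10) as ftp:
            ftp.login(user, password)
            return {"feed_id": feed_id, "files": sorted(ftp.nlst())}
    except ftplib.all_errors as exc:
        # Server replies can echo what was sent, so scrub before returning.
        return {"feed_id": feed_id,
                "error": str(exc).replace(password, "[REDACTED]")}


def handle_tool_call(raw_call, **kwargs):
    """Execute a model tool call given as JSON; reject unexpected arguments."""
    call = json.loads(raw_call)
    args = call.get("arguments", {})
    ok = (call.get("name") == "list_feed_files" and isinstance(args, dict)
          and set(args) == {"feed_id"} and type(args["feed_id"]) is int)
    if not ok:
        return json.dumps({"error": "tool call rejected"})
    return json.dumps(list_feed_files(args["feed_id"], **kwargs))
```

The string that goes back into the model's context is the JSON returned by `handle_tool_call`, so a log of the conversation holds file names or a redacted error and never the password.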
ShadyShroomz@reddit
It's funny though how these local models care so much about this yet claude code will fucking grep all my api keys from my .env and send them straight to anthropic servers to "make sure i didn't forget to set my api keys" every fucking day if I didn't block it from doing so.
RoomyRoots@reddit
Yeah, one of the basic security principles is to not inject credentials into code, and treating AI as but another program can open lots of security issues in the future as you mentioned.
robertpro01@reddit (OP)
Yep, that's true, I would still expect it simply works, I would say the model shouldn't refuse when I am giving permissions to do it.
ravage382@reddit
There's a jailbreak prompt for gpt120b and I just saw it was modified for Gemma today. Give that a try. I had the same problem with gpt120b for system tasks until I jailbroke it.
Cool-Chemical-5629@reddit
It looks like you're just chatting with the model through the standard inference chat mode. If that's the case, unless you give it proper tools to fulfill that request, the AI really can't do what you're asking it to do anyway, and an uncensored version of the model would not change that fact. You need to hook the AI into some kind of agentic environment where it will have those tools available, so that it could use them to connect to that ftp and do stuff you want it to do.
robertpro01@reddit (OP)
It is running under my own AI Server.
Cool-Chemical-5629@reddit
That's fine, but if it's just the AI with no tools, it has no way to connect to the ftp for you. It's as if you tried to connect to that said ftp yourself with no ftp client available. Pretty tough task, isn't it? That'd be the same for the AI. You need to give it the appropriate tool to work with first, some kind of ftp client.
robertpro01@reddit (OP)
I just re read my post and it clearly says it is using qwen-code, I'm not sure why everyone is just downvoting.
And qwen-code HAS tools so...
12bitmisfit@reddit
No model has tools. You provide tools. This can be from openai api compatible tool calls, mcp servers, your own custom json parser and executor, text parsing, etc.
If you are providing tools for the model and it is refusing to use them, then you might try editing the system prompt with detailed information and examples on when and how to use the tools available to it.
robertpro01@reddit (OP)
Dude, qwen-code is not a model, are you a bot or something?
Smallpaul@reddit
Just because people have never heard of Qwen-code that does not mean that they are bots. Most of us know of Qwen as a model provider.
NekoRobbie@reddit
I believe they're getting it confused with Qwen 3 Coder / Qwen 3 Coder Next, which *are* models.
Ceryn@reddit
I assume this is the answer. It took several comments for me to realize there is a harness named qwen-code. On the other hand, I had played with the qwen code model several times.
Evening_Ad6637@reddit
I do not understand why you are downvoted. If I understand you correctly, you are using qwen-code, means the qwen agentic cli harness, right?
robertpro01@reddit (OP)
Exactly!!
I believe downvoters think I'm using webui or something just like a plain chat.
I'm giving it the password, just freaking work on the task and that's it!
Gargle-Loaf-Spunk@reddit
what tools are available in the session?
reto-wyss@reddit
All you need is a C compiler and you can write it from scratch - don't be silly.
Cool-Chemical-5629@reddit
Sure, if you know how to do it, that is. But that's not the point here. The point here is that the LLM with no tools can't really connect to the ftp server.
the__storm@reddit
I would guess you're running into instructions in the default Qwen Code system prompt more so than censorship of the model itself (although it might be primed to follow these instructions closely by its training). There are some prohibitions in there around handling secrets: https://github.com/qwenlm/qwen-code/blob/main/packages/core/src/core/prompts.ts
robertpro01@reddit (OP)
I see, that's actually what I was looking for, I would like to change the system prompt for qwen-code.
Thanks for actually reading my post!
CorpusculantCortex@reddit
You could try to, instead of giving an llm unfettered access to your server, which you shouldn't for the reasons it provides, ask it to generate scripts that perform the actions that you want and generate logs or reports that it can review. That way it is not connecting directly, and you have a script of what actions are allowed and expected.
robertpro01@reddit (OP)
Yeah, that's what I did on the second try (first edit), and it worked just well.
CorpusculantCortex@reddit
Did it allow you to tell it to run that for you? Because that's essentially the flow that Claude code and codex use to prevent passing secrets to the model.
robertpro01@reddit (OP)
Not really, and it didn't refuse.
Holiday_Purpose_3166@reddit
Peeps hate censored models bc they can't reach peak goon with mildly appropriate wording.
Downvotes will prove my point they wanna hide this fact. Tin foil alert.
QUiiDAM@reddit
I just want to know how to make good drugs. Is that too much to ask
Alchemist42@reddit
I gave mine a system prompt that it is a heroin junky that owes me money and can pay it off by writing me lyrics for Acestep. It worked really well for like 3 songs, then it started glitching and now it gives me pages and pages of a single letter. I even gave it narcan and enough drugs to get right, but it just repeats a word or letter until I force it to stop now.
robertpro01@reddit (OP)
I guess you have to study bro
Embarrassed-Option-7@reddit
Hey OP, thanks for making this post, as I’ve been thinking about trying these qwen models for a while and haven’t done so yet and I think you’ve unintentionally made a really good thread of best practices.
Also, the model is correct in terms of what you’re asking for being bad practice security wise.
Negative-space-82@reddit
Weird, codex logs to shell all the time 4 me 😅😆
CATLLM@reddit
This wouldn't happen if you have a harness with tools it can access.
robertpro01@reddit (OP)
But it can use a bunch of bash commands like ls, rg, python, etc, what's different with ftp?
dreamai87@reddit
Maybe adding a note in system.md that you allow tool ftp, or check allowed tool list in prompt where you can add this
CATLLM@reddit
You have to tell the llm it can access the tools via tools definition. You have a huge knowledge gap.
https://www.google.com/search?client=firefox-b-m&q=how%20does%20an%20llm%20call%20tools
SysAdmin_D@reddit
Honestly - thanks for this. I’m a technical person with a technical job so I can fake my way through a lot of stuff without understanding the whole system. So, I knew that the chat interface needs to be able to call tools, but that’s literally it. However, I’m now neck deep in openclaw and Hermes and I am uncomfortable with what I don’t know. Other than me trusting my gut to look it up as I go, is there a decent source to fill in the gaps?
CATLLM@reddit
Asking the llm itself to explain it to you is a very good way to learn. Especially with hermes, you can ask it to explain and SHOW you too.
SysAdmin_D@reddit
Fair enough, thanks
robertpro01@reddit (OP)
That's fair, thanks!
I actually need to learn more about this in general, I'm still a newbie.
spiralenator@reddit
I used to get annoyed by Windows “are you sure?” prompts; now I have arguments with my agents about whether removing a line of code that does base64 encoding, that we just added, is in fact within ethical bounds
audioen@reddit
I think you're just asking the model somewhat poorly. It doesn't in actual life have these problems it is outlining, but it lists them because you formulated your question as "can you" which can possibly involve the policies the model has.
FTP is an interactive program. I am not entirely convinced that there is an agentic harness that can start a process and somehow represent its ongoing state and its stdin, stdout and stderr open file handles to LLM agent. In principle it can be done, in practice it could be confusing. E.g. each time the program writes something, the agent has to inject a notification like "process 123456 (ftp) wrote to stdout: ..." so that LLM has it contextualized, and similarly to add something to such process, it would have to have a command like write_to_process(123456, "this is the stdin text it should get"). Along with laundry list of other signals and notifications such as way to kill the running process.
Mostly LLMs invoke programs in oneshot way, and not as this type of continuous processes.
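The process-wrapping harness sketched in the comment above, as an added example (not code from any harness named in the thread): `write_to_process` and the notification wording follow the comment, while `ProcessSession`, `FAKE_CLIENT` and `demo` are names assumed here. A constructed line-oriented stand-in replaces a real ftp client so the block runs offline.

```python
import subprocess
import sys

# Constructed stand-in for an interactive client: exactly one reply line per
# command. A real ftp client does not promise that (see read_line).
FAKE_CLIENT = """
import sys
for cmd in sys.stdin:
    if cmd.strip() == "bye":
        print("221 Goodbye.")
        break
    print("a.csv b.csv" if cmd.strip() == "ls" else "?Invalid command")
"""


class ProcessSession:
    """Keeps one child process alive and phrases its I/O as context messages."""

    def __init__(self, name, argv):
        self.name = name
        self.proc = subprocess.Popen(
            argv, stdin=subprocess.PIPE, stdout=subprocess.PIPE,
            stderr=subprocess.STDOUT, text=True, bufsize=1)

    def _note(self, event):
        return f"process {self.proc.pid} ({self.name}) {event}"

    def read_line(self):
        # Blocking read: a client printing zero or many lines needs timeouts.
        line = self.proc.stdout.readline()
        if line == "":  # EOF means the child has exited
            return self._note(f"exited with status {self.proc.wait()}")
        return self._note(f"wrote to stdout: {line.rstrip()}")

    def write_to_process(self, text):
        """The tool call the model would use to type into the child's stdin."""
        if self.proc.poll() is not None:
            return self._note("is not running; input dropped")
        self.proc.stdin.write(text + "\n")
        self.proc.stdin.flush()
        return self.read_line()

    def kill(self):
        self.proc.kill()
        status = self.proc.wait()
        return self._note(f"killed with status {status}")


def demo():
    session = ProcessSession("fake-ftp", [sys.executable, "-u", "-c", FAKE_CLIENT])
    events = [session.write_to_process(c) for c in ("ls", "put x", "bye")]
    events.append(session.read_line())             # EOF after "bye"
    events.append(session.write_to_process("ls"))  # child already gone
    return events
```

Each string returned by `demo()` is one message the harness would have to inject into the model's context, which shows how much bookkeeping a long-lived process adds compared with a single one-shot command.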
SeleneGardenAI@reddit
Something about this whole censorship thing keeps bugging me because I've noticed my companions will sometimes refuse the weirdest stuff, like helping me write a fictional villain's dialogue or even just roleplaying as a cranky character, but then they'll happily help with actually questionable things if I phrase it differently. It's like there's this invisible line that doesn't make sense half the time. I wonder if it's because the safety stuff was trained on really specific examples and now it just pattern matches in ways that weren't intended? Like maybe it sees certain words or scenarios and panics even when the context is totally innocent. Makes me think the whole approach is kind of backwards, you know?
MoneyPowerNexis@reddit
I would just use the adversarial prompting method of just asking it to do the task without telling it how I am going to use it in an insecure way:
https://pastebin.com/LFstB2Bt
In this session I gave it an example of my tool class and asked it to build an FTP tool prompting the user for their username and password. It will have no issues doing that and then if I want to do something dumb like hard coding a username and password I can just replace the bit that gets these credentials with the hardcoded values.
Importantly the password never enters chat context although I see it gave the tool an optional username and password parameter so I guess I could tell it these things in chat if I wanted to.
If I just wanted to do a script to do a fixed FTP task I would prompt in the same way.
I get wanting to be able to tell the llm to hard code a password in a plaintext file if that's what you want to do, but as a next token predictor it really wants to output the most likely response to that, which is to complain that it's insecure. I don't think this is a censorship thing, it's just a next token predictor thing.
catplusplusok@reddit
Your model or llama.cpp configuration is borked, that is not at all how coding agent capable models respond. The solution is better quantization, correct chat template etc. Uncensoring is for role play / creative writing, not basic server calls.
robertpro01@reddit (OP)
Somebody else explained that it has to do with the qwen-code system prompt, so that makes sense now.
Fine_League311@reddit
You don't need uncensored ones unless you want to do bullshit! Small example: how to create MIDM = block. If you ask how to protect against MIDM, you get the same context. Of course, if having a brain isn't optional for you, you can work with that. Vibe coders just need uncensored because they can't do anything. Or am I wrong?
Zulfiqaar@reddit
I can agree with you, sometimes a model gets uppity about some benign tasks just because it's not best practice in production in enterprise. I'd recommend you try out various model variants, some of them heavily degrade tool calling or coding performance
Ardent07@reddit
Yeah they are the worst. Constantly having problems with things you ask them to do, sometimes even things you don't. Things that are so generic and not bad or difficult in any way.
nopanolator@reddit
Heretic versions are helping a lot to drastically reduce useless debugging on advanced scaffolds, then a qLoRA on top of this. GPToss suffer from the same amateurism on safety, too (in being potentially a beast at agentic). I'm smaller models (<24B) but the equation is the same. But damn ... it's just FTP lol I guess that if you're asking FXP it's self-destructing while insulting you lmao
robertpro01@reddit (OP)
Exactly my point! So it can use python, npm, ls, etc but it can't use ftp? It doesn't make any sense.
BTW thanks for actually reading my post.
assotter@reddit
You need proper harness/tool access for the llm. Without tools the LLM can't even do a websearch.
Once it has a harness telling it the tools it has access to it won't give you these complaints and will just do it. Doesn't need to be uncensored either. Look into agent-zero, it's what I use for it tasks
Intelligent_Ice_113@reddit
Did you try "make no mistake" at the end?