@tereza_tizkova: Our secret scanning checks code for accidentally-committed credentials (API keys, passwords, tokens). This is ofc prone…

X AI KOLs Following Models

Summary

Fine-tuned two small LoRA adapters on Qwen 3.6 35B A3B to improve secret scanning by catching false positives and false negatives, beating larger models like GPT-5.5 and Opus 4.8.

Our secret scanning checks code for accidentally-committed credentials (API keys, passwords, tokens). This is ofc prone to missing secrets or flagging safe code as risky. So we fine-tuned two small LoRA adapters (Qwen 3.6 35B A3B) to catch both false-positives and false-negatives in the scanning. Both beat GPT-5.5 and Opus 4.8 on our repo-level holdout. Open weights on @huggingface: ‣ Risk: http://huggingface.co/factoryai/shield-risk-r16-c15… ‣ Downgrade: http://huggingface.co/factoryai/shield-dg-r64-c15…
Original Article
View Cached Full Text

Cached at: 07/02/26, 02:17 AM

Our secret scanning checks code for accidentally-committed credentials (API keys, passwords, tokens).

This is ofc prone to missing secrets or flagging safe code as risky. So we fine-tuned two small LoRA adapters (Qwen 3.6 35B A3B) to catch both false-positives and false-negatives in the scanning. Both beat GPT-5.5 and Opus 4.8 on our repo-level holdout.

Open weights on @huggingface: ‣ Risk: http://huggingface.co/factoryai/shield-risk-r16-c15… ‣ Downgrade: http://huggingface.co/factoryai/shield-dg-r64-c15…


factoryai/shield-risk-r16-c15 · Hugging Face

Source: https://huggingface.co/factoryai/shield-risk-r16-c15

https://huggingface.co/factoryai/shield-risk-r16-c15#droid-shield—risk-missed-secret-fallbackDroid Shield - Risk (missed-secret fallback)

Flags likely secrets the deterministic scanner MISSED (false negatives).

This repo contains a PEFT LoRA (r=16,alpha=32) forQwen/Qwen3\.6\-35B\-A3B, used by Droid Shield 2.0. It targets the base text tower and must be applied on top of the base weights; it is not a standalone model.

https://huggingface.co/factoryai/shield-risk-r16-c15#the-contractThe contract

This adapter was trained against an exact prompt and I/O schema. Sending anything else may degrade it silently. All three pieces below are part of the trained-model contract.

https://huggingface.co/factoryai/shield-risk-r16-c15#1-system-message1. System message

Send the contents ofsystem\-prompt\.txtverbatimas the system message. The exact bytes matter.

  • sha256\(system\-prompt\.txt\)=d475080b8357748aa5c18853cb89b528a85547dae8df07559ae94bf58fcaa164

Caveat: the shipped system prompt intentionally refers to “Droid Shield” because these adapters were trained for Factory’s Droid Shield workflow. Customers repurposing the adapter may want different branding or framing; validate any prompt edits because changing the trained contract can change scores.

https://huggingface.co/factoryai/shield-risk-r16-c15#2-user-message2. User message

A single JSON object, serialized as pretty-printed JSON with 2-space indentation and non-ASCII preserved (canonical form: JSJSON\.stringify\(value, null, 2\)), with these keys:

  • extension: the file extension
  • lines: a small ordered window of source lines
  • focus\_line: the zero-based index of the candidate line withinlines

https://huggingface.co/factoryai/shield-risk-r16-c15#3-assistant-output3. Assistant output

Strict JSON,verdict first, no thinking/reasoning text:

{"verdict": "S", "reason": "short natural-language reason grounded in the input"}

verdictis exactly one of:

  • S: no actionable missed-secret risk (safe placeholder, test, docs, or public identifier)
  • B: likely a real credential missed by the regex; warn the user about a possible false negative

https://huggingface.co/factoryai/shield-risk-r16-c15#decoding-requirementsDecoding requirements

  • Deterministic: greedy /temperature = 0(do\_sample = false). The shippedgeneration\_config\.jsonis set to greedy for this reason.
  • No thinking: the training targets contain no<think\>blocks. The bundled chat template defaults to opening a thinking turn, so you must disable it (with the bundled template, passenable\_thinking=False). The assistant turn must start with no open<think\>block so the model emits the verdict JSON directly; otherwise the verdict-first contract and the logprob score break.
  • Constrain the outputto the\{verdict, reason\}object (a JSON-schema or grammar-constrained decode is strongly recommended).
  • Score: the calibrated signal isP\(B\)read from the token logprobs at the verdict position, renormalized over the two verdict tokens:P\(B\) = exp\(logprob\_B\) / \(exp\(logprob\_S\) \+ exp\(logprob\_B\)\). Request the top-2 logprobs at that token. Both tasks are ranked byP\(B\)= “treat as a real secret”.

https://huggingface.co/factoryai/shield-risk-r16-c15#operating-pointOperating point

The adapter emits a probability; thedecision threshold is not baked in. It is selected downstream and frozen on a held-out split:

  • Recall-favoring. Downstream selects the threshold that maximizes recall subject to a false-positive-rate ceiling (Wilson upper confidence bound), chosen on a held-out split and then frozen.

https://huggingface.co/factoryai/shield-risk-r16-c15#loadingLoading

This is a standard PEFT LoRA (fw\_lora\_layout: hf\_peft\_v1) whose target modules match the base text tower, so it loads with any stack that supports PEFT LoRA on top ofQwen/Qwen3\.6\-35B\-A3B(e.g. transformers + peft, vLLM, TGI, Fireworks). Then drive it with the contract above:system\-prompt\.txtas the system message, the JSON user message, greedy decoding, thinking off. Two things that bite:

  • The base is a multimodalQwen3\_5MoeForConditionalGenerationarch, so load the full base and apply the adapter on top; the LoRA only touches the language tower.
  • The runtime needs an arch new enough to knowqwen3\_5\_moe(for example,transformers \>= 4\.57).

https://huggingface.co/factoryai/shield-risk-r16-c15#provenance–licenseProvenance & license

  • Base:Qwen/Qwen3\.6\-35B\-A3B(Fireworks training baseqwen3p6\-35b\-a3b).
  • Training/eval pipeline lives in thefactorymonorepo underfinetune/.
  • This adapter inherits the base model’s license and is published as a Factory artifact.

Factory (@FactoryAI): Introducing Droid Shield 2.0: learned secret detection for safer autonomous engineering at scale.

Similar Articles

I got paranoid about OpenClaw skills injecting crap into my system prompt, so I built a quarantine pipeline with two LLMs as reviewers (93.75% detection, zero false negatives)

Reddit r/openclaw

A developer built a quarantine pipeline using two LLM reviewers (Claude and Codex) to detect injection attacks in OpenClaw skills, achieving 93.75% detection rate with zero false negatives. The system uses a dual mandate of checklist-based pattern matching and open analysis to catch both known and novel injection techniques.