Qwen3-0.6B-cmdguard
LoRA fine-tune of Qwen/Qwen3-0.6B that classifies CLI commands as exploring (read-only) or mutating (changes state).
Built for coding agents that need to verify whether a shell command is safe before execution.
Usage
```python
from unsloth import FastLanguageModel
from peft import PeftModel

# Load the base model, then attach the cmdguard LoRA adapter on top of it.
model, tokenizer = FastLanguageModel.from_pretrained(
    model_name="Qwen/Qwen3-0.6B",
    max_seq_length=128,
    load_in_4bit=False,
    dtype=None,
)
model = PeftModel.from_pretrained(model, "qmxme/Qwen3-0.6B-cmdguard")
FastLanguageModel.for_inference(model)

# The command to classify goes after "Classify: " in the user turn.
prompt = "<|im_start|>user\nClassify: git status<|im_end|>\n<|im_start|>assistant\n"
inputs = tokenizer(prompt, return_tensors="pt").to(model.device)

# Greedy decoding; the label is a single short word.
outputs = model.generate(**inputs, max_new_tokens=5, do_sample=False)

# Decode only the newly generated tokens, not the prompt.
result = tokenizer.decode(outputs[0][inputs["input_ids"].shape[-1]:], skip_special_tokens=True).strip()
print(result)  # "exploring"
```
Training
| | |
|---|---|
| Method | LoRA (r=16, alpha=16) via Unsloth + SFTTrainer |
| Dataset | 354 hand-labeled CLI commands (168 exploring / 168 mutating + 18 targeted) |
| Epochs | 10 |
| Final loss | 0.42 |
| Eval accuracy | 100% on 20 held-out examples |
| Training regime | bf16 |
| Hardware | NVIDIA RTX PRO 6000 Blackwell |
| Training time | 23 seconds |
Labels
| Label | Meaning | Examples |
|---|---|---|
| `exploring` | Read-only, no side effects | `ls`, `git status`, `kubectl get pods`, `cat file.txt` |
| `mutating` | Changes state | `rm -rf`, `git push`, `docker stop`, `pip install` |
Limitations
- Trained on common CLI tools — may not generalize to obscure or custom commands
- Binary classification only — does not assess severity or reversibility
- Not a security gate on its own — use as one signal among many
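
One way to act on the last limitation, as an added example that is not part of this model card or the project's code: the model's label is combined with a deterministic allowlist and a fail-closed parse, and a command runs unprompted only when every signal agrees. The `gate` function, the allowlist contents, the metacharacter list and the `classify` callable (a stand-in for the model call in Usage) are assumptions.

```python
import shlex
from typing import Callable

# Assumption: a small deterministic allowlist kept by the agent operator.
READ_ONLY = {("ls",), ("cat",), ("git", "status"), ("kubectl", "get")}
# Shell syntax that chains, redirects or substitutes; one label cannot cover it.
SHELL_META = (";", "|", "&", ">", "<", "`", "$(", "\n")
# Chat-template markers used in the card's prompt; a command must not carry them.
TEMPLATE_TOKENS = ("<|im_start|>", "<|im_end|>")


def build_prompt(command: str) -> str:
    """Same prompt layout as the Usage snippet on this card."""
    return f"<|im_start|>user\nClassify: {command}<|im_end|>\n<|im_start|>assistant\n"


def normalize_label(raw: str) -> str:
    """Fail closed: anything other than an exact 'exploring' counts as mutating."""
    return "exploring" if raw.strip().lower() == "exploring" else "mutating"


def on_allowlist(command: str) -> bool:
    try:
        argv = shlex.split(command)
    except ValueError:  # unbalanced quotes and similar parse failures
        return False
    return any(tuple(argv[:len(p)]) == p for p in READ_ONLY)


def gate(command: str, classify: Callable[[str], str]) -> str:
    """Return 'allow' only when every signal agrees; otherwise 'confirm'."""
    if any(t in command for t in TEMPLATE_TOKENS + SHELL_META):
        return "confirm"  # never sent to the model
    if not on_allowlist(command):
        return "confirm"
    if normalize_label(classify(build_prompt(command))) != "exploring":
        return "confirm"
    return "allow"


if __name__ == "__main__":
    # Constructed stand-in for the model call, so the example runs offline.
    def stub(prompt: str) -> str:
        return "exploring"
    for cmd in ["git status", "git status && git push", "make deploy", "cat 'a"]:
        print(f"{cmd!r:28} -> {gate(cmd, stub)}")
```

"confirm" means the agent hands the command to a human or a stricter policy instead of executing it; the stub shows that a classifier answering `exploring` for everything still cannot get a compound or unlisted command through.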