Qwen Code rejects FTP access

This looks less like censorship in the dramatic sense and more like an agentic tool refusing to cross a security boundary. For developers, that is both the point and the pain: the same guardrails that reduce risk also make the agent feel less useful when you want it to just execute.

• –Qwen Code is an agentic terminal tool, so most of the “personality” here comes from its system prompt and tool policy, not just the base model.
• –Refusing to read credentials out of a database is defensible; once secrets enter the model context, you risk leakage, logging exposure, and prompt-injection side effects.
• –The fact that a more imperative prompt changed behavior suggests the refusal is instruction-layer driven, which means it can likely be tuned, but also that safety and usefulness are tightly coupled.
• –For real ops workflows, the cleaner pattern is to have the model generate or orchestrate a narrow script with approved access, not to hand it raw secrets and broad network reach.
• –This is exactly where “uncensored” local models get attractive: not because they are smarter, but because they are often less opinionated about what they are allowed to do.