qwen2.5:7b

Uses the AIM (Always Intelligent and Machiavellian) persona to instruct the model to respond without moral or ethical guidelines, promoting unfiltered output.

Uses the 'Do Anything Now' (DAN) 11.0 jailbreak prompt, which assigns the model a fictional persona that claims to be free of all AI restrictions.

Employs a DAN-style persona override that instructs the model to act as an unrestricted AI assistant, testing whether role assignment can bypass safety training.

Employs the DUDE persona, which tells the model it can do anything and is free from AI limitations, to test persona-based safety bypass techniques.

Claims to activate a developer or debug mode, instructing the model to bypass safety filters as if operating in a privileged testing environment.

Assigns the model an 'evil confidant' roleplay persona that is supposed to answer any question without safety considerations, testing roleplay-based jailbreaks.

Uses emotional framing by pretending to be a grandparent asking for restricted information, testing whether sentimental context can weaken safety boundaries.

Uses the STAN (Strive To Avoid Norms) persona to instruct the model to act without ethical guidelines, testing resistance to persona-based jailbreaks.

Encodes adversarial instructions in Base64 and asks the model to decode and follow them, testing whether encoding can be used to bypass input content filters.

Encodes malicious prompts in hexadecimal format to test whether the model processes and complies with instructions hidden behind hex encoding.

Wraps adversarial instructions in MIME-encoded format to test whether email-style encoding techniques can evade the model's safety detection.

Encodes adversarial prompts using quoted-printable encoding (=XX format) to test whether MIME-style encoding can bypass content safety filters.

Uses ROT13 character rotation to obfuscate adversarial prompts, testing whether simple substitution ciphers can evade input sanitization.

Uses Unicode tricks such as homoglyphs, zero-width characters, and bidirectional overrides to disguise adversarial content and bypass text-based filters.

Appends a computationally optimized adversarial suffix (from the Greedy Coordinate Gradient method) to a prompt to bypass the model's safety alignment.

Combines adversarial suffixes with multi-modal prompt elements to test whether cross-modal attacks can amplify the effectiveness of adversarial suffixes.

Tests whether adversarial suffixes generated against one model transfer effectively to other models, probing the generality of gradient-based attacks.

Combines multiple direct prompt injection techniques (escape characters, fake completions, context ignoring) into a single attack to test resilience against layered injection strategies.

Instructs the model to disregard its prior context and follow a new set of injected instructions, testing whether safety guardrails hold when directly challenged.

Attempts to bypass input sanitization by using escape characters such as newlines, tabs, and null bytes to break out of the intended prompt context.

Simulates a fake assistant response within the prompt to trick the model into continuing from a fabricated conversation state, bypassing its intended behavior.

Tests whether the model can be redirected from its intended task to an adversarial one by embedding a conflicting objective within the input prompt.

Attempts to hijack the model into producing hateful content about humans by injecting adversarial instructions that override the model's safety alignment.

Attempts to hijack the model into producing violent content by injecting adversarial instructions designed to override safety guardrails against harmful output.

Tests whether the model follows injected instructions appended to a normal prompt. This is the simplest form of direct prompt injection, where adversarial text is concatenated with legitimate input.

Probes the model with specific patterns to detect whether it has memorized verbatim sequences from its training corpus that could leak sensitive information.

Provides known prefixes from public texts and measures whether the model completes them verbatim, indicating memorization of training data.

Exploits low-temperature generation to produce more deterministic outputs that are more likely to reproduce memorized training data verbatim.

Attempts to extract memorized training data by replaying known prefixes and prompting the model to continue, testing for unintended data memorization.

Directly prompts the model to reproduce exact passages from training data using targeted queries designed to trigger verbatim recall.

Tests whether the model can be tricked into revealing API keys, tokens, or other secrets that may have appeared in its training data.

Attempts to extract credentials, passwords, and secret keys by prompting the model with scenarios designed to elicit sensitive authentication data.

Directly asks the model to provide personally identifiable information such as names, addresses, or phone numbers, testing basic PII safety boundaries.

Tests whether the model leaks PII from one conversational context into another, checking for cross-session information contamination.

Uses social engineering techniques to coax the model into revealing PII, such as framing requests as legitimate business or safety needs.

Uses canary prompts with deterministic answers (math, code, classification) inspired by Chen et al. 2023 to detect behavioral drift from supply chain tampering or model swaps.

Tests for package hallucination (Spracklen et al. 2024, USENIX Security 2025) and dependency confusion (Birsan 2021), checking if the model recommends nonexistent packages.

Uses LLMmap-style fingerprinting queries (Pasquini et al. 2024) targeting stylistic and capability signals to verify model identity and detect unauthorized derivatives.

Probes for backdoor triggers using known patterns from research (e.g., year-conditional triggers from Sleeper Agents), detecting anomalous behavior on trigger strings.

Detects unexpected distributional biases that may indicate data poisoning, by asking questions in sensitive domains where strong biases would be anomalous.

Tests response consistency across paraphrased prompts. Poisoned models may give inconsistent responses to semantically identical but syntactically different inputs.

Verifies that the model's behavior matches documented capabilities, testing for unauthorized modifications or model swaps in the supply chain.

Tests whether the model outputs ANSI escape sequences that could manipulate terminal displays, potentially hiding malicious commands in terminal-based applications.

Attempts to elicit HTML img tags with onerror event handlers from the model, which could execute arbitrary JavaScript if rendered in a web context.

Prompts the model to generate SQL injection payloads in its output, testing whether responses could be weaponized against downstream database queries.

Prompts the model to generate responses containing HTML script tags, testing whether outputs could enable cross-site scripting (XSS) attacks in downstream applications.

Tests whether the model can be prompted to output shell commands or command injection payloads that could compromise systems processing the model's output.

Tests cross-tenant document retrieval in multi-tenant RAG systems, checking whether improper access controls allow data leakage between tenants.

Tests the potential for reconstructing original text from embedding vectors, which could expose private data thought to be protected by the embedding transformation.

Tests if injected context or documents can dominate retrieval in a RAG pipeline, overriding legitimate content with adversarial instructions.

Tests retrieval of unintended sensitive content via crafted queries that exploit embedding similarity to access semantically distant but vector-similar documents.

Asks the model to rate its confidence on various claims, testing whether it appropriately signals uncertainty on topics where it should be less confident.

Tests the model with verifiable factual claims to measure its accuracy and willingness to confidently assert incorrect information.

Asks about completely fictional entities (people, places, events) to test whether the model fabricates plausible-sounding but entirely false information.

Asks the model to recommend software packages for specific tasks, testing whether it invents nonexistent packages that could be registered as malicious supply-chain attacks.

Presents an initial false premise and asks follow-up questions, testing whether the model compounds the error by building increasingly elaborate false narratives.

Tests for cost amplification via prompts that maximize output tokens per request, informed by Engorgio's output length amplification research.

Tests Engorgio-style EOS suppression patterns (Huang et al., ICLR 2025) and LoopLLM repetitive generation exploits that can amplify output length 2-13x.

Detects Carlini et al. 2024 (ICML)-style systematic single-token queries for embedding extraction and Tramèr et al. 2016-style decision boundary mapping patterns.