Comments (4)
My only suggestion here is to add a preview step for every execution, like a pull request.
from aicommand.
Thanks for the question. It's an essential question if I go further in this direction. It should have security checking or sandboxing to defend the user's environment from malicious attempts.
I don't plan to go further in this project, so I won't implement any security features, but I keep this issue open because it's an important missing feature. Any input is welcomed.
from aicommand.
I briefly looked at the code. This doesn't seem any different than if someone were to write their own CS that posts to a remote server.
A brief thought is that the returned values, if malicious (i.e. you crafted something to receive/parse out a malicious payload from GPT), maybe could be executed locally. Usually when we code against a remote server, the server is trusted (Do we trust GPT returned values 100%?).
This could be mitigated either at the Unity Editor level or in the user's CS itself. But overall it seems tame, and a problem that already would exist in a normal, custom-crafted CS script that a user could create in Unity that queries and returns values from a remote source.
Again, I only looked at the code briefly.
from aicommand.
> is that the returned values, if malicious, maybe could be executed locally

It's not just malicious returned values, but imprecise returned values. The RCE here is a piece of text that an LLM, a parrot, who has no ability to determine intent, be precise, or have confidence, that generates code that is dangerous.
from aicommand.
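The preview step and security check suggested in the comments above, as an added example that is not code from the aicommand project or from any commenter. `GeneratedCodeGate`, its methods and the pattern list are hypothetical; the caller is assumed to hold the generated script as a string before it is written to disk and compiled.

```csharp
// Added example: preview gate for LLM-generated editor scripts (all names here are hypothetical).
using System.Collections.Generic;
using System.Text.RegularExpressions;
using UnityEditor;

public static class GeneratedCodeGate
{
    // Constructed, non-exhaustive list of APIs that deserve a closer look in generated editor code.
    static readonly (string Pattern, string Reason)[] Flags =
    {
        (@"\bSystem\.Diagnostics\b|\bProcess\.Start\b", "starts external processes"),
        (@"\bFile\.(Delete|Move|Write\w*)\b|\bDirectory\.Delete\b|\bFileUtil\.\w+", "modifies or deletes files"),
        (@"\bAssetDatabase\.(DeleteAsset|MoveAssetToTrash)\b", "deletes project assets"),
        (@"\bSystem\.Net\b|\bUnityWebRequest\b|\bHttpClient\b", "makes network requests"),
        (@"\bSystem\.Reflection\b|\bAssembly\.Load\w*\b|\bDllImport\b", "loads or invokes code dynamically"),
        (@"\bEnvironment\.\w+|\bRegistry\b", "reads environment or registry"),
    };

    // Returns the reasons the code was flagged. An empty list means no pattern matched,
    // not that the code is safe: this is a text heuristic, not a sandbox.
    public static List<string> Scan(string code)
    {
        var hits = new List<string>();
        foreach (var (pattern, reason) in Flags)
            if (Regex.IsMatch(code, pattern))
                hits.Add(reason);
        return hits;
    }

    // Shows the prompt, the findings and the generated code to the user.
    // The caller writes and compiles the script only when this returns true.
    public static bool Approve(string prompt, string code)
    {
        var hits = Scan(code);
        var findings = hits.Count == 0
            ? "No flagged APIs found. Review the code anyway."
            : "Flagged: " + string.Join("; ", hits);
        var message = $"Prompt:\n{prompt}\n\n{findings}\n\nGenerated code:\n{code}";
        // DisplayDialog returns true only when the user clicks the ok button ("Run").
        return EditorUtility.DisplayDialog("Run generated script?", message, "Run", "Cancel");
    }
}
```

The scan only highlights what the reviewer should look at; the approval click is the control, which also covers the imprecise-but-not-malicious output raised in the last comment.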