I think you might want to correct ChatGPT to just GPT. As far as I know, there is no public API access point for ChatGPT. The OpenAI davinci model that you're likely using is based on InstructGPT (a different GPT-based beast). Also, I would be somewhat worried about this thing racking up massive bills for the larger files.
EDIT: okay, according to replies there is more than meets the eye
That package recommends using a ChatGPT proxy. This proxy has the ability to access ChatGPT in a way that OpenAI hasn’t been able to stop, but it requires a configuration file that is not open source.
Everyone using this proxy needs to provide an OpenAI ChatGPT access token to the server. Let me break this down:
Using the ChatGPT npm package gives an opaque third party access to your credentials to use ChatGPT — or exactly what a botnet / social media manipulation operation would need / want for a convincing bot. They just have to distribute load among all the active access tokens they’ve collected from users.
DO NOT use this library.
DO NOT trust code from authors who either don’t see this obvious vector or are in on it.
To recommend using an opaque third party proxy with no encryption is not acceptable. This lets someone peep into your conversations with the bot on top of the other malicious uses with credential hijacking. And while OpenAI is peeping as well, they are at least using the data to advance AI and most researchers have a deep relationship with the ethics of their field.
You are right. However, nothing is really secure. Email still operates on a store-and-forward model, where your message jumps from server to server (akin to UUCP in the 60s). Even SMTP is not secure in itself without authentication layers.
And also HTTPS is still sent as plain text. The cert authority itself doesn't have the keys to decode the text; it is just an authority to show the plain text, but all along it was plain text.
HTTPS is not plain text. Only the initial DNS resolution is (www.google.com). Everything after that is encrypted — address, payload, etc.
The cert authority simply signs a cert saying “this public key belongs to and is controlled by the owner of this domain name”. Since we both trust the cert authority, that signature allows us to prevent MITM attacks.
From there, we can do a Diffie-Hellman key exchange and derive our secret key for encryption / decryption.
That is secure and is the backbone of the internet today. It allows all of us to send messages to an intended recipient without worrying about other parties prying into our business.
A proxy introduces an unnecessary and unvetted third party into an exchange. There is significant financial and political motivation for hijacking sessions for higher access to the chatbot & future versions of it. It is not a good pattern to make a habit of.
I am speaking from professional experience, but I am not an expert.
I used to work professionally for a cybersecurity company for just 3 years; it was a short tenure, so my views are plausible.
I have designed MITM boxes for WiFi and HTTPS (for capturing/understanding botnets in honeypots), so I've seen how plain-text HTTPS is. (But again, I am wrong, as I am speaking from experience.)
Maybe you’re talking about some of the headers? Idk.
It doesn’t matter in any case as OpenAI released the official ChatGPT API, so the original post is irrelevant. That package will transition to the official API and should be usable.
While there is currently a waiting list to use the official ChatGPT API, the package uses an unofficial ChatGPT API. Surprisingly, the unofficial libraries are much more stable (not much dropping of requests or timeout issues) than the official libraries from OpenAI.
Author here: It currently uses ChatGPT. While ChatGPT is currently free, the use of the REPLICATE API for describing images will incur costs. At the moment, if you opt out of this feature, you can skip images for now.
However, future updates will have a configuration to be able to skip REPLICATE, or choose to use a paid OpenAI model.
The more words you send, the better the AI understands the file.
HOWEVER, it also comes with privacy concerns. You can choose to send only a few words for the AI to figure out your file.
Also, take note, the maximum payload for OpenAI is 4kb, so the app will just throw an error when it exceeds 4kb.
It should be noted that this tool uses a prompt [1] which does include the whole file, or in case of non textual content, the metadata of the image/video/audio file [2].
It should be feasible with GPT-J. You should be able to run it locally if you have a GPU with more than 16gb of video memory. Output quality might not match OpenAI offerings though.
I won't describe it as malware. Your link describes prompt injection, which is applicable to any software that currently employs LLMs (including this package).
To successfully exploit it an attacker would need to place a file with a malicious prompt on your hard drive. However, if that is the case then there are a lot of easier ways to execute various attacks.
How will you know if a file is free from a malicious prompt or not? The application seems to be able to download any file and analyze it. So from my perspective, I think it is easier this way than to execute another attack? Because these files may seem benign but can still run instructions from the prompts. Just think that the next pdf you are downloading from the web has no malware but only a malicious prompt. What will you do?
If a user can be tricked into downloading files and then running them, then why not trick a user into downloading and running actual malware?
With your pdf scenario it would be a possibility, but at the moment OpenAI davinci doesn't follow URLs. So, even if you take over the model with your malicious prompt, what would you gain? The worst I can think of is that you can misdirect the summary, which although amusing won't be that dangerous.
If you had a PDF reader which allowed arbitrary code execution on opening a file, would you argue the same?
You give arbitrary read/write to the LLM, right? So ransomware, causing network requests as side effects etc. could all be possible. Look at the paper to find more descriptions of what could go wrong: https://github.com/greshake/llm-security
A PDF reader hack will indeed be dangerous. I've looked at your link and they suggest that LLMs will fetch random files off the internet. At the moment, no LLM will do that. Network requests are currently off limits. In the paper they seem to perform attacks mainly against some library called "langchain". This library might indeed be vulnerable but it's more of a problem of this particular library.
Answering to myself as I can't edit my response any more. I've investigated a bit more and the attack as described by Greshake[1] seems to be much more realistic to me than I initially thought.
Yea that's me. It seems to be very difficult right now to get people's attention to this and make them take it seriously. On a side note, your project is also currently putting unfiltered model output straight into osascript sooooo a lot of the fancy gymnastics needed to make stuff work in the paper with only search abilities isn't required in this case.
Does this tool keep track of the categories it has used to build a directory structure over time, or does each file result in a new structure unrelated to the previous one?
That is actually in the TODO items. You can also pattern it to a curated folder (if you have one). This feature would be available on the next release.
I'd like to see that topic classifier! I was also thinking before about how to accomplish that, but now LLMs can classify and tag a text. GPT AI is really a huge jump in technological advancement. It will reshape this world we know today.
That's a good suggestion. At the moment, it uses several other applications to gather textual information about the file. In future releases, you can choose not to use other applications and just rely on the file name, etc.
Basically, it curates your files automatically using AI based on the file naming convention you set in the configuration file.
And it suggests tags and summarizes/describes the file based on its contents, then finally attaches those tags and comment to the file.
For example, if you have an unnamed file ‘document.doc’ that contains information about a parking ticket, then it will rename this file ‘ParkingTicket.doc’; you can add more organizational details like categories, etc.