I was asking ChatGPT for analysis and table generation on some data, and I noticed that when it wants to provide the output of the analysis (output of code execution), in some cases, it uses a library called ace_tools (specifically while showing a table from a pandas DataFrame). I copy-pasted the code to regenerate the table, but it did not run because I did not have the aforementioned library. My immediate thought was to install the library using pip install ace-tools, but that did not work.

What is Ace Tools?

I had never seen this library before, and I thought it was a new library that might need to be installed in a different way. I searched for it on PyPI, but I could not find it there either. I found out that it is an internal library of OpenAI and is not publicly available. It is perhaps just showing the output to be displayed in the chat and is not meant to be used outside of OpenAI. There is a thread about it here: ChatGPT recommends the use of the Open AI internal library ace_tools

Here is an example of how it is used in the code generated by ChatGPT:

import pandas as pd
from ace_tools import display_dataframe_to_user

# doing some analysis and creating the data variable.
data = {...}

df = pd.DataFrame(data)

# Display to user
display_dataframe_to_user(name="Table Title", dataframe=df)

Security Risks

Currently, someone has gotten the library name on PyPI, and it does nothing but act as a placeholder. I do not know who registered the library name, but I think they could easily push some malicious code.

If you are using ChatGPT and copying the code it generates, be careful about the libraries it uses. If you see a library that is not familiar, search for information about it first. It might be an internal library of OpenAI or any other company, and using publicly available libraries that resemble the name could be a security risk.

What can a library like ace_tools do?

I just did a simple search and found some libraries that have been pushed to PyPI which are doing malicious things. For example, a library that can steal your cookies or passwords. Here is a blog post from Fortinet that describes some of the malicious packages hidden in PyPI: Malicious packages hidden in PyPI

Conclusion

In conclusion, be careful about the libraries used in the code generated by ChatGPT. Do not blindly trust the code and install the libraries used in the code.

– Ali