I was asking ChatGPT for analysis and table generation on some data, and I noticed that when it wants to provide the output of the analysis (the output of code execution), in some cases it uses a library called ace_tools (specifically when showing a table from a pandas DataFrame). I copy-pasted the code to regenerate the table, but it did not run because I did not have the aforementioned library. The immediate go-to is to install the library by using pip install ace-tools, but it did not work.

What is Ace Tools?

I had never seen this library before, and I thought it was a new library that might need to be installed in a different way. I searched for it on PyPI and could not find it there either. I found out that it is an internal library of OpenAI and it is not publicly available. It is maybe just showing the output to be displayed in the chat, and it is not meant to be used outside of OpenAI. There is a thread here about it: ChatGPT recommends the use of the Open AI internal library ace_tools

Here is an example of how it is used in the code generated by ChatGPT:

import pandas as pd
from ace_tools import display_dataframe_to_user

# doing some analysis and creating the data variable.
data = {...}

df = pd.DataFrame(data)

# Display to user
display_dataframe_to_user(name="Table Title", dataframe=df)

Security Risks

Currently, someone has gotten the library name on PyPI, and it does nothing; it is just a placeholder. I do not know who registered the library name, but I think they can easily push some code to do something malicious.

If you are using ChatGPT and copying the code it generates, be careful about the libraries it uses. If you see a library that is not familiar, search for it first. It might be an internal library of OpenAI or another company, and installing a publicly available library with a similar name might be a security risk.

What can a library like ace_tools do?

I just did a simple search and found some libraries that have been pushed to PyPI which are doing malicious things. For example, a library that can steal your cookies or passwords. Here is a blog post from Fortinet that describes some of the malicious packages hidden in PyPI: Malicious packages hidden in PyPI

Conclusion

In conclusion, be careful about the libraries that are used in the code generated by ChatGPT. Do not blindly trust the code and install the libraries that are used in the code.

– Ali