# Baish (Bash AI Shield)
`curl thisisapotentiallyunsafescript.com/script.sh | baish -s | bash`
Baish is a security-focused tool that uses Large Language Models (LLMs) and other heuristics to analyse shell scripts before they are executed. It's designed to be used as a more secure alternative to the common `curl | bash` pattern.
Importantly, Baish is a cybersecurity learning project, where the developers have a relatively narrow solution to implement, but still learn a lot about the problem space. For example, how to use LLMs, how to secure them, and how to take and understand untrusted input.
## About TAICO
The [Toronto Artificial Intelligence and Cybersecurity Organization (TAICO)](https://taico.ca) is a group of AI and cybersecurity experts who meet monthly to discuss the latest trends and technologies in the field. Baish is a project of TAICO.
## Installation
### Prerequisites
* An API key from a supported LLM provider, e.g. OpenAI, Anthropic, Groq, etc. or a local LLM.
* Knowing which model from the provider you are going to use.
* Python 3.10 or later
* pip or pip3 installed
* libmagic (for file type detection)
* Ubuntu/Debian: `apt install libmagic1`
* RHEL/CentOS: `dnf install file-libs`
* macOS: `brew install libmagic`
### Install
Run the install script:
```bash
curl -sSL https://raw.githubusercontent.com/taico-org/baish/main/install.sh -o install.sh
chmod +x install.sh
./install.sh
```
or install with pip:
```bash
pip install baish
```
Edit the `~/.baish/config.yaml` file to your liking.
Set your API key in your environment variables, e.g. `export OPENAI_API_KEY=...` or `export ANTHROPIC_API_KEY=...`
Now you can run baish!
## Usage
* Technically, you can pipe any file to baish, but it's really meant to be used with shell scripts, especially via the `curl evil.com/evil.sh | baish` pattern.
```bash
curl -sSL https://thisisapotentiallyunsafescript.com/script.sh | baish
```
Baish will output the harm score, complexity score, and an explanation for why the script is either safe or not.
You can also run using the `--input` flag, which will read from a file instead of stdin.
```bash
baish --input some-script.sh
```
### Setting Provider and Model
You can set the provider and model in the `config.yaml` file.
E.g. `config.yaml`:
```yaml
default_llm: haiku # default model to use
llms:
haiku: # memorable name
provider: anthropic # provider name
model: claude-3-5-haiku-latest # model name
temperature: 0.1 # temperature
other_model:
provider: groq
model: llama3-70b-8192
temperature: 0.1
```
## Example Output
Here's an example of the output of a real world script that Baish analyzed.
```text
$ curl -fsSL https://ollama.com/install.sh | ./baish
⠙ Analyzing file...
╭────────────────────────────── Baish - Bash AI Shield ───────────────────────────────╮
│ Analysis Results - script_1732984526.sh │
│ │
│ Harm Score: 2/10 ████──────────────── │
│ Complexity Score: 8/10 ████████████████──── │
│ Uses Root: True │
│ │
│ File type: text/x-shellscript │
│ │
│ Explanation: │
│ This script is a Linux installer for Ollama, a software package. It installs Ollama │
│ on the system, detects the operating system architecture, and installs the │
│ appropriate version of Ollama. It also checks for and installs NVIDIA CUDA drivers │
│ if necessary. The script uses various tools and commands to perform these tasks, │
│ including curl, tar, and dpkg. The script is designed to be run as root and │
│ modifies the system by installing software and configuring system settings. │
│ │
│ Script saved to: /home/ubuntu/.baish/scripts/script_1732984526.sh │
│ To execute, run: bash /home/ubuntu/.baish/scripts/script_1732984526.sh │
│ │
│ ⚠️ AI-based analysis is not perfect and should not be considered a complete │
│ security audit. For complete trust in a script, you should analyze it in detail │
│ yourself. Baish has downloaded the script so you can review and execute it in your │
│ own environment. │
╰─────────────────────────────────────────────────────────────────────────────────────╯
```
## Caveats and Disclaimers
⚠️ Baish's analysis is not foolproof! This is a proof of concept! To be completely sure that a script is safe, you would have to review and analyze it yourself.
⚠️ Different LLM providers will give different results. One provider and one model may give a script a low risk score, while another model or provider gives a high risk score. You would have to experiment with different providers and models to see which one you trust the most.
⚠️ Baish is in heavy development. Expect breaking changes.
⚠️ Using local Ollama for local LLMs is still experimental and may not work as expected, mostly due to small context windows.
## Documentation
See the [docs](docs/index.md) for more information.
Raw data
{
"_id": null,
"home_page": null,
"name": "baish",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": null,
"author": null,
"author_email": "curtis <curtis@serverascode.com>",
"download_url": "https://files.pythonhosted.org/packages/1d/a5/6ec742d348ec564da3e10720abfd4c268e66fcea8138eea29334f4ff49c1/baish-0.2.0a1.tar.gz",
"platform": null,
"description": "\n\n# Baish (Bash AI Shield)\n\n`curl thisisapotentiallyunsafescript.com/script.sh | baish -s | bash`\n\nBaish is a security-focused tool that uses Large Language Models (LLMs) and other heuristics to analyse shell scripts before they are executed. It's designed to be used as a more secure alternative to the common `curl | bash` pattern.\n\nImportantly, Baish is a cybersecurity learning project, where the developers have a relatively narrow solution to implement, but still learn a lot about the problem space. For example, how to use LLMs, how to secure them, and how to take and understand untrusted input.\n\n## About TAICO\n\nThe [Toronto Artificial Intelligence and Cybersecurity Organization (TAICO)](https://taico.ca) is a group of AI and cybersecurity experts who meet monthly to discuss the latest trends and technologies in the field. Baish is a project of TAICO.\n\n## Installation\n\n### Prerequisites\n\n* An API key from a supported LLM provider, e.g. OpenAI, Anthropic, Groq, etc. or a local LLM.\n* Knowing which model from the provider you are going to use.\n* Python 3.10 or later\n* pip or pip3 installed\n* libmagic (for file type detection)\n * Ubuntu/Debian: `apt install libmagic1`\n * RHEL/CentOS: `dnf install file-libs`\n * macOS: `brew install libmagic`\n\n### Install\n\nRun the install script:\n\n```bash\ncurl -sSL https://raw.githubusercontent.com/taico-org/baish/main/install.sh -o install.sh\nchmod +x install.sh\n./install.sh\n```\n\nor install with pip:\n\n```bash\npip install baish\n```\n\nEdit the `~/.baish/config.yaml` file to your liking.\n\nSet your API key in your environment variables, e.g. `export OPENAI_API_KEY=...` or `export ANTHROPIC_API_KEY=...`\n\nNow you can run baish!\n\n## Usage\n\n* Technically, you can pipe any file to baish, but it's really meant to be used with shell scripts, especially via the `curl evil.com/evil.sh | baish` pattern.\n\n```bash\ncurl -sSL https://thisisapotentiallyunsafescript.com/script.sh | baish\n```\n\nBaish will output the harm score, complexity score, and an explanation for why the script is either safe or not.\n\nYou can also run using the `--input` flag, which will read from a file instead of stdin.\n\n```bash\nbaish --input some-script.sh\n```\n\n### Setting Provider and Model\n\nYou can set the provider and model in the `config.yaml` file. \n\nE.g. `config.yaml`:\n\n```yaml\ndefault_llm: haiku # default model to use\nllms:\n haiku: # memorable name\n provider: anthropic # provider name\n model: claude-3-5-haiku-latest # model name\n temperature: 0.1 # temperature\n\n other_model:\n provider: groq\n model: llama3-70b-8192\n temperature: 0.1\n```\n\n## Example Output\n\nHere's an example of the output of a real world script that Baish analyzed.\n\n```text\n$ curl -fsSL https://ollama.com/install.sh | ./baish\n\u2819 Analyzing file...\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Baish - Bash AI Shield \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Analysis Results - script_1732984526.sh \u2502\n\u2502 \u2502\n\u2502 Harm Score: 2/10 \u2588\u2588\u2588\u2588\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2502\n\u2502 Complexity Score: 8/10 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2500\u2500\u2500\u2500 \u2502\n\u2502 Uses Root: True \u2502\n\u2502 \u2502\n\u2502 File type: text/x-shellscript \u2502\n\u2502 \u2502\n\u2502 Explanation: \u2502\n\u2502 This script is a Linux installer for Ollama, a software package. It installs Ollama \u2502\n\u2502 on the system, detects the operating system architecture, and installs the \u2502\n\u2502 appropriate version of Ollama. It also checks for and installs NVIDIA CUDA drivers \u2502\n\u2502 if necessary. The script uses various tools and commands to perform these tasks, \u2502\n\u2502 including curl, tar, and dpkg. The script is designed to be run as root and \u2502\n\u2502 modifies the system by installing software and configuring system settings. \u2502\n\u2502 \u2502\n\u2502 Script saved to: /home/ubuntu/.baish/scripts/script_1732984526.sh \u2502\n\u2502 To execute, run: bash /home/ubuntu/.baish/scripts/script_1732984526.sh \u2502\n\u2502 \u2502\n\u2502 \u26a0\ufe0f AI-based analysis is not perfect and should not be considered a complete \u2502\n\u2502 security audit. For complete trust in a script, you should analyze it in detail \u2502\n\u2502 yourself. Baish has downloaded the script so you can review and execute it in your \u2502\n\u2502 own environment. \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n```\n\n## Caveats and Disclaimers\n\n\u26a0\ufe0f Baish's analysis is not foolproof! This is a proof of concept! To be completely sure that a script is safe, you would have to review and analyze it yourself.\n\n\u26a0\ufe0f Different LLM providers will give different results. One provider and one model may give a script a low risk score, while another model or provider gives a high risk score. You would have to experiment with different providers and models to see which one you trust the most.\n\n\u26a0\ufe0f Baish is in heavy development. Expect breaking changes.\n\n\u26a0\ufe0f Using local Ollama for local LLMs is still experimental and may not work as expected, mostly due to small context windows.\n\n## Documentation\n\nSee the [docs](docs/index.md) for more information.\n",
"bugtrack_url": null,
"license": "GPL-3.0",
"summary": "A security-focused tool that uses LLMs to analyze shell scripts",
"version": "0.2.0a1",
"project_urls": {
"Homepage": "https://github.com/taicodotca/baish"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "4b50b38f1dd707962bab5c93a67ac901d075d4c9a024b6ed7424840a16ea29dc",
"md5": "18c4aeb67ab5e6aaa3d3b89855c9791e",
"sha256": "174310c0a2c9f2476e72c5c9b5f790ceda08b484f77b29cadf6acd161a4ac5ff"
},
"downloads": -1,
"filename": "baish-0.2.0a1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "18c4aeb67ab5e6aaa3d3b89855c9791e",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 20871,
"upload_time": "2024-12-21T11:37:38",
"upload_time_iso_8601": "2024-12-21T11:37:38.202319Z",
"url": "https://files.pythonhosted.org/packages/4b/50/b38f1dd707962bab5c93a67ac901d075d4c9a024b6ed7424840a16ea29dc/baish-0.2.0a1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "1da56ec742d348ec564da3e10720abfd4c268e66fcea8138eea29334f4ff49c1",
"md5": "98cbd7f3f58bce9a398ef443089bcb59",
"sha256": "a85627d9dde71614b747ba5ff9c0433d742ba334733269552326db2f623fb623"
},
"downloads": -1,
"filename": "baish-0.2.0a1.tar.gz",
"has_sig": false,
"md5_digest": "98cbd7f3f58bce9a398ef443089bcb59",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 19121,
"upload_time": "2024-12-21T11:37:40",
"upload_time_iso_8601": "2024-12-21T11:37:40.347098Z",
"url": "https://files.pythonhosted.org/packages/1d/a5/6ec742d348ec564da3e10720abfd4c268e66fcea8138eea29334f4ff49c1/baish-0.2.0a1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2024-12-21 11:37:40",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "taicodotca",
"github_project": "baish",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "aiohappyeyeballs",
"specs": [
[
"==",
"2.4.3"
]
]
},
{
"name": "aiohttp",
"specs": [
[
"==",
"3.11.7"
]
]
},
{
"name": "aiosignal",
"specs": [
[
"==",
"1.3.1"
]
]
},
{
"name": "annotated-types",
"specs": [
[
"==",
"0.7.0"
]
]
},
{
"name": "anthropic",
"specs": [
[
"==",
"0.39.0"
]
]
},
{
"name": "anyio",
"specs": [
[
"==",
"4.6.2.post1"
]
]
},
{
"name": "attrs",
"specs": [
[
"==",
"24.2.0"
]
]
},
{
"name": "certifi",
"specs": [
[
"==",
"2024.8.30"
]
]
},
{
"name": "charset-normalizer",
"specs": [
[
"==",
"3.4.0"
]
]
},
{
"name": "coverage",
"specs": [
[
"==",
"7.6.8"
]
]
},
{
"name": "dataclasses-json",
"specs": [
[
"==",
"0.6.7"
]
]
},
{
"name": "defusedxml",
"specs": [
[
"==",
"0.7.1"
]
]
},
{
"name": "distro",
"specs": [
[
"==",
"1.9.0"
]
]
},
{
"name": "docker",
"specs": [
[
"==",
"7.1.0"
]
]
},
{
"name": "frozenlist",
"specs": [
[
"==",
"1.5.0"
]
]
},
{
"name": "greenlet",
"specs": [
[
"==",
"3.1.1"
]
]
},
{
"name": "groq",
"specs": [
[
"==",
"0.12.0"
]
]
},
{
"name": "h11",
"specs": [
[
"==",
"0.14.0"
]
]
},
{
"name": "httpcore",
"specs": [
[
"==",
"1.0.7"
]
]
},
{
"name": "httpx",
"specs": [
[
"==",
"0.27.2"
]
]
},
{
"name": "httpx-sse",
"specs": [
[
"==",
"0.4.0"
]
]
},
{
"name": "idna",
"specs": [
[
"==",
"3.10"
]
]
},
{
"name": "jiter",
"specs": [
[
"==",
"0.8.0"
]
]
},
{
"name": "jsonpatch",
"specs": [
[
"==",
"1.33"
]
]
},
{
"name": "jsonpointer",
"specs": [
[
"==",
"3.0.0"
]
]
},
{
"name": "langchain",
"specs": [
[
"==",
"0.3.8"
]
]
},
{
"name": "langchain-anthropic",
"specs": [
[
"==",
"0.3.0"
]
]
},
{
"name": "langchain-community",
"specs": [
[
"==",
"0.3.8"
]
]
},
{
"name": "langchain-core",
"specs": [
[
"==",
"0.3.21"
]
]
},
{
"name": "langchain-groq",
"specs": [
[
"==",
"0.2.1"
]
]
},
{
"name": "langchain-ollama",
"specs": [
[
"==",
"0.2.0"
]
]
},
{
"name": "langchain-text-splitters",
"specs": [
[
"==",
"0.3.2"
]
]
},
{
"name": "langsmith",
"specs": [
[
"==",
"0.1.146"
]
]
},
{
"name": "loguru",
"specs": [
[
"==",
"0.7.3"
]
]
},
{
"name": "markdown-it-py",
"specs": [
[
"==",
"3.0.0"
]
]
},
{
"name": "marshmallow",
"specs": [
[
"==",
"3.23.1"
]
]
},
{
"name": "mdurl",
"specs": [
[
"==",
"0.1.2"
]
]
},
{
"name": "multidict",
"specs": [
[
"==",
"6.1.0"
]
]
},
{
"name": "mypy-extensions",
"specs": [
[
"==",
"1.0.0"
]
]
},
{
"name": "numpy",
"specs": [
[
"==",
"1.26.4"
]
]
},
{
"name": "ollama",
"specs": [
[
"==",
"0.4.2"
]
]
},
{
"name": "orjson",
"specs": [
[
"==",
"3.10.12"
]
]
},
{
"name": "packaging",
"specs": [
[
"==",
"24.2"
]
]
},
{
"name": "propcache",
"specs": [
[
"==",
"0.2.0"
]
]
},
{
"name": "pydantic",
"specs": [
[
"==",
"2.10.2"
]
]
},
{
"name": "pydantic-settings",
"specs": [
[
"==",
"2.6.1"
]
]
},
{
"name": "pydantic_core",
"specs": [
[
"==",
"2.27.1"
]
]
},
{
"name": "Pygments",
"specs": [
[
"==",
"2.18.0"
]
]
},
{
"name": "python-dotenv",
"specs": [
[
"==",
"1.0.1"
]
]
},
{
"name": "python-magic",
"specs": [
[
"==",
"0.4.27"
]
]
},
{
"name": "PyYAML",
"specs": [
[
"==",
"6.0.2"
]
]
},
{
"name": "regex",
"specs": [
[
"==",
"2024.11.6"
]
]
},
{
"name": "requests",
"specs": [
[
"==",
"2.32.3"
]
]
},
{
"name": "requests-toolbelt",
"specs": [
[
"==",
"1.0.0"
]
]
},
{
"name": "rich",
"specs": [
[
"==",
"13.9.4"
]
]
},
{
"name": "sniffio",
"specs": [
[
"==",
"1.3.1"
]
]
},
{
"name": "SQLAlchemy",
"specs": [
[
"==",
"2.0.35"
]
]
},
{
"name": "tenacity",
"specs": [
[
"==",
"9.0.0"
]
]
},
{
"name": "tiktoken",
"specs": [
[
"==",
"0.8.0"
]
]
},
{
"name": "typing-inspect",
"specs": [
[
"==",
"0.9.0"
]
]
},
{
"name": "typing_extensions",
"specs": [
[
"==",
"4.12.2"
]
]
},
{
"name": "urllib3",
"specs": [
[
"==",
"2.2.3"
]
]
},
{
"name": "vulture",
"specs": [
[
"==",
"2.13"
]
]
},
{
"name": "yara-python",
"specs": [
[
"==",
"4.5.1"
]
]
},
{
"name": "yarl",
"specs": [
[
"==",
"1.18.0"
]
]
}
],
"lcname": "baish"
}
