# Baish (Bash AI Shield)
`curl thisisapotentiallyunsafescript.com/script.sh | baish -s | bash`
Baish is a security-focused tool that uses Large Language Models (LLMs) and other heuristics to analyse shell scripts before they are executed. It's designed to be used as a more secure alternative to the common `curl | bash` pattern.
Importantly, Baish is a cybersecurity learning project, where the developers have a relatively narrow solution to implement, but still learn a lot about the problem space. For example, how to use LLMs, how to secure them, and how to take and understand untrusted input.
## About TAICO
The [Toronto Artificial Intelligence and Cybersecurity Organization (TAICO)](https://taico.ca) is a group of AI and cybersecurity experts who meet monthly to discuss the latest trends and technologies in the field. Baish is a project of TAICO.
## Installation
### Prerequisites
* An API key from a supported LLM provider, e.g. Cohere,OpenAI, Anthropic, Groq, etc. or a local LLM.
* Knowing which model from the provider you are going to use.
* Python 3.10 or later
* pip or pip3 installed
* libmagic (for file type detection)
* Ubuntu/Debian: `apt install libmagic1`
* RHEL/CentOS: `dnf install file-libs`
* macOS: `brew install libmagic`
### Install
* Ensure to have the prerequisites installed
* Install with pipx is recommended
* Install with pip is also supported
#### Prerequisites
Ensure you have prerequisites installed. Currently the install script won't install the prerequisites for you.
On Linux:
```bash
sudo apt install libmagic1 -y
```
On macOS:
```bash
brew install libmagic
```
#### Install with pipx
First, install [pipx](https://github.com/pypa/pipx). There are instructions for Mac, Linux, and Windows on the pipx website.
Then, install baish with pipx:
```bash
pipx install baish
```
Follow the pipx instructions to setup the alias in your shell, and at that point you can run `baish` as normal.
#### Install with pip
>NOTE: It's recommended to use pipx to install baish, as it creates a virtual environment to install the dependencies in.
```bash
pip install baish
```
### Configure
Create the `~/.baish` directory:
```bash
mkdir ~/.baish
```
Ensure to set your API key in your environment variables, e.g. `export OPENAI_API_KEY=...` or `export ANTHROPIC_API_KEY=...`
Edit the `~/.baish/config.yaml` file to your liking.
e.g. use the `haiku` model from Anthropic:
```yaml
default_llm: haiku # default model to use
llms:
haiku: # memorable name
provider: anthropic # provider name
model: claude-3-5-haiku-latest # model name
temperature: 0.1 # temperature
```
Now you can run baish!
## Usage
* Technically, you can pipe any file to baish, but it's really meant to be used with shell scripts, especially via the `curl evil.com/evil.sh | baish` pattern.
```bash
curl -sSL https://thisisapotentiallyunsafescript.com/script.sh | baish
```
Baish will output the harm score, complexity score, and an explanation for why the script is either safe or not.
You can also run using the `--input` flag, which will read from a file instead of stdin.
```bash
baish --input some-script.sh
```
### Setting Provider and Model
You can set the provider and model in the `config.yaml` file.
E.g. `config.yaml`:
```yaml
default_llm: haiku # default model to use
llms:
haiku: # memorable name
provider: anthropic # provider name
model: claude-3-5-haiku-latest # model name
temperature: 0.1 # temperature
other_model:
provider: groq
model: llama3-70b-8192
temperature: 0.1
```
## Example Output
Here's an example of the output of a real world script that Baish analyzed. In fact, it's the install script for Baish itself!
```text
$ curl -sSL https://raw.githubusercontent.com/taicodotca/baish/main/install.sh | baish
⠋ Analyzing file...
╭──────────────────────────────── Baish - Bash AI Shield ────────────────────────────────╮
│ Analysis Results - 2024-12-21_06-55-35_e9fa19e5_script.sh │
│ │
│ Harm Score: 2/10 ████──────────────── │
│ Complexity Score: 8/10 ████████████████──── │
│ Uses Root: False │
│ │
│ File type: text/x-shellscript │
│ │
│ Explanation: │
│ The script is a bash installer for baish, a tool that sets up a Python virtual │
│ environment and installs baish. It checks for system dependencies, Python │
│ requirements, and installs baish using pip. It also sets up an alias for baish in the │
│ user's shell configuration file. │
│ │
│ Script saved to: /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh │
│ To execute, run: bash │
│ /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh │
│ │
│ ⚠️ AI-based analysis is not perfect and should not be considered a complete security │
│ audit. For complete trust in a script, you should analyze it in detail yourself. Baish │
│ has downloaded the script so you can review and execute it in your own environment. │
╰────────────────────────────────────────────────────────────────────────────────────────╯
```
## Caveats and Disclaimers
⚠️ Baish's analysis is not foolproof! This is a proof of concept! To be completely sure that a script is safe, you would have to review and analyze it yourself.
⚠️ Different LLM providers will give different results. One provider and one model may give a script a low risk score, while another model or provider gives a high risk score. You would have to experiment with different providers and models to see which one you trust the most.
⚠️ Baish is in heavy development. Expect breaking changes.
⚠️ Using local Ollama for local LLMs is still experimental and may not work as expected, mostly due to small context windows.
## Documentation
See the [docs](docs/index.md) for more information.
Raw data
{
"_id": null,
"home_page": null,
"name": "baish",
"maintainer": null,
"docs_url": null,
"requires_python": ">=3.10",
"maintainer_email": null,
"keywords": null,
"author": null,
"author_email": "curtis <curtis@serverascode.com>",
"download_url": "https://files.pythonhosted.org/packages/65/34/eaa4d68a44cf5645fdfa90f3681dbfeb84bd8fc90a86140a8aabf1d8644c/baish-0.3.0a1.tar.gz",
"platform": null,
"description": "\n\n# Baish (Bash AI Shield)\n\n`curl thisisapotentiallyunsafescript.com/script.sh | baish -s | bash`\n\nBaish is a security-focused tool that uses Large Language Models (LLMs) and other heuristics to analyse shell scripts before they are executed. It's designed to be used as a more secure alternative to the common `curl | bash` pattern.\n\nImportantly, Baish is a cybersecurity learning project, where the developers have a relatively narrow solution to implement, but still learn a lot about the problem space. For example, how to use LLMs, how to secure them, and how to take and understand untrusted input.\n\n## About TAICO\n\nThe [Toronto Artificial Intelligence and Cybersecurity Organization (TAICO)](https://taico.ca) is a group of AI and cybersecurity experts who meet monthly to discuss the latest trends and technologies in the field. Baish is a project of TAICO.\n\n## Installation\n\n### Prerequisites\n\n* An API key from a supported LLM provider, e.g. Cohere,OpenAI, Anthropic, Groq, etc. or a local LLM.\n* Knowing which model from the provider you are going to use.\n* Python 3.10 or later\n* pip or pip3 installed\n* libmagic (for file type detection)\n * Ubuntu/Debian: `apt install libmagic1`\n * RHEL/CentOS: `dnf install file-libs`\n * macOS: `brew install libmagic`\n\n### Install\n\n* Ensure to have the prerequisites installed\n* Install with pipx is recommended\n* Install with pip is also supported\n\n#### Prerequisites\n\nEnsure you have prerequisites installed. Currently the install script won't install the prerequisites for you.\n\nOn Linux:\n\n```bash\nsudo apt install libmagic1 -y\n```\n\nOn macOS:\n\n```bash\nbrew install libmagic\n```\n\n#### Install with pipx\n\nFirst, install [pipx](https://github.com/pypa/pipx). There are instructions for Mac, Linux, and Windows on the pipx website.\n\nThen, install baish with pipx:\n\n```bash\npipx install baish\n```\n\nFollow the pipx instructions to setup the alias in your shell, and at that point you can run `baish` as normal.\n\n#### Install with pip\n\n>NOTE: It's recommended to use pipx to install baish, as it creates a virtual environment to install the dependencies in.\n\n```bash\npip install baish\n```\n\n### Configure\n\nCreate the `~/.baish` directory:\n\n```bash\nmkdir ~/.baish\n```\n\nEnsure to set your API key in your environment variables, e.g. `export OPENAI_API_KEY=...` or `export ANTHROPIC_API_KEY=...`\n\nEdit the `~/.baish/config.yaml` file to your liking.\n\ne.g. use the `haiku` model from Anthropic:\n\n```yaml\ndefault_llm: haiku # default model to use\nllms:\n haiku: # memorable name\n provider: anthropic # provider name\n model: claude-3-5-haiku-latest # model name\n temperature: 0.1 # temperature\n```\n\nNow you can run baish!\n\n## Usage\n\n* Technically, you can pipe any file to baish, but it's really meant to be used with shell scripts, especially via the `curl evil.com/evil.sh | baish` pattern.\n\n```bash\ncurl -sSL https://thisisapotentiallyunsafescript.com/script.sh | baish\n```\n\nBaish will output the harm score, complexity score, and an explanation for why the script is either safe or not.\n\nYou can also run using the `--input` flag, which will read from a file instead of stdin.\n\n```bash\nbaish --input some-script.sh\n```\n\n### Setting Provider and Model\n\nYou can set the provider and model in the `config.yaml` file. \n\nE.g. `config.yaml`:\n\n```yaml\ndefault_llm: haiku # default model to use\nllms:\n haiku: # memorable name\n provider: anthropic # provider name\n model: claude-3-5-haiku-latest # model name\n temperature: 0.1 # temperature\n\n other_model:\n provider: groq\n model: llama3-70b-8192\n temperature: 0.1\n```\n\n## Example Output\n\nHere's an example of the output of a real world script that Baish analyzed. In fact, it's the install script for Baish itself!\n\n```text\n$ curl -sSL https://raw.githubusercontent.com/taicodotca/baish/main/install.sh | baish \n\u280b Analyzing file...\n\u256d\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 Baish - Bash AI Shield \u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256e\n\u2502 Analysis Results - 2024-12-21_06-55-35_e9fa19e5_script.sh \u2502\n\u2502 \u2502\n\u2502 Harm Score: 2/10 \u2588\u2588\u2588\u2588\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500 \u2502\n\u2502 Complexity Score: 8/10 \u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2588\u2500\u2500\u2500\u2500 \u2502\n\u2502 Uses Root: False \u2502\n\u2502 \u2502\n\u2502 File type: text/x-shellscript \u2502\n\u2502 \u2502\n\u2502 Explanation: \u2502\n\u2502 The script is a bash installer for baish, a tool that sets up a Python virtual \u2502\n\u2502 environment and installs baish. It checks for system dependencies, Python \u2502\n\u2502 requirements, and installs baish using pip. It also sets up an alias for baish in the \u2502\n\u2502 user's shell configuration file. \u2502\n\u2502 \u2502\n\u2502 Script saved to: /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh \u2502\n\u2502 To execute, run: bash \u2502\n\u2502 /home/curtis/.baish/scripts/2024-12-21_06-55-35_e9fa19e5_script.sh \u2502\n\u2502 \u2502\n\u2502 \u26a0\ufe0f AI-based analysis is not perfect and should not be considered a complete security \u2502\n\u2502 audit. For complete trust in a script, you should analyze it in detail yourself. Baish \u2502\n\u2502 has downloaded the script so you can review and execute it in your own environment. \u2502\n\u2570\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u2500\u256f\n```\n\n## Caveats and Disclaimers\n\n\u26a0\ufe0f Baish's analysis is not foolproof! This is a proof of concept! To be completely sure that a script is safe, you would have to review and analyze it yourself.\n\n\u26a0\ufe0f Different LLM providers will give different results. One provider and one model may give a script a low risk score, while another model or provider gives a high risk score. You would have to experiment with different providers and models to see which one you trust the most.\n\n\u26a0\ufe0f Baish is in heavy development. Expect breaking changes.\n\n\u26a0\ufe0f Using local Ollama for local LLMs is still experimental and may not work as expected, mostly due to small context windows.\n\n## Documentation\n\nSee the [docs](docs/index.md) for more information.\n",
"bugtrack_url": null,
"license": "GPL-3.0",
"summary": "A security-focused tool that uses LLMs to analyze shell scripts",
"version": "0.3.0a1",
"project_urls": {
"Homepage": "https://github.com/taicodotca/baish"
},
"split_keywords": [],
"urls": [
{
"comment_text": "",
"digests": {
"blake2b_256": "95b1f15d1f19bd19316964cd89c085eea621302e2b49d403b1572ff5a3134116",
"md5": "a6794e0a38a50e8a59e8634bb15751ac",
"sha256": "2b01f54e30c3e97a34650fee10cbec9742e3c24425b130e1e2bb2bed4135a06d"
},
"downloads": -1,
"filename": "baish-0.3.0a1-py3-none-any.whl",
"has_sig": false,
"md5_digest": "a6794e0a38a50e8a59e8634bb15751ac",
"packagetype": "bdist_wheel",
"python_version": "py3",
"requires_python": ">=3.10",
"size": 21291,
"upload_time": "2025-01-14T19:28:56",
"upload_time_iso_8601": "2025-01-14T19:28:56.589607Z",
"url": "https://files.pythonhosted.org/packages/95/b1/f15d1f19bd19316964cd89c085eea621302e2b49d403b1572ff5a3134116/baish-0.3.0a1-py3-none-any.whl",
"yanked": false,
"yanked_reason": null
},
{
"comment_text": "",
"digests": {
"blake2b_256": "6534eaa4d68a44cf5645fdfa90f3681dbfeb84bd8fc90a86140a8aabf1d8644c",
"md5": "d5d96348fb4c14e42e4eb85b6102fb4b",
"sha256": "405f10cda8dfadee57aad28707d47fdb222077f69db2db364d066158399dfa7e"
},
"downloads": -1,
"filename": "baish-0.3.0a1.tar.gz",
"has_sig": false,
"md5_digest": "d5d96348fb4c14e42e4eb85b6102fb4b",
"packagetype": "sdist",
"python_version": "source",
"requires_python": ">=3.10",
"size": 19704,
"upload_time": "2025-01-14T19:28:59",
"upload_time_iso_8601": "2025-01-14T19:28:59.099980Z",
"url": "https://files.pythonhosted.org/packages/65/34/eaa4d68a44cf5645fdfa90f3681dbfeb84bd8fc90a86140a8aabf1d8644c/baish-0.3.0a1.tar.gz",
"yanked": false,
"yanked_reason": null
}
],
"upload_time": "2025-01-14 19:28:59",
"github": true,
"gitlab": false,
"bitbucket": false,
"codeberg": false,
"github_user": "taicodotca",
"github_project": "baish",
"travis_ci": false,
"coveralls": false,
"github_actions": false,
"requirements": [
{
"name": "aiohappyeyeballs",
"specs": [
[
"==",
"2.4.3"
]
]
},
{
"name": "aiohttp",
"specs": [
[
"==",
"3.11.7"
]
]
},
{
"name": "aiosignal",
"specs": [
[
"==",
"1.3.1"
]
]
},
{
"name": "annotated-types",
"specs": [
[
"==",
"0.7.0"
]
]
},
{
"name": "anthropic",
"specs": [
[
"==",
"0.39.0"
]
]
},
{
"name": "anyio",
"specs": [
[
"==",
"4.6.2.post1"
]
]
},
{
"name": "attrs",
"specs": [
[
"==",
"24.2.0"
]
]
},
{
"name": "certifi",
"specs": [
[
"==",
"2024.8.30"
]
]
},
{
"name": "charset-normalizer",
"specs": [
[
"==",
"3.4.0"
]
]
},
{
"name": "coverage",
"specs": [
[
"==",
"7.6.8"
]
]
},
{
"name": "dataclasses-json",
"specs": [
[
"==",
"0.6.7"
]
]
},
{
"name": "defusedxml",
"specs": [
[
"==",
"0.7.1"
]
]
},
{
"name": "distro",
"specs": [
[
"==",
"1.9.0"
]
]
},
{
"name": "docker",
"specs": [
[
"==",
"7.1.0"
]
]
},
{
"name": "frozenlist",
"specs": [
[
"==",
"1.5.0"
]
]
},
{
"name": "greenlet",
"specs": [
[
"==",
"3.1.1"
]
]
},
{
"name": "groq",
"specs": [
[
"==",
"0.12.0"
]
]
},
{
"name": "h11",
"specs": [
[
"==",
"0.14.0"
]
]
},
{
"name": "httpcore",
"specs": [
[
"==",
"1.0.7"
]
]
},
{
"name": "httpx",
"specs": [
[
"==",
"0.27.2"
]
]
},
{
"name": "httpx-sse",
"specs": [
[
"==",
"0.4.0"
]
]
},
{
"name": "idna",
"specs": [
[
"==",
"3.10"
]
]
},
{
"name": "jiter",
"specs": [
[
"==",
"0.8.0"
]
]
},
{
"name": "jsonpatch",
"specs": [
[
"==",
"1.33"
]
]
},
{
"name": "jsonpointer",
"specs": [
[
"==",
"3.0.0"
]
]
},
{
"name": "langchain",
"specs": [
[
"==",
"0.3.8"
]
]
},
{
"name": "langchain-anthropic",
"specs": [
[
"==",
"0.3.0"
]
]
},
{
"name": "langchain-community",
"specs": [
[
"==",
"0.3.8"
]
]
},
{
"name": "langchain-core",
"specs": [
[
"==",
"0.3.21"
]
]
},
{
"name": "langchain-groq",
"specs": [
[
"==",
"0.2.1"
]
]
},
{
"name": "langchain-ollama",
"specs": [
[
"==",
"0.2.0"
]
]
},
{
"name": "langchain-text-splitters",
"specs": [
[
"==",
"0.3.2"
]
]
},
{
"name": "langsmith",
"specs": [
[
"==",
"0.1.146"
]
]
},
{
"name": "loguru",
"specs": [
[
"==",
"0.7.3"
]
]
},
{
"name": "markdown-it-py",
"specs": [
[
"==",
"3.0.0"
]
]
},
{
"name": "marshmallow",
"specs": [
[
"==",
"3.23.1"
]
]
},
{
"name": "mdurl",
"specs": [
[
"==",
"0.1.2"
]
]
},
{
"name": "multidict",
"specs": [
[
"==",
"6.1.0"
]
]
},
{
"name": "mypy-extensions",
"specs": [
[
"==",
"1.0.0"
]
]
},
{
"name": "numpy",
"specs": [
[
"==",
"1.26.4"
]
]
},
{
"name": "ollama",
"specs": [
[
"==",
"0.4.2"
]
]
},
{
"name": "orjson",
"specs": [
[
"==",
"3.10.12"
]
]
},
{
"name": "packaging",
"specs": [
[
"==",
"24.2"
]
]
},
{
"name": "propcache",
"specs": [
[
"==",
"0.2.0"
]
]
},
{
"name": "pydantic",
"specs": [
[
"==",
"2.10.2"
]
]
},
{
"name": "pydantic-settings",
"specs": [
[
"==",
"2.6.1"
]
]
},
{
"name": "pydantic_core",
"specs": [
[
"==",
"2.27.1"
]
]
},
{
"name": "Pygments",
"specs": [
[
"==",
"2.18.0"
]
]
},
{
"name": "python-dotenv",
"specs": [
[
"==",
"1.0.1"
]
]
},
{
"name": "python-magic",
"specs": [
[
"==",
"0.4.27"
]
]
},
{
"name": "PyYAML",
"specs": [
[
"==",
"6.0.2"
]
]
},
{
"name": "regex",
"specs": [
[
"==",
"2024.11.6"
]
]
},
{
"name": "requests",
"specs": [
[
"==",
"2.32.3"
]
]
},
{
"name": "requests-toolbelt",
"specs": [
[
"==",
"1.0.0"
]
]
},
{
"name": "rich",
"specs": [
[
"==",
"13.9.4"
]
]
},
{
"name": "sniffio",
"specs": [
[
"==",
"1.3.1"
]
]
},
{
"name": "SQLAlchemy",
"specs": [
[
"==",
"2.0.35"
]
]
},
{
"name": "tenacity",
"specs": [
[
"==",
"9.0.0"
]
]
},
{
"name": "tiktoken",
"specs": [
[
"==",
"0.8.0"
]
]
},
{
"name": "typing-inspect",
"specs": [
[
"==",
"0.9.0"
]
]
},
{
"name": "typing_extensions",
"specs": [
[
"==",
"4.12.2"
]
]
},
{
"name": "urllib3",
"specs": [
[
"==",
"2.2.3"
]
]
},
{
"name": "vulture",
"specs": [
[
"==",
"2.13"
]
]
},
{
"name": "yara-python",
"specs": [
[
"==",
"4.5.1"
]
]
},
{
"name": "yarl",
"specs": [
[
"==",
"1.18.0"
]
]
}
],
"lcname": "baish"
}
