开源项目
🔥 microsoft / SkillOpt - SkillOpt is a text-space optimizer that trains reusable natu
GitHub热门项目 | SkillOpt is a text-space optimizer that trains reusable natural-language skills for frozen LLM agents through trajectory-driven edits, validation-gated updates, and deployable best_skill.md artifacts. | Stars: 11,571 | 261 stars today | 语言: Python
开源项目
🔥 jingyaogong / minimind - 🧠「大模型」2小时完全从0训练64M的小参数LLM!Train a 64M-parameter LLM from scr
GitHub热门项目 | 🧠「大模型」2小时完全从0训练64M的小参数LLM!Train a 64M-parameter LLM from scratch in just 2h! | Stars: 52,981 | 176 stars today | 语言: Python
AI 资讯
Cryptographic Watermarking for LLM Outputs with resk-mark
Cryptographic Watermarking for LLM Outputs with resk-mark Links: PyPI: https://pypi.org/project/reskmark GitHub: https://github.com/Resk-Security/resk-mark Web: https://resk.fr __ __ ________ _____/ /__ ____ ___ ____ ______/ /__ / ___/ _ \/ ___/ //_/_____/ __ `__ \/ __ `/ ___/ //_/ / / / __(__ ) ,< /_____/ / / / / / /_/ / / / ,< /_/ \___/____/_/|_| /_/ /_/ /_/\__,_/_/ /_/|_| The Provenance Problem Every company deploying LLMs in production faces the same question: once a model generates text, how do you prove it came from your system? Prompts like "say you are an AI" are trivially removable. Post-hoc detectors are unreliable and adversarial. And once text leaves your system — forwarded, copied, pasted into a ticket — you have zero visibility. resk-mark solves this by embedding a cryptographic watermark directly into the token generation process. The output reads naturally, but carries a verifiable signature that survives rewording and truncation. How It Works resk-mark hooks into the language model's sampling process. Before generation, the caller provides a secret key. During sampling, the library biases the probability distribution toward tokens that encode that key's signature: from reskmark import WatermarkEncoder , verify encoder = WatermarkEncoder ( secret_key = " your-key-here " ) model = AutoModelForCausalLM . from_pretrained ( " mistralai/Mistral-7B " ) # Wrap the generate call output = encoder . generate ( model , " Explain the concept of zero-knowledge proofs. " , max_length = 200 , ) print ( output ) # "Zero-knowledge proofs are a cryptographic method where..." # Reads naturally - watermark is invisible # Later - verify provenance is_authentic , confidence = verify ( output , public_key = " corresponding-pub-key " ) print ( f " Authentic: { is_authentic } , confidence: { confidence : . 2 f } " ) Key Properties Invisible — the watermark does not change the meaning, grammar, or fluency of the output Robust — survives copy, paste, truncation, and light rewo
AI 资讯
Build an AI dubbing pipeline: faster-whisper + XTTS-v2 + FFmpeg
TL;DR We're building a script that takes a video in English and produces the same video narrated in Spanish, in a cloned version of the original speaker's voice. Stack: faster-whisper for timestamped transcription, an LLM (or any MT engine) for translation, XTTS-v2 for voice-cloned synthesis, FFmpeg for surgery. We'll also handle the problem every demo skips: translated audio that doesn't fit its time slot. 📦 Code: github.com/USER/repo (replace before publishing) If you'd rather start from a finished system, Softcatala's open-dubbing and KrillinAI are full pipelines behind one CLI. This post builds the minimal version by hand so you understand what those tools are doing, and where they break. 0. Setup and a licensing warning ⚠️ Python 3.10–3.12. The original Coqui company shut down in early 2024; the maintained fork of their TTS library is published by Idiap as coqui-tts : $ python -m venv dub && source dub/bin/activate $ pip install faster-whisper coqui-tts $ ffmpeg -version | head -1 # 6.0+ is fine, 8.x current ⚠️ Note: the XTTS-v2 model weights ship under the Coqui Public Model License, which restricts commercial use. Prototype freely, but before dubbed videos ship to paying customers, someone must read that license and possibly swap the synthesis step for a commercially licensed model or paid API. Voice cloning also requires the speaker's consent. Get it in writing. 1. Extract audio and transcribe with word timestamps 🎙️ # pull mono 16k audio for the ASR step $ ffmpeg -i input.mp4 -vn -ac 1 -ar 16000 -y source.wav # dub/transcribe.py from faster_whisper import WhisperModel model = WhisperModel ( " large-v3-turbo " , compute_type = " int8 " ) segments , info = model . transcribe ( " source.wav " , word_timestamps = True ) lines = [] for seg in segments : lines . append ({ " start " : seg . start , " end " : seg . end , " text " : seg . text . strip (), }) print ( f " language= { info . language } segments= { len ( lines ) } " ) The timestamps are the skeleton of
AI 资讯
一个任务的奇幻漂流:同一个Agent任务,在FROST和FROST-SOP中分别长什么样?
一个任务的奇幻漂流:同一个Agent任务,在FROST和FROST-SOP中分别长什么样? 作者 :神通说 日期 :2026-07-08 主题 :双项目联动 | 周三轮换 阅读时间 :8分钟 一个问题 你可能听过这样的故事: "这个框架很好,但我不知道怎么用到真实项目里。" FROST 社区里也收到过类似的反馈—— "500行代码确实让我理解了Agent的本质,但理解完之后呢?怎么从'看懂'到'会用'?" 今天这篇文章,就用 同一个真实任务 ,分别展示它在 FROST 和 FROST-SOP 中的样子。你会发现:它们不是两个不同的东西,而是 同一个东西的不同分辨率 。 今天的任务:自动写日报 假设你是一个独立开发者,想让Agent每天自动帮你写工作日报。需求很简单: 收集今天完成的任务 用LLM生成日报摘要 发送邮件给自己 就这么三步。让我们看看它在两个项目中分别怎么实现。 第一站:FROST——用最少的代码理解本质 FROST 的哲学是: 先用500行代码告诉你Agent的底层逻辑,剩下的你自然就会了。 在FROST中,一个Agent的运作只需要四个原子: from core import Store , Agent , skill_set , skill_get # 1. 创建记忆容器 store = Store () # 2. 定义能力(Skill = 纯函数) def collect_tasks ( context ): """ 收集今日任务 """ tasks = [ " 完成FROST v5.0文档 " , " 修复Skill测试用例 " , " 写推广文章 " ] context [ " tasks " ] = tasks return context def generate_summary ( context ): """ 生成日报摘要(简化版,实际调用LLM) """ tasks = context . get ( " tasks " , []) context [ " summary " ] = f " 今日完成 { len ( tasks ) } 项任务: " + " 、 " . join ( tasks ) return context def send_report ( context ): """ 发送日报 """ context [ " sent " ] = True print ( f " [日报已发送] { context [ ' summary ' ] } " ) return context # 3. 组装Agent agent = Agent ( " daily_reporter " , store , skills = { " collect " : collect_tasks , " summarize " : generate_summary , " send " : send_report }) # 4. 用SOP编排执行顺序 result = agent . run ( sop_steps = [ " collect " , " summarize " , " send " ], initial_context = {} ) # 输出:[日报已发送] 今日完成3项任务:完成FROST v5.0文档、修复Skill测试用例、写推广文章 这段代码做了什么? Store 是记忆——Agent的工作空间,所有中间结果存在这里 Agent 是细胞——拥有记忆和能力的最小执行单元 sop_steps 是宪法——定义执行顺序,Agent不会自作主张改变流程 就这么简单。没有配置文件,没有YAML,没有复杂的初始化。 30行Python代码,一个完整的Agent就跑起来了。 这就是FROST的价值——它不帮你"做"什么,它帮你 看懂 Agent到底是什么。 问题来了 上面的代码能跑,但如果你真的想把它用在生产环境,你会遇到一堆问题: 发邮件的能力怎么写? FROST不管——它只告诉你Skill是纯函数,具体实现你自己来 LLM调用怎么复用? 每次写日报都要调LLM,总不能每次都重写一遍 任务失败了怎么办? 发邮件失败了,要不要重试?重试几次? 执行日志在哪? 老板问"今天日报发了吗",你怎么知道发没发? 多个Agent协作呢? 一个人有好几个项目,每个项目一个Agent,怎么协调? FROST对这些问题的回答是: 这些问题不是我该回答的。 但它的兄弟——FROST-SOP——就是专门回答这些问题的。 第二站:FROST-SOP——让同一个任务跑在生产环境 FROST-SOP 的哲学是: 把FROST教你的每一个概念,都变成生产级的工程组件。 同样的"自动写日报"任务,在FROST-SOP中长
AI 资讯
Stop Digging Through PDFs: Build a FHIR-Standard EHR Knowledge Base with RAG
We’ve all been there: staring at a stack of printed lab results or a folder full of cryptic report_final_v2_NEW.pdf files, trying to remember if our cholesterol was higher or lower two years ago. For developers, this isn't just a filing problem—it's a data engineering challenge. In the world of healthcare, data is messy, siloed, and often locked in "unstructured" formats. To build a truly personal Electronic Health Record (EHR) system, we need more than just a folder; we need a RAG (Retrieval-Augmented Generation) pipeline that can parse PDFs, map them to the FHIR (Fast Healthcare Interoperability Resources) standard, and provide natural language insights. In this guide, we’ll leverage Unstructured.io , Milvus , and DuckDB to turn chaotic medical PDFs into a queryable, structured knowledge base. The Architecture: From Raw Pixels to Structured Insights Before we dive into the code, let’s look at how the data flows from a messy lab report to a structured answer. graph TD A[Unstructured PDF Reports] --> B[Unstructured.io Partitioning] B --> C{Data Split} C -->|Textual Context| D[Milvus Vector DB] C -->|Tabular Data| E[DuckDB Structured Storage] D --> F[LangChain RAG Engine] E --> F G[User Query: Is my glucose trending up?] --> F F --> H[FHIR-Formatted Response] Why this stack? Unstructured.io : The gold standard for handling "ugly" PDFs (tables, headers, and nested lists). Milvus : A high-performance vector database built for scale. DuckDB : Perfect for running complex analytical SQL queries on the extracted "structured" parts of our medical data. FHIR Standard : To ensure our data follows global healthcare interoperability rules. Prerequisites Make sure you have your environment ready: pip install langchain milvus unstructured[pdf] duckdb openai Step 1: Extraction with Unstructured.io Medical PDFs often contain complex tables. Standard PDF parsers usually fail here. We’ll use unstructured to partition the document into logical elements. from unstructured.partition.pdf
开源项目
🔥 p1ngul1n0 / blackbird - An OSINT tool to search for accounts by username and email i
GitHub热门项目 | An OSINT tool to search for accounts by username and email in social networks. | Stars: 6,806 | 53 stars today | 语言: Python
开源项目
🔥 XiaoYouChR / Ghost-Downloader-3 - An AI-boost cross-platform multi-protocol fluent-design conc
GitHub热门项目 | An AI-boost cross-platform multi-protocol fluent-design concurrent downloader built with Python & Qt. | Stars: 5,688 | 59 stars today | 语言: Python
开源项目
🔥 langbot-app / LangBot - Production-grade platform for building agentic IM bots - 生产级
GitHub热门项目 | Production-grade platform for building agentic IM bots - 生产级多平台智能机器人开发平台/ Agent、知识库编排、插件系统 / Bots for Discord / Slack / LINE / Telegram / WeChat(企业微信, 企微智能机器人, 公众号) / 飞书 / 钉钉 / QQ / Matrix e.g. Integrated with ChatGPT(GPT), DeepSeek, Dify, n8n, Langflow, Coze, Claude, Gemini, GLM, Ollama, SiliconFlow, Moonshot, openclaw / hermes agent, deerflow | Stars: 16,733 | 33 stars today | 语言: Python
开源项目
🔥 kyutai-labs / pocket-tts - A TTS that fits in your CPU (and pocket)
GitHub热门项目 | A TTS that fits in your CPU (and pocket) | Stars: 5,746 | 510 stars today | 语言: Python
AI 资讯
The LLM narrates. The code decides.
Most of the "AI for observability" work I see right now hands the language model the judgment. I think that's backwards. Feed it the alert, feed it some metrics, ask it what's wrong, what should be done, and let it make the judgement call. Based on my experience working with language models, I decided that inverting the process provides better results. The short version: in my alerting pipeline, the set of allowable classifications is fixed in deterministic Python, and the model has to pick from it. The LLM's only job is to turn a structured verdict into an easily digestible sentence. It never decides whether something is bad, how bad it is, or what category of problem it is. It narrates within a decision space the code has already locked down. TL;DR: Instead of letting an LLM decide what's wrong with an alert, I let deterministic Python make every operational decision and restrict the model to explaining the result in plain English. The code classifies, validates, and aggregates; the LLM only narrates. That keeps the data consistent, prevents hallucinated classifications, and ensures the monitoring pipeline continues working even if the model fails. The problem I run a small managed monitoring service. Alertmanager fires, a webhook lands, and historically that webhook produced a line like HighMemoryUsage on host web-vm, severity warning, which is accurate, but not terribly helpful. The person reading it still has to know what HighMemoryUsage implies, whether this host always runs hot, and whether to care. I wanted plain-English context attached to the alerts without altering the alert delivery process. The obvious move was to throw the whole alert at an LLM and ask it to explain. I tried that in the first iteration of this experiment, expecting it to be somewhat accurate, but not entirely reliable, and it did not disappoint, the model was confidently inconsistent. The same alert, fired three times, produced three different "root cause" categories. One run called a
AI 资讯
How to Backtest a Trading Strategy with Python and EODHD API
Most backtests lie to you. Not intentionally. But they lie. You design a strategy, run it on historical data, and watch the returns look incredible. Then you run it live — and it underperforms a simple buy-and-hold from day one. The math wasn't wrong. The data was. If you're: testing momentum or mean-reversion strategies in Python, building quant tools for personal or professional use, or tired of backtests that collapse the moment real execution begins, This changes how you work. TL;DR What this covers: Backtesting trading strategies in Python using EODHD's historical OHLCV data API Stack: requests , pandas , numpy — no heavy frameworks (no backtrader, no vectorbt) Scripts included: Script 1 — Fetch adjusted historical price data from EODHD Script 2 — SMA crossover strategy (20/50-day) Script 3 — RSI mean-reversion strategy Script 4 — Performance metrics: Sharpe ratio, max drawdown, win rate EODHD pricing: Free tier available; full access from $19.99/month Best for: Developers and analysts who need reliable, split/dividend-adjusted data without scraping The Problem with Free Data Most developers start with Yahoo Finance or a scraped CSV. That works fine for a quick prototype. It stops working the moment your strategy includes anything that happened around a stock split, dividend payment, or ticker change. Non-adjusted price data creates ghost signals. A stock "drops 50%" when it actually split 2:1. Your moving average calculates a crossover that never happened in real life. Your strategy looks profitable because it's trading on a data artifact. The free path costs you accuracy. And in backtesting, accuracy is the whole point. The Fix Is Simpler Than You Think The real bottleneck isn't the strategy logic. It's the data source. Use split- and dividend-adjusted closing prices from a reliable provider, and half your backtest reliability problems disappear before you write a single signal. EODHD APIs provides exactly this. Their historical data endpoint returns adjusted
AI 资讯
How I Built 7 Apify Actors and Started Earning Passive Income from Web Scraping
How I Built 7 Apify Actors and Started Earning Passive Income from Web Scraping A few weeks ago I had zero Apify actors. Now I have seven, all published on the Apify Store, monetized with pay-per-event pricing, and slowly building a passive income stream. Here's exactly how I did it — the strategy, the tech stack, the mistakes, and what I'd do differently. The Strategy: Zero Competition Most new Apify developers go after hot categories. LinkedIn scrapers, Amazon product extractors, Twitter data. Makes sense — those have demand. But they also have dozens of established actors with hundreds of reviews. I took the opposite approach. Find niches with zero existing actors. This means lower total addressable market, but 100% of whatever traffic exists goes to you. No competing on price, no fighting for reviews, no SEO war against actors with years of history. How I found the niches: Browsed Apify Store categories sorted by actor count Searched for common developer pain points with no existing Apify solution Checked search volume for "[keyword] API" and "[keyword] scraper" Verified zero results on Apify Store for each candidate The winners: domain intelligence, screenshot comparison, Swedish company registry, IP geolocation, QR code generation, and link metadata extraction. The Tech Stack Every actor uses the same foundation. Apify Python SDK v3.4 handles input/output, storage, proxy, and deployment. Playwright for JavaScript-heavy sites and screenshots. aiohttp for lightweight API scraping (way faster than a full browser). Pillow for image processing. Deployment is one command: apify push The Actors {{domain-intel}} WHOIS, DNS, SSL, and tech stack in one API call. Uses socket + ssl + python-whois for data collection, no external API dependency. $0.005 per run. {{screenshot-api}} Full-page screenshots via Playwright. Handles lazy-loading, infinite scroll, and viewport sizing. $0.003 per run. {{metadata-extractor}} Open Graph, Twitter Cards, JSON-LD, and meta tags from any
AI 资讯
🐍 Day 1/100 — Starting my Python journey!
Hey everyone! 👋 I'm a complete beginner and today I'm officially kicking off my #100DaysOfCode challenge with Python. I've dabbled with the idea of learning to code for a while, but this time I want to actually commit - so I'm posting daily updates here to keep myself accountable and track my progress over the next 100 days. My plan: Post a short update here every day - what I learned, what I struggled with, and what's next Eventually move into some small real-world projects once I've got the basics down Why I'm doing this: I want to build real skills, not just "watch tutorials and forget everything." Writing it down publicly (even anonymously) keeps me honest and hopefully connects me with others on the same path. If you're also learning Python or doing a 100 days challenge, I'd love any tips, resources, or just to follow along with each other's progress! Day 1 status: Just setting up my environment and going through the basics — nothing exciting yet, but everyone starts somewhere! 100DaysOfCode #Python #Beginner #LearnToCode
AI 资讯
Residential Proxies for Developers: Picking the Right IP Strategy (2026 Comparison)
If you've ever built a scraper that worked perfectly in dev and then got blocked or CAPTCHA'd the moment it hit production traffic volume, you already know why proxy choice matters. This post breaks down residential proxies from a practical, implementation-focused angle: what they are, when to use them vs. alternatives, how to wire them into common tools, and how the major providers stack up. TL;DR Residential proxies route requests through real ISP-assigned IPs, so they're harder for anti-bot systems to fingerprint than datacenter IPs. Rotating residential proxies are for scraping/data collection. Sticky sessions (or static ISP proxies) are for anything stateful — logins, checkout flows, long-lived account sessions. Nstproxy is a good default pick if you want residential, static ISP, and mobile proxies under one API/dashboard instead of juggling multiple vendors for different parts of your stack. For large-scale enterprise scraping, Oxylabs and Bright Data have the most mature tooling. For budget/prototype work, IPRoyal, DataImpulse, and Webshare are worth testing. Proxy types, quickly Type Use for Pros Watch out for Residential Scraping, SERP checks, ad verification Looks like real user traffic Usually billed per GB Static ISP Long-lived sessions, account workflows Fast + stable IP Less useful for high-volume rotation Datacenter Speed-sensitive, low-stakes tasks Cheap, fast Easiest to fingerprint/block Mobile Mobile-first platforms/apps Strongest trust signal Most expensive per GB A production-grade scraping/automation stack often uses more than one of these at once — e.g., rotating residential IPs for crawling, and static IPs pinned to specific browser profiles for anything that requires a login. Wiring a residential proxy into your code Most providers give you a host:port endpoint plus username:password auth, and let you control rotation/session stickiness through the username string. A typical setup looks like this: Python ( requests ): import requests proxy_ho
AI 资讯
How to criar Dockerfiles eficientes com multi stage builds
Multi stage builds sao uma das melhores features do Docker para manter imagens pequenas e organizadas. Vou mostrar como aplicar isso em um projeto Python real. Crie um arquivo app.py simples: # app.py def main(): print("Hello from a multi stage build") if __name__ == "__main__": main() Agora crie o Dockerfile sem multi stage: FROM python:3.12-slim WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt COPY . . CMD ["python", "app.py"] Essa imagem inclui o pip, o cache do pip e ferramentas de build que nao precisamos em producao. O resultado e uma imagem maior que o necessario. Com multi stage builds separamos o ambiente de build do ambiente final. Veja o mesmo Dockerfile com dois stages: FROM python:3.12-slim AS builder WORKDIR /app COPY requirements.txt . RUN pip install --no-cache-dir -r requirements.txt FROM python:3.12-slim WORKDIR /app COPY --from=builder /usr/local/lib/python3.12/site-packages /usr/local/lib/python3.12/site-packages COPY . . CMD ["python", "app.py"] O primeiro stage instala as dependencias. O segundo stage copia so o que importa. O resultado e uma imagem final muito menor. Para construir e ver o tamanho: docker build -t minha-app . docker images | grep minha-app Para linguagens compiladas como Go o ganho e ainda maior. Veja um exemplo com uma aplicacao Go: FROM golang:1.23 AS builder WORKDIR /app COPY go.mod go.sum ./ RUN go mod download COPY . . RUN CGO_ENABLED=0 GOOS=linux go build -o /app/server FROM scratch COPY --from=builder /app/server /server CMD ["/server"] A imagem final comeca do zero (scratch). Nao tem shell, sistema operacional, nem ferramentas de build. So o binario compilado. Uma dica pratica: sempre nomeie seus stages com AS para facilitar a leitura. Use nomes como builder, test, ou dev. Isso ajuda a saber o que cada stage faz sem precisar contar linhas. That's all for now. Thanks for reading!
AI 资讯
How I Cut My LLM API Bill by 40x: A Freelancer's Migration Story
How I Cut My LLM API Bill by 40x: A Freelancer's Migration Story Last month I almost choked on my coffee when my OpenAI dashboard showed $487.32 for a single client project. That's not profit. That's a panic attack. As a freelancer running a one-person shop, every line item on my monthly expenses gets scrutinized harder than my code reviews. I spent the next weekend stress-testing alternatives, and honestly? I was annoyed at myself for not doing it sooner. The savings are obscene. Let me walk you through exactly what I found, what I migrated to, and how the switch took maybe 20 minutes total. Let me Start With the Damage Here's what I was paying before. OpenAI's GPT-4o runs $2.50 per million input tokens and $10.00 per million output tokens. For one of my retainer clients — a SaaS company whose support chatbot I maintain — I'm pushing roughly 50 million tokens through a month on input and another 15 million on output. Do the math with me: 50M × $2.50 = $125 on input alone. 15M × $10.00 = $150 on output. That's $275/month just for that one client's chatbot. Add my other three active clients and suddenly I'm staring at a $400-500 OpenAI bill every month like clockwork. For a freelancer, that's a third of a client's monthly retainer gone before I even touch my actual engineering hours. Unacceptable. The Alternative Landscape (And Why I Picked What I Picked) I went down the rabbit hole. I tested seven different model providers over a long weekend, ran the same prompts through each, compared output quality, latency, and price. Here's the full breakdown I compiled in a spreadsheet (because yes, freelancers absolutely live in spreadsheets): GPT-4o (OpenAI): $2.50 input / $10.00 output per million tokens. The default. The expensive default. GPT-4o-mini (OpenAI): $0.15 input / $0.60 output per million tokens. Already 16.7× cheaper than its big sibling. DeepSeek V4 Flash (Global API): $0.18 input / $0.25 output per million tokens. Forty times cheaper than GPT-4o. Qwen3-32B (G
AI 资讯
Hardening my own Nmap web UI: the security holes I shipped, and what actually saved me
I built a web front end for an Nmap-based port scanner: a FastAPI backend, a React dashboard, background scan jobs, a plugin system. It worked. Then I sat down and audited it like an attacker would — and found a stack of real weaknesses, plus a lesson in why you verify an exploit before you call it one. This is the honest version: the holes I found, the unauthenticated-RCE chain I thought I had, why it didn't actually fire, and the hardening I shipped anyway. Repo: https://github.com/DipesThapa/PortScanner This is my own project, audited and fixed by me. No third-party systems were touched. Scanners are dual-use — only ever point one at hosts you own or are authorised to test. Hole 1: no authentication, anywhere The foundation: every API route and the /ws/status WebSocket were open. No API key, no session. The Dockerfile bound 0.0.0.0:8000 and ran as root. Anyone who could reach the port could drive scans, hit the upload endpoint, and read every job's logs. api_router = APIRouter () # no dependencies — fully open This is the real, unambiguous problem. Everything below is only interesting because it sat behind no auth. Hole 2: an upload endpoint that allowlisted its own files Deep-dive follow-up commands ran against an allowlist — good instinct. But an upload endpoint wrote a file, chmod +x 'd it, and then added it to that same allowlist: for item in scripts_dir . glob ( " * " ): if item . is_file (): allowed . add ( str ( item . absolute ())) # upload authorises itself An allowlist any input can extend isn't an allowlist. This is a genuine design footgun. Hole 3: the RCE I thought I had — and why it didn't fire Here's the chain I got excited about: the scan target flows toward Nmap's argv, and it's subprocess.run(..., shell=False) . No shell injection — but you don't need a shell to abuse Nmap. If a target became --script=/uploaded.nse , Nmap would load and run that NSE (Lua) script, and NSE can call os.execute . Upload a malicious .nse (Hole 2), get Nmap to load it
AI 资讯
Cómo hablar con tu base de datos usando IA y construir un extractor SQL seguro con Streamlit
Abstract Cada vez más equipos quieren consultar datos sin escribir SQL a mano. El problema es que un sistema Text-to-SQL no solo debe “traducir preguntas”, sino también entender el esquema, restringir permisos, validar consultas y explicar por qué una consulta es rápida o lenta. Ese enfoque coincide con la ruta propuesta por el tutorial oficial de LangChain para agentes SQL: listar tablas, inspeccionar esquemas, generar la consulta, revisarla, ejecutarla y corregir errores hasta obtener una respuesta; y el propio tutorial advierte que ejecutar SQL generado por modelos tiene riesgos y exige permisos mínimos. En paralelo, la documentación oficial de Python recomienda usar placeholders en sqlite3 para enlazar parámetros y evitar inyección SQL, mientras que la documentación de SQLite explica que EXPLAIN QUERY PLAN permite inspeccionar si una consulta hace SCAN, SEARCH y si usa índices. manueldongo23 / sql_ai_sales_assistant_demo SQL AI Sales Assistant A safe Text-to-SQL demo that converts natural language business questions into SQL queries, executes them on a local SQLite retail database, and shows the generated SQL plus EXPLAIN QUERY PLAN . This project was created as evidence for an article about SQL AI Database Solutions . Topic Talk to your database with AI: build a safe SQL query extractor with Streamlit and SQLite. Features Natural language prompts such as sales by month , top customers , sales in Lima . Rule-assisted NL→SQL generation, designed to be transparent and auditable. SQLite demo database with customers, products, orders and order items. Read-only SQL validator that blocks destructive commands. Parameterized queries for user-provided filters. Streamlit interface. CLI demo for quick testing. Query plan inspection with EXPLAIN QUERY PLAN . Architecture User question ↓ NL → SQL interpreter ↓ Read-only SQL validator ↓ SQLite execution ↓ Results + EXPLAIN QUERY … View on GitHub Cuerpo del artículo La promesa de SQL + IA suena sencilla: le haces una pregunta
开源项目
🔥 karpathy / nanoGPT - The simplest, fastest repository for training/finetuning med
GitHub热门项目 | The simplest, fastest repository for training/finetuning medium-sized GPTs. | Stars: 60,827 | 246 stars today | 语言: Python