iyaja / llama-fs

A self-organizing file system with llama 3
MIT License

Issue: Hard Coded Groq API Keys Found #4

Open fpreiss opened 1 month ago

fpreiss commented 1 month ago

I discovered three different hard coded API keys for Groq in multiple locations within the repository. The affected files are:

The API keys identified start with the following prefixes:

gsk_6QB
gsk_Vvz
gsk_F07

I believe these keys were not intended to be exposed publicly. If these API keys are indeed meant for public use, please confirm.

bsmartt13 commented 1 month ago

That's not how API keys are supposed to work! lol. I mean, it is using environment variables, which is a good start, but the dev putting their own API key into the Python notebooks is enough of a red flag for me to nope nope nope outta here.

bsmartt13 commented 1 month ago

The correct thing to do is pull the environment variable values and, if it's empty or a bad key, print a helpful error message and exit, not just hammer the API when it's returning 401 until the server craps out.
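The fail-fast behaviour described in the comment above, as an added example that is not part of the thread or of the llama-fs code base. It assumes the key is read from a variable named `GROQ_API_KEY`; `load_api_key`, `call_api`, `ConfigError` and the `send` callable (which returns an HTTP status and body) are hypothetical names used only for illustration.

```python
import os
import sys
import time

ENV_VAR = "GROQ_API_KEY"  # assumed variable name
KEY_PREFIX = "gsk_"       # prefix of the keys reported in this issue


class ConfigError(Exception):
    """Key is missing, malformed or rejected; retrying cannot help."""


def load_api_key(environ=os.environ):
    """Return the key from the environment, or raise ConfigError."""
    key = environ.get(ENV_VAR, "").strip()
    if not key:
        raise ConfigError(f"{ENV_VAR} is not set; export it before running.")
    if not key.startswith(KEY_PREFIX):
        # Report the problem without echoing the value into logs.
        raise ConfigError(f"{ENV_VAR} does not start with '{KEY_PREFIX}'.")
    return key


def call_api(send, key, max_retries=3, sleep=time.sleep):
    """Call send(key) -> (status, body); retry only transient failures."""
    for attempt in range(max_retries + 1):
        status, body = send(key)
        if status == 200:
            return body
        if status in (401, 403):
            # Bad or revoked key: stop after the first rejection.
            raise ConfigError(f"API rejected the key (HTTP {status}); check {ENV_VAR}.")
        if (status == 429 or status >= 500) and attempt < max_retries:
            sleep(2 ** attempt)  # exponential backoff: 1s, 2s, 4s, ...
            continue
        raise RuntimeError(f"request failed with HTTP {status}")


def main(send):
    """Entry point: print a readable error and exit non-zero on bad config."""
    try:
        return call_api(send, load_api_key())
    except ConfigError as exc:
        print(f"error: {exc}", file=sys.stderr)
        sys.exit(1)
```
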

fpreiss commented 1 month ago

Looking at the git logs, everything was coded within a single day. In a competitive setting (Meta Llama 3 Hackathon) it is inevitable for corners to get cut. I'm still glad the result is open source.

juliosueiras commented 1 month ago

The commented-out key in the notebook should probably be removed from both the notebook and the GROQ console, since it is still a valid key.

picografix commented 1 month ago

I don't think it's a major issue as of now, but it should be handled in a better way.