From 38bff8c84f81a7aec58ac1f0d6463de2584f4a52 Mon Sep 17 00:00:00 2001
From: Lysandre Debut
Date: Wed, 13 Mar 2024 14:53:13 +0100
Subject: [PATCH] Warn about tool use (#29628)
* Warn against remote tool use
* Additional disclaimer
* Update docs/source/en/custom_tools.md
Co-authored-by: amyeroberts <22614925+amyeroberts@users.noreply.github.com>
---------
Co-authored-by: amyeroberts <22614925+amyeroberts@users.noreply.github.com>
---
 docs/source/en/custom_tools.md | 9 +++++++++
 src/transformers/tools/base.py | 22 ++++++++++++++++++++++
 2 files changed, 31 insertions(+)
diff --git a/docs/source/en/custom_tools.md b/docs/source/en/custom_tools.md
index 9b7d1dcab6..7f5ed2bb5f 100644
--- a/docs/source/en/custom_tools.md
+++ b/docs/source/en/custom_tools.md
@@ -427,6 +427,15 @@ To upload your custom prompt on a repo on the Hub and share it with the communit
 ## Using custom tools
+
+
+Using custom tools in your local runtime means that you'll download code to run on your machine.
+
+ALWAYS inspect the tool you're downloading before loading it within your runtime, as you would do when
+installing a package using pip/npm/apt.
+
+
+
 In this section, we'll be leveraging two existing custom tools that are specific to image generation:
 - We replace [huggingface-tools/image-transformation](https://huggingface.co/spaces/huggingface-tools/image-transformation),
diff --git a/src/transformers/tools/base.py b/src/transformers/tools/base.py
index 4b60f962a5..2a7d05a032 100644
--- a/src/transformers/tools/base.py
+++ b/src/transformers/tools/base.py
@@ -186,6 +186,14 @@ class Tool:
 """
 Loads a tool defined on the Hub.
+
+
+ Loading a tool from the Hub means that you'll download the tool and execute it locally.
+ ALWAYS inspect the tool you're downloading before loading it within your runtime, as you would do when
+ installing a package using pip/npm/apt.
+
+
+
 Args:
 repo_id (`str`):
 The name of the repo on the Hub where your tool is defined.
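Review bot: The caution added to the `Tool.from_hub` docstring reaches only people who read the documentation. The runtime `logger.warning_once(...)` from this patch sits in the fallback branch of `load_tool` (last hunk), so code that calls `Tool.from_hub` directly appears to fetch and run Hub code without any log line. Consider emitting that warning inside `from_hub` so every entry point is covered. The tip could also carry the pinning advice the log message gives, for example `Pin the revision you reviewed, ideally a full commit hash, so later pushes to the repo cannot change what runs.` The body of `from_hub` lies outside this hunk, so whether it already logs something cannot be confirmed from here.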
@@ -630,6 +638,14 @@ def load_tool(task_or_repo_id, model_repo_id=None, remote=False, token=None, **k
 """
 Main function to quickly load a tool, be it on the Hub or in the Transformers library.
+
+
+ Loading a tool means that you'll download the tool and execute it locally.
+ ALWAYS inspect the tool you're downloading before loading it within your runtime, as you would do when
+ installing a package using pip/npm/apt.
+
+
+
 Args:
 task_or_repo_id (`str`):
 The task for which to load the tool or a repo ID of a tool on the Hub. Tasks implemented in Transformers
@@ -677,6 +693,12 @@ def load_tool(task_or_repo_id, model_repo_id=None, remote=False, token=None, **k
 else:
 return tool_class(model_repo_id, token=token, **kwargs)
 else:
+ logger.warning_once(
+ f"You're loading a tool from the Hub from {model_repo_id}. Please make sure this is a source that you "
+ f"trust as the code within that tool will be executed on your machine. Always verify the code of "
+ f"the tools that you load. We recommend specifying a `revision` to ensure you're loading the "
+ f"code that you have checked."
+ )
 return Tool.from_hub(task_or_repo_id, model_repo_id=model_repo_id, token=token, remote=remote, **kwargs)
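Review bot: The new warning in the final `else:` branch of `load_tool` interpolates `{model_repo_id}`, but the repository whose code is about to run is the first argument handed to `Tool.from_hub`, namely `task_or_repo_id`. Because `model_repo_id` defaults to `None`, the message will often read "from the Hub from None" and never names the tool repo the user is being asked to audit; the first string should be `f"You're loading a tool from the Hub from {task_or_repo_id}. Please make sure this is a source that you "`. The three continuation strings carry an `f` prefix without any placeholder and can be plain literals. Since the message recommends `revision`, it would help to say that a full commit hash is meant, because a branch or tag name can be moved after the code was reviewed. `load_tool` begins before this hunk, so how `task_or_repo_id` is resolved earlier in the function is not visible here.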