MLX Local AI

This package mostly does what it says (sets up a local LLM + embedding stack), but there are several red flags you should address before running: - Unknown model mirror: install/start set HF_ENDPOINT to https://hf-mirror.com. That mirror will serve model artifacts and possibly model-level code. Treat it as untrusted until you verify its operator and content. Prefer official Hugging Face endpoints or local model files. - Remote code execution risk: start_ai.sh launches the chat server with --trust-remote-code. When combined with an untrusted model mirror this allows arbitrary Python from the model repository to run on your machine. Only use --trust-remote-code with repositories you trust. - Missing file: install.sh expects scripts/embedding_server.py to exist (or copies it to $HOME/embedding_server.py), but the package does not include it. That means embedding may not start as advertised; inspect or provide that server script before installing. - Supply-chain & reproducibility: install.sh uses pip install with no pinned versions. That can install unexpected package versions. Review the pip packages (mlx, mlx-lm, sentence-transformers, etc.) and consider pinning versions or auditing them before installation. - Persistent environment changes: SKILL.md suggests appending a source line to your ~/.zshrc and install.sh creates files under $HOME. Back up your rc files first and review config/env.example before sourcing it. Recommended actions: review the code for mlx and mlx-lm packages, verify the identity/trustworthiness of hf-mirror.com or switch HF_ENDPOINT to a trusted source, remove --trust-remote-code or only use it for vetted model repos, supply or inspect embedding_server.py, and run the installation in an isolated environment (VM/container) if you want to test it safely.