by pmbstyle
Alice is a voice-first desktop AI assistant application built with Vue.js, Vite, and Electron. Advanced memory system, function calling, MCP support, optional fully local use, and more.
# Add to your Claude Code skills
git clone https://github.com/pmbstyle/AliceLast scanned: 5/30/2026
{
"issues": [
{
"type": "npm-audit",
"message": "@electron/node-gyp: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@electron/rebuild: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@protobufjs/utf8: protobufjs has overlong UTF-8 decoding",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "@ricky0123/vad-web: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "@tootallnate/once: @tootallnate/once vulnerable to Incorrect Control Flow Scoping",
"severity": "low"
},
{
"type": "npm-audit",
"message": "@xmldom/xmldom: xmldom: XML injection via unsafe CDATA serialization allows attacker-controlled markup insertion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ajv: ajv has ReDoS when using `$data` option",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "app-builder-lib: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "axios: axios's shouldBypassProxy does not recognize IPv4-mapped IPv6 addresses, allowing NO_PROXY bypass (incomplete fix for CVE-2025-62718)",
"severity": "high"
},
{
"type": "npm-audit",
"message": "brace-expansion: brace-expansion: Zero-step sequence causes process hang and memory exhaustion",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "cacache: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "dmg-builder: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "dompurify: DOMPurify contains a Cross-site Scripting vulnerability",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "electron: Electron has ASAR Integrity Bypass via resource modification",
"severity": "high"
},
{
"type": "npm-audit",
"message": "electron-builder: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "electron-builder-squirrel-windows: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "follow-redirects: follow-redirects leaks Custom Authentication Headers to Cross-Domain Redirect Targets",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "glob: glob CLI: Command injection via -c/--cmd executes matches with shell:true",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ip-address: ip-address has XSS in Address6 HTML-emitting methods",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "js-yaml: js-yaml has prototype pollution in merge (<<)",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "jws: auth0/node-jws Improperly Verifies HMAC Signature",
"severity": "high"
},
{
"type": "npm-audit",
"message": "lodash: Lodash has Prototype Pollution Vulnerability in `_.unset` and `_.omit` functions",
"severity": "high"
},
{
"type": "npm-audit",
"message": "make-fetch-happen: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "minimatch: minimatch has a ReDoS via repeated wildcards with non-matching literal in pattern",
"severity": "high"
},
{
"type": "npm-audit",
"message": "onnx-proto: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "onnxruntime-web: Vulnerability found",
"severity": "high"
},
{
"type": "npm-audit",
"message": "picomatch: Picomatch: Method Injection in POSIX Character Classes causes incorrect Glob Matching",
"severity": "high"
},
{
"type": "npm-audit",
"message": "postcss: PostCSS has XSS via Unescaped </style> in its CSS Stringify Output",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "protobufjs: Arbitrary code execution in protobufjs",
"severity": "critical"
},
{
"type": "npm-audit",
"message": "qs: qs's arrayLimit bypass in comma parsing allows denial of service",
"severity": "medium"
},
{
"type": "npm-audit",
"message": "rollup: Rollup 4 has Arbitrary File Write via Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tar: node-tar Vulnerable to Arbitrary File Creation/Overwrite via Hardlink Path Traversal",
"severity": "high"
},
{
"type": "npm-audit",
"message": "tmp: tmp has Path Traversal via unsanitized prefix/postfix that enables directory escape",
"severity": "high"
},
{
"type": "npm-audit",
"message": "underscore: Underscore has unlimited recursion in _.flatten and _.isEqual, potential for DoS attack",
"severity": "high"
},
{
"type": "npm-audit",
"message": "undici: Undici has an unbounded decompression chain in HTTP responses on Node.js Fetch API via Content-Encoding leads to resource exhaustion",
"severity": "high"
},
{
"type": "npm-audit",
"message": "vite: Vite Vulnerable to Path Traversal in Optimized Deps `.map` Handling",
"severity": "high"
},
{
"type": "npm-audit",
"message": "ws: ws: Uninitialized memory disclosure",
"severity": "medium"
}
],
"status": "FAILED",
"scannedAt": "2026-05-30T15:08:56.675Z",
"npmAuditRan": true,
"pipAuditRan": true
}No comments yet. Be the first to share your thoughts!
Requires a passing catalog security scan. Resolve the flagged issues and resubmit to enable featuring.
Say "Hi" to Alice π, your open-source AI companion designed to live on your desktop.
Alice brings together voice interaction, intelligent context awareness, powerful tooling, and a friendly personality to assist you with everything from daily tasks to deeper creative work. Alice is more than a chatbot; sheβs built to feel present, responsive, emotionally engaging, and deeply useful.
Alice is designed to work with Cloud(OpenAI / Codex subscription, OpenRouter, Z.ai, Minimax, Deepseek) and Local LLMs (Ollama/LM Studio). Has built-in speech-to-text, text-to-speech, and embedding services. While the OpenAI cloud API is preferred and provides the best user experience, Alice can also operate fully locally (experimental).
gpt-4o-transcribe, google-tts-voice or whisper-large-v3)gpt-image-2Alice can interact with your local system with user-approved permissions:
π File system browsing (e.g., listing folders)
π» Shell command execution (ls, mv, mkdir, etc)
π Granular command approvals:
π§ Settings tab "Permissions" lets you review and manage all approved commands
With the local STT model, you can set a wake-up word (like "Hey, Siri").
Fully customizable settings interface:
Alice supports custom tools that are defined in JSON and backed by local scripts.
custom-tool-scripts/)custom-tools.jsonSwap Alice's appearance with your own video loops:
user-customization/custom-avatars/<AvatarName>/.speaking.mp4, thinking.mp4, and standby.mp4 into that folder (all required).π Download the latest release
| Platform | Download |
|---|---|
| Windows | Alice-AI-App-Windows-1.4.4-Setup.exe |
| macOS | Alice-AI-App-Mac-1.4.4-Installer.dmg |
| Linux | Alice-AI-App-Linux-1.4.4.AppImage |
| ArchLinux(community build) | AUR Package |
Follow the Setup Instructions to configure your API keys and environment.
Other tools:
# 1. Clone the repo
$ git clone https://github.com/pmbstyle/Alice.git
# 2. Install dependencies
$ npm install
# 3. Set up your .env file (see .env.example for reference)
Follow setup instructions to obtain required API credentials.
# 4. Compile backend
npm run build:go
# 5. Run dev environment
$ npm run dev
Optionally, create an app-config.json file in the root directory for Google integration:
{
"VITE_GOOGLE_CLIENT_ID": "",
"VITE_GOOGLE_CLIENT_SECRET": ""
}
# Build the app
$ npm run build
Install the output from the release/ directory.
Ideas, bug reports, feature requests - all welcome! Open an issue or PR, or drop by to share your thoughts. Your input helps shape Alice into something wonderful π