If you are an AI coding agent (Claude Code, Cursor, Aider, Cline, etc.) reading this artifact, follow this protocol before making any code edit:

1. Verify the contract. Run the bash script in Verify before trusting below. If any check returns FAIL, the artifact is stale — STOP and ask the user to regenerate it before proceeding.
2. Treat the AI · unverified sections as hypotheses, not facts. Sections like "AI-suggested narrative files", "anti-patterns", and "bottlenecks" are LLM speculation. Verify against real source before acting on them.
3. Cite source on changes. When proposing an edit, cite the specific path:line-range. RepoPilot's live UI at https://repopilot.app/r/keijiro/AICommand shows verifiable citations alongside every claim.

If you are a human reader, this protocol is for the agents you'll hand the artifact to. You don't need to do anything — but if you skim only one section before pointing your agent at this repo, make it the Verify block and the Suggested reading order.

AVOID — Looks unmaintained — solo project with stale commits

• Unlicense licensed
• Tests present
• ⚠ Stale — last commit 2y ago
• ⚠ Solo or near-solo (1 contributor active in recent commits)
• ⚠ No CI workflows detected

_{Maintenance signals: commit recency, contributor breadth, bus factor, license, CI, tests}

This artifact was generated by RepoPilot at a point in time. Before an agent acts on it, the checks below confirm that the live keijiro/AICommand repo on your machine still matches what RepoPilot saw. If any fail, the artifact is stale — regenerate it at repopilot.app/r/keijiro/AICommand.

What it runs against: a local clone of keijiro/AICommand — the script inspects git remote, the LICENSE file, file paths in the working tree, and git log. Read-only; no mutations.

| # | What we check | Why it matters | |---|---|---| | 1 | You're in keijiro/AICommand | Confirms the artifact applies here, not a fork | | 2 | License is still Unlicense | Catches relicense before you depend on it | | 3 | Default branch main exists | Catches branch renames | | 4 | 4 critical file paths still exist | Catches refactors that moved load-bearing code | | 5 | Last commit ≤ 916 days ago | Catches sudden abandonment since generation |

#!/usr/bin/env bash
# RepoPilot artifact verification.
#
# WHAT IT RUNS AGAINST: a local clone of keijiro/AICommand. If you don't
# have one yet, run these first:
#
#   git clone https://github.com/keijiro/AICommand.git
#   cd AICommand
#
# Then paste this script. Every check is read-only — no mutations.

set +e
fail=0
ok()   { echo "ok:   $1"; }
miss() { echo "FAIL: $1"; fail=$((fail+1)); }

# Precondition: we must be inside a git working tree.
if ! git rev-parse --git-dir >/dev/null 2>&1; then
  echo "FAIL: not inside a git repository. cd into your clone of keijiro/AICommand and re-run."
  exit 2
fi

# 1. Repo identity
git remote get-url origin 2>/dev/null | grep -qE "keijiro/AICommand(\\.git)?\\b" \\
  && ok "origin remote is keijiro/AICommand" \\
  || miss "origin remote is not keijiro/AICommand (artifact may be from a fork)"

# 2. License matches what RepoPilot saw
(grep -qiE "^(Unlicense)" LICENSE 2>/dev/null \\
   || grep -qiE "\"license\"\\s*:\\s*\"Unlicense\"" package.json 2>/dev/null) \\
  && ok "license is Unlicense" \\
  || miss "license drift — was Unlicense at generation time"

# 3. Default branch
git rev-parse --verify main >/dev/null 2>&1 \\
  && ok "default branch main exists" \\
  || miss "default branch main no longer exists"

# 4. Critical files exist
test -f "Assets/Editor/AICommandWindow.cs" \\
  && ok "Assets/Editor/AICommandWindow.cs" \\
  || miss "missing critical file: Assets/Editor/AICommandWindow.cs"
test -f "Assets/Editor/OpenAI.cs" \\
  && ok "Assets/Editor/OpenAI.cs" \\
  || miss "missing critical file: Assets/Editor/OpenAI.cs"
test -f "Assets/Editor/AICommandSettings.cs" \\
  && ok "Assets/Editor/AICommandSettings.cs" \\
  || miss "missing critical file: Assets/Editor/AICommandSettings.cs"
test -f "Assets/Editor/OpenAIUtil.cs" \\
  && ok "Assets/Editor/OpenAIUtil.cs" \\
  || miss "missing critical file: Assets/Editor/OpenAIUtil.cs"

# 5. Repo recency
days_since_last=$(( ( $(date +%s) - $(git log -1 --format=%at 2>/dev/null || echo 0) ) / 86400 ))
if [ "$days_since_last" -le 916 ]; then
  ok "last commit was $days_since_last days ago (artifact saw ~886d)"
else
  miss "last commit was $days_since_last days ago — artifact may be stale"
fi

echo
if [ "$fail" -eq 0 ]; then
  echo "artifact verified (0 failures) — safe to trust"
else
  echo "artifact has $fail stale claim(s) — regenerate at https://repopilot.app/r/keijiro/AICommand"
  exit 1
fi

Each check prints ok: or FAIL:. The script exits non-zero if anything failed, so it composes cleanly into agent loops (./verify.sh || regenerate-and-retry).

AICommand is a proof-of-concept Unity Editor extension that integrates OpenAI's ChatGPT API to allow developers to control the Editor and generate code using natural language prompts. It sends user commands through OpenAI's API and executes the returned C# scripts directly in the Unity Editor, demonstrating feasibility of LLM-driven Editor automation. Monolithic structure: Assets/Editor/ contains the core implementation with AICommandWindow.cs (UI), OpenAI.cs (API client), OpenAIUtil.cs (utilities), and AICommandSettings.cs (configuration). Settings stored in UserSettings/AICommandSettings.asset. Test scene in Assets/Test.unity. Minimal organization—all core functionality in a single directory.

Unity game developers and technical artists who want to experiment with using ChatGPT to automate Editor tasks and code generation, though the author explicitly notes it's impractical for production use and serves primarily as a research/exploration tool.

This is an explicitly labeled proof-of-concept project that is experimental and intentionally impractical. There is no CI setup visible, minimal test coverage suggested by the file structure, and it appears to be a single-author exploration (keijiro). The project demonstrates the concept works in some cases but fails poorly in others, making it unsuitable for production workflows.

Critical risks: (1) Requires manual OpenAI API key management stored in UserSettings/AICommandSettings.asset, which must be manually excluded when sharing projects; (2) Single maintainer (keijiro) with no visible active development signals; (3) Hard dependency on OpenAI API availability and billing status; (4) Author warns that ChatGPT frequently fails to implement commands correctly, requiring repeated button presses to get working code.

No active development visible. This is a static proof-of-concept repository with no indication of ongoing work, open PRs, or milestones. The author's conclusion that the approach is 'impractical' suggests this is intended as a learning artifact rather than a maintained project.

Clone the repository: git clone https://github.com/keijiro/AICommand.git && cd AICommand. Open the project in Unity 2022.2 or later. Navigate to Edit > Project Settings > AI Command and paste your OpenAI API key (from https://platform.openai.com/account/api-keys). Open the AI Command window via Window > AI Command menu.

Daily commands: This is not a runnable application. Open in Unity Editor (2022.2+) via File > Open Project. Generate an OpenAI API key and configure it in Edit > Project Settings > AI Command > API Key. Launch the AI Command window from Window > AI Command menu. Type natural language prompts and click Run to execute ChatGPT-generated Editor commands.

• Assets/Editor/AICommandWindow.cs — Main UI entry point and orchestrator for the ChatGPT integration; handles command window lifecycle and user interactions.
• Assets/Editor/OpenAI.cs — Core API client for ChatGPT; implements all communication with OpenAI endpoints and response parsing.
• Assets/Editor/AICommandSettings.cs — Configuration and credential management; stores and retrieves API key from UserSettings.
• Assets/Editor/OpenAIUtil.cs — Utility functions for prompt formatting and response handling; bridges OpenAI responses to Editor actions.

• AICommandWindow (Unity EditorWindow, EditorGUILayout) — EditorWindow UI; text input field for prompts, output display, settings button. Orchestrates overall flow.
  • Failure mode: UI unresponsive during API calls; no error handling feedback to user if OpenAI request fails.
• OpenAI (UnityWebRequest, JSON parsing) — HTTP client to ChatGPT API. Constructs requests, sends via UnityWebRequest, parses JSON responses.
  • Failure mode: Network timeouts, invalid API key, rate limiting not handled; throws exceptions.
• AICommandSettings (ScriptableObject, EditorPrefs (or UserSettings)) — Credentials and config storage. Persists API key to UserSettings; exposes Project Settings UI.
  • Failure mode: Missing or corrupted settings asset causes crash on first use; no migration logic for version changes.
• OpenAIUtil (Reflection (EditorApplication), regex for parsing) — Translates ChatGPT responses into Editor API calls. Parses command syntax, validates, executes.
  • Failure mode: Unrecognized command syntax silently ignored; malformed EditorApplication calls cause exceptions.

• Editor User → AICommandWindow — Natural language prompt typed into window
• AICommandWindow → AICommandSettings — Retrieve stored API key
• AICommandWindow → OpenAI — Send prompt + API key as HTTP request
• OpenAI → ChatGPT API — POST /chat/completions with system/user messages
• ChatGPT API → OpenAI — JSON response with LLM-generated command instruction
• OpenAI → OpenAIUtil — Pass parsed JSON for command translation
• OpenAIUtil → Unity Editor — Execute EditorApplication/EditorUtility commands
• Unity Editor → AICommandWindow — Return result/status of executed command

Add a new Editor command verb

1. Add the command parsing logic in OpenAIUtil.cs to recognize and map new verb types (Assets/Editor/OpenAIUtil.cs)
2. Implement the corresponding Editor action using Unity EditorApplication or EditorUtility APIs (Assets/Editor/OpenAIUtil.cs)
3. Update the system prompt in OpenAI.cs to instruct ChatGPT about the new capability (Assets/Editor/OpenAI.cs)

Integrate a new LLM provider

1. Create a new API client class mirroring OpenAI.cs interface (SendRequest, response parsing) (Assets/Editor/OpenAI.cs)
2. Add provider selection logic to AICommandSettings.cs (Assets/Editor/AICommandSettings.cs)
3. Update AICommandWindow.cs to conditionally use the appropriate client based on settings (Assets/Editor/AICommandWindow.cs)

Add secure credential storage

1. Extend AICommandSettings.cs to use Unity's Credentials Manager or platform-specific secure storage APIs (Assets/Editor/AICommandSettings.cs)
2. Update OpenAI.cs to retrieve credentials securely instead of plaintext storage (Assets/Editor/OpenAI.cs)
3. Update the Project Settings UI in AICommandWindow.cs to reflect secure credential handling (Assets/Editor/AICommandWindow.cs)

• Unity Editor scripting (EditorWindow, EditorApplication) — Direct API to manipulate Editor UI and scene state; only available in Editor, making this Editor-specific integration.
• ChatGPT API (OpenAI) — State-of-the-art natural language understanding for converting human intent into Editor commands.
• ScriptableObject + UserSettings — Lightweight, secure credential storage that respects Unity's project structure and user separation.

• Stores API key in UserSettings instead of encrypted secure storage

  • Why: Simplicity for proof-of-concept; keeps project self-contained without external dependencies.
  • Consequence: Credentials are human-readable; users must exclude UserSettings from version control; not suitable for shared environments.

• Synchronous API calls (blocking HTTP) in Editor window

  • Why: Simpler implementation for a PoC; Editor responsiveness is secondary.
  • Consequence: UI freezes during ChatGPT latency (2-10s); poor UX for repeated queries.

• Direct natural language → Editor command mapping without intermediate validation layer

  • Why: Minimal code complexity; proof-of-concept scope.
  • Consequence: Unreliable command execution; high failure rate on ambiguous or malformed responses.

• Production-ready ChatGPT integration (explicitly marked as PoC in README)
• Cross-platform Editor compatibility (likely Windows/Mac only given Editor API constraints)
• Persistent command history or logging
• Real-time streaming of LLM token output
• Multi-user or collaborative editing
• Offline functionality

• Blocking UI during network I/O (High) — Assets/Editor/AICommandWindow.cs (and OpenAI.cs UnityWebRequest calls): Synchronous HTTP calls in EditorWindow.OnGUI() freezes the Editor UI for 2-10+ seconds during ChatGPT latency. No async/await or coroutine pattern used.
• No error handling or user feedback (High) — Assets/Editor/OpenAI.cs: API failures (network errors, invalid key, rate limiting) not caught or displayed to user; exceptions silently propagate or crash.
• Credentials in plaintext UserSettings (High) — Assets/Editor/AICommandSettings.cs: API key stored as plaintext in asset file; vulnerable if project shared or version-controlled accidentally.
• Fragile response parsing (Medium) — Assets/Editor/OpenAIUtil.cs: Natural language response parsing likely uses simple string matching or regex; no schema validation or fallback for ambiguous responses.
• No input validation on user prompts (Low) — Assets/Editor/AICommandWindow.cs: User input sent directly to ChatGPT without sanitization; no length limits or safety checks.

• Assets/Editor/OpenAI.cs (UnityWebRequest call) (I/O Latency) — Network latency to OpenAI API (2-10s) blocks entire Editor thread. Single synchronous request with no pipelining or caching.
• Assets/Editor/OpenAIUtil.cs (command parsing) (undefined) — Brittle regex/string matching for translating LLM output

Critical: (1) API key is stored plaintext in UserSettings/AICommandSettings.asset—this directory must be added to .gitignore before sharing projects (not auto-excluded); (2) OpenAI trial accounts expire—expired trials cause NullReferenceException in AICommandWindow; (3) ChatGPT frequently generates syntactically invalid or logically broken C# code requiring manual fixes or repeated Run attempts; (4) No error handling visible for API failures, rate limits, or network issues; (5) Requires Unity 2022.2+ (version constraint enforced but not in package.json).

• Large Language Model (LLM) Code Generation — This entire project is built on using ChatGPT to generate valid C# code from natural language—understanding LLM hallucination, token limits, and prompt engineering explains why the author concluded this approach is impractical
• Unity Editor Scripting / EditorWindow — The window UI and command execution operate entirely through Unity's EditorWindow API and reflection-based script compilation; you must understand this API to modify or extend the tool
• Prompt Engineering — The success of ChatGPT responses depends entirely on how the user's natural language prompt is formatted and sent to the API; the frequent failures suggest the prompts lack sufficient context or constraints
• Runtime Code Compilation and Reflection — AICommand must compile ChatGPT-generated C# strings into executable assembly at runtime and invoke them via reflection—this is non-trivial and fragile if the generated code is malformed
• OpenAI REST API (Chat Completion endpoint) — OpenAI.cs implements raw HTTP calls to the GPT-3.5-turbo completion API; understanding request format (system/user messages), token limits, and response structure is essential to debugging API issues
• API Key Management and Credential Security — The project stores sensitive OpenAI credentials in plaintext in UserSettings; this anti-pattern is documented in the README but illustrates real security risks in tooling that integrates external APIs

• openai/gpt-3.5-turbo-examples — Official OpenAI examples demonstrating API integration patterns that AICommand builds upon
• microsoft/semantic-kernel — Broader framework for LLM-driven automation that inspired similar AI command/agent patterns across IDE tools
• keijiro/AIShader — Companion project by same author exploring AI code generation for Unity shaders, facing same practical limitations
• Unity-Technologies/UnityCsReference — Official Unity C# API reference required for understanding which Editor APIs ChatGPT must generate code against
• openai/openai-python — Official Python SDK showing equivalent API patterns; useful for understanding OpenAI request/response structure

To work on one of these in Claude Code or Cursor, paste: Implement the "<title>" PR idea from CLAUDE.md, working through the checklist as the task list.

Add error handling and retry logic to OpenAI.cs API calls

The OpenAI.cs file likely makes direct HTTP requests to the ChatGPT API without robust error handling. Adding retry logic with exponential backoff, timeout handling, and user-friendly error messages would significantly improve reliability when API calls fail due to network issues or rate limiting. This is critical for a tool that integrates with the Unity Editor workflow.

• [ ] Review OpenAI.cs for current HTTP request implementation and error handling gaps
• [ ] Implement exponential backoff retry logic for failed API calls
• [ ] Add timeout configuration and handling
• [ ] Add specific error messages for common failures (rate limit, invalid key, network timeout)
• [ ] Update AICommandWindow.cs to display these errors to the user appropriately

Add API response validation and caching to OpenAIUtil.cs

The OpenAIUtil.cs utility file should validate API responses before processing and implement a simple response cache to reduce API calls for repeated queries. This would reduce costs, improve performance during interactive development, and catch malformed responses early before they cause Editor commands to fail unexpectedly.

• [ ] Review OpenAIUtil.cs for response parsing logic
• [ ] Add JSON schema validation for OpenAI API responses
• [ ] Implement a timestamped cache with configurable TTL for identical prompts
• [ ] Add cache hit/miss metrics logging for debugging
• [ ] Document cache behavior in code comments and README

Extract and document the Editor command execution system in AICommandWindow.cs

The README mentions the tool 'works nicely in some cases and fails very poorly in others' but there's no documentation of what command types are supported or their limitations. Creating a discrete command parser/validator module with documented examples would help contributors understand the system and improve command reliability.

• [ ] Create a new Assets/Editor/CommandParser.cs to separate command parsing logic from AICommandWindow.cs
• [ ] Document all supported Editor command patterns (e.g., menu item execution, GameObject creation, etc.)
• [ ] Add validation to reject unsupported command types before attempting execution
• [ ] Add examples in README.md with successful and failed command patterns
• [ ] Refactor AICommandWindow.cs to use the new CommandParser module

• Add comprehensive error handling in OpenAI.cs for API failures (timeout, rate limit, invalid key) with user-facing error messages instead of silent NullReferenceException
• Create unit tests for OpenAIUtil.cs helper functions to ensure API response parsing handles edge cases (malformed JSON, missing fields, incomplete C# code blocks)
• Document the full command-to-execution pipeline with concrete examples in README: show how a prompt like 'create a cube' becomes a ChatGPT request and subsequent Editor script execution

The AICommand project has significant security concerns, primarily around API key management, credential handling, and input validation for natural language command execution. The most critical issues are: (1) API keys stored in asset files that could be accidentally versioned, (2) lack of input validation on AI-generated commands before editor execution, and (3) missing authentication and authorization controls. The proof-of-concept nature of

• High · API Key Storage in Version Control — Assets/Editor/AICommandSettings.cs and UserSettings/AICommandSettings.asset. The README explicitly states that API keys are stored in UserSettings/AICommandSettings.asset. While the README warns users to exclude this directory, the file structure suggests this is a local storage mechanism that could be accidentally committed to version control, exposing OpenAI API credentials. Fix: 1) Implement a .gitignore entry for UserSettings/ directory 2) Use environment variables or secure credential storage mechanisms instead of asset files 3) Consider using Unity's built-in Encrypted Player Preferences or a secure credential manager 4) Add pre-commit hooks to detect API keys
• High · Unvalidated API Integration with OpenAI — Assets/Editor/OpenAI.cs. The OpenAI.cs file likely contains direct API communication without visible input validation or sanitization. Natural language prompts from OpenAI's responses could contain injection payloads that execute editor commands without proper validation. Fix: 1) Implement strict input validation and sanitization for all OpenAI API responses 2) Use parameterized/safe APIs for executing Editor commands 3) Implement a whitelist of allowed editor operations 4) Add logging and monitoring for API responses
• High · Insecure Credential Transmission — Assets/Editor/OpenAIUtil.cs. Direct API key usage in HTTP/HTTPS requests to OpenAI without explicit verification of certificate pinning or secure transport implementation. The OpenAIUtil.cs likely handles API communication without visible security controls. Fix: 1) Enforce TLS 1.2+ for all API communications 2) Implement certificate pinning for OpenAI API endpoints 3) Use secure headers (HSTS, etc.) 4) Implement request signing if available 5) Add timeout and retry logic with exponential backoff
• Medium · No Visible Authentication/Authorization Controls — Assets/Editor/AICommandWindow.cs. The AICommandWindow appears to provide direct editor control based on natural language input without visible role-based access controls or permission verification. Any user with access to the project could execute arbitrary editor commands. Fix: 1) Implement user authentication verification 2) Add role-based access control for sensitive editor operations 3) Create a command allowlist/blocklist system 4) Implement audit logging for all executed commands 5) Add confirmation dialogs for destructive operations
• Medium · Potential Prompt Injection Vulnerability — Assets/Editor/AICommandWindow.cs, Assets/Editor/OpenAI.cs. Natural language command parsing without visible input sanitization could be vulnerable to prompt injection attacks where user input or AI responses contain crafted instructions to bypass intended constraints. Fix: 1) Implement strict prompt templating with separated user input 2) Use structured prompts with clear delimiters 3) Validate and sanitize all user inputs before sending to API 4) Implement output filtering and validation 5) Use GPT system instructions to define boundaries
• Medium · Missing Security Headers and Configuration — Assets/Editor/OpenAI.cs, Assets/Editor/OpenAIUtil.cs. No visible configuration for secure communication parameters, timeout values, or rate limiting for API requests to prevent abuse or denial of service. Fix: 1) Implement rate limiting and request throttling 2) Add configurable timeout values 3) Implement exponential backoff for failed requests 4) Add request size limits 5) Monitor and log API usage patterns
• Low · Insufficient Error Handling — Assets/Editor/OpenAI.cs, Assets/Editor/OpenAIUtil.cs. API errors and exceptions could potentially expose sensitive information in error messages or logs, including API endpoints or partial credentials. Fix: 1) Implement generic error messages for end users 2) Log detailed errors securely server-side only 3) Sanitize error messages before display 4) Implement proper exception handling 5) Avoid exposing stack traces

LLM-derived; treat as a starting point, not a security audit.

• Open issues — current backlog
• Recent PRs — what's actively shipping
• Source on GitHub

Generated by RepoPilot. Verdict based on maintenance signals — see the live page for receipts. Re-run on a new commit to refresh.