
Posted by franze 11 hours ago

Show HN: Apfel – The free AI already on your Mac (apfel.franzai.com)
Github: https://github.com/Arthur-Ficial/apfel
594 points | 136 comments
convexly 8 hours ago|
I like the approach of running everything locally. I'm strongly of the opinion that the privacy angle for local models is going to keep getting stronger and more relevant. The more articles that come out about accidents happening because people handed too much context to cloud models, the more self-reinforcing this will become.
cousin_it 6 hours ago||
It's only half of the solution though. If the models are trained in a closed way, they can prioritize values encoded during training even if that's not what you want (example: ask the open Chinese models about Tiananmen). It's not beyond imagining that these models would e.g. try to send your data to authorities or advertisers when their training says so, even if you run them locally.

So the full solution would be models trained in an open verifiable way and running locally.

wrxd 4 hours ago||
The model is only generating tokens without touching the network at all, right? How would it send data away?
procaryote 4 hours ago||
Theoretically, by taking the opportunity to inject an exfiltration mechanism if you ask it to write code for you
kg 3 hours ago||
Lots of people I know run models in "yolo" mode or the equivalent as well, which means it could just invoke curl or telnet to exfiltrate data.
hombre_fatal 5 hours ago|||
Another angle is when you're passing untrusted content to the AI service, e.g. anything from using it to crawl websites to spam-detection on new forum user posts.

You can trigger the service's ToS violation or worse, get tipped off to law enforcement for something you didn't even write.

Xenoamorphous 2 hours ago|||
> I like the approach of running everything locally. I'm strongly of the opinion that the privacy angle for local models is going to keep getting stronger and more relevant.

In HN circles perhaps. Average Joes don’t care.

lukewarm707 7 hours ago|||
local is best for privacy, but i personally think you don't need to go local.

anthropic, google, openai etc, decided that their consumer ai plans would not be private. partly to collect training data, the other half to employ moderators to review user activity for safety.

we trust that human moderators will not review and flag our icloud docs, onedrive or gmail, or aggregate such documents into training data for llms. it became the norm that an llm is somehow not private. it became a norm that you can't opt out of training, even on paid plans (see meta and google); or if you can opt out of training, you can't opt out of moderation.

cloud models with a zero retention privacy policy are private enough for almost everyone, the subscriptions, google search, ai search engines are either 'buying' your digital life or covering themselves for legal reasons.

you can and should have private cloud services, and if legal agreement is not enough, cryptographic attestation is already used in compute, with AWS nitro enclaves and other providers.

inetknght 7 hours ago|||
> i personally think you don't need to go local.

I personally think everyone should default to using local resources. Cloud resources should only be used for expansion and be relatively bursty rather than the default.

mark_l_watson 6 hours ago|||
For about two years I experimented with writing local apps using local LLMs, but I often had to blend in a commercial web search API to make my little experiments useful.
Whyachi 4 hours ago|||
[dead]
sebastiennight 39 minutes ago||||
> anthropic, google, openai etc, decided that their consumer ai plans would not be private. partly to collect training data, the other half to employ moderators to review user activity for safety.

That's two halves of "why", sure.

Another interesting half would be that those companies have US military officers on their boards, and LLMs are the ultimate voluntary data collection platform, even better trojan horses than smartphones.

Yet another "half" could be how much enterprise value might be found by datamining for a minute or two... may I suggest reading a couple of Martha Wells books.

mark_l_watson 6 hours ago||||
I pay $13/month for Proton’s Lumo+ private chat LLM that contains an excellent built-in web search tool. I use it for everything non-technical, even just simple searching for local businesses, etc.

As an enthusiastic reader of books like Privacy is Power and Surveillance Capitalism, it feels good to have a private tool that is ready at hand.

djl0 6 hours ago|||
do you have any provider recommendations? I've experimented with this on runpod serverless, but I've been meaning to dig deeper before I feel comfortable with personal data.

I saw a service named Phala, which claims to be actually no-knowledge to server side (I think). It was significantly more expensive, but interesting to see it's out there. My thought was escaping the data-collection-hungry consumer models was a big win.

ge96 6 hours ago|||
The other thing, is encrypted inferencing a thing/service currently? I want to run my own models locally just because if I'm going to be chatting to it about my day to day life why send it to a server in plaintext.
lukewarm707 6 hours ago||
encrypted inferencing, meaning homomorphic encryption: no, it's not solved.

cryptographic confirmation of zero knowledge: yes.

the latter, based on trust in the hardware manufacturer and their root ca. so, encrypted if you trust intel/nvidia to sign it.

there are a few services, phala, tinfoil, near ai, redpill is an aggregator of those

aswanson 7 hours ago||
That's the way things have to go. Business risk is too high having everything run over exposed networks.
lukewarm707 7 hours ago||
what i say about this, is that an llm is just a big file, there is nothing 'not private' about it.

if you are happy with off-prem then the llm is ok too, if you need on-prem this is when you will need local.

zahlman 7 hours ago||
> an llm is just a big file, there is nothing 'not private' about it.

The private thing is the prompt.

But also, a local LLM opens up the possibility of agentic workflows that don't have to touch the Internet.

karimf 4 hours ago||
The big question is whether Apple can keep shipping new models constantly.

AFAIK the current model is on par with Qwen-3-4B, which is from a year ago [0]. There's a big leap going from last year's Qwen-3-4B to Qwen-3.5-4B or to Gemma 4.

Apple model is nice since you don't need to download anything else, but I'd rather use the latest model than to use a model from a year ago.

https://machinelearning.apple.com/research/apple-foundation-...

dangus 2 hours ago|
I’m not sure why that’s a question, it’s just a downloaded file. You can even watch it download separately when you enable Apple Intelligence (it’s not tied to OS updates from what I can tell).

Of course I imagine Apple is not going to be the fastest mover in this regard. I’m not even sure they believe the product will be widely impactful anymore and may keep it relegated to a small list of popular use cases like photo touch ups and quick questions to Siri. For me the most useful parts of Apple’s AI don’t even require me to enable Apple Intelligence.

gherkinnn 7 hours ago||
Now this is a development I like.

With the Claude bug, or so it is known, burning through tokens at record speed, I gave alternative models a try and they're mostly ... interchangeable. I don't know how easy switching and low brand loyalty and fast markets will play out. I hope that local LLMs will become very viable very soon.

naravara 7 hours ago|
Yeah I don’t think the models are meaningfully differentiated outside of very specific edge cases. I suspect this was the thinking behind OpenAI and Facebook and all trying to lean hard into presenting their chatbots as friends and romantic partners. If they can’t maintain a technical moat they can try to cultivate an emotional one.
g-mork 4 hours ago||
Saw a comment here yesterday referencing the Attention Is All You Need paper title in a tongue in cheek way. Kinda fun to imagine the friend/romance angle is just a bunch of socially awkward folk at OpenAI misinterpreting the original paper
brians 8 hours ago||
I’ve seen several projects like this that offer a network server with access to these Apple models. The danger is when they expose that, even on a loop port, to every other application on your system, including the browser. Random webpages are now shipping with JavaScript that will post to that port. Same-origin restrictions will stop data flow back to the webpage, but that doesn’t stop them from issuing commands to make changes.

Some such projects use CORS to allow read back as well. I haven’t read Apfel’s code yet, but I’m registering the experiment before performing it.

brians 8 hours ago||
They offer it as an option but default it to false! This is still a --footgun option but it’s the least unsafe version I’ve seen yet! Well done, Apfel authors.
franze 7 hours ago||
thx for the report - a totally valid attack vector i was not aware of before, should be fixed https://github.com/Arthur-Ficial/apfel/releases/tag/v0.6.23 - see also new https://github.com/Arthur-Ficial/apfel/blob/main/docs/server...
stingraycharles 8 hours ago|||
I don’t think many browsers will allow posting to 127.0.0.1 from a random website. What’s the threat model here?
layer8 8 hours ago|||
Restricting such access is still a work in progress: https://wicg.github.io/local-network-access/
brians 8 hours ago|||
I think any browser will allow it but not allow data read back.
btown 8 hours ago|||
FWIW this was the status quo (webpage could ping arbitrary ports but not read data, even with CORS protections) - but it is changing.

This is partially in response to https://localmess.github.io/ where Meta and Yandex pixel JS in websites would ping a localhost server run by their Android apps as a workaround to third-party cookie limits.

Chrome 142 launched a permission dialog: https://developer.chrome.com/blog/local-network-access

Edge 140 followed suit: https://support.microsoft.com/en-us/topic/control-a-website-...

And Firefox is in progress as well, though I couldn't find a clear announcement about rollout status: https://fosdem.org/2026/schedule/event/QCSKWL-firefox-local-...

So things are getting better! But there was a scarily long time where a rogue JS script could try to blindly poke at localhost servers with crafty payloads, hoping to find a common vulnerability and gain RCE or trigger exfiltration of data via other channels. I wouldn't be surprised if this had been used in the wild.

airza 8 hours ago||||
There is a CORS preflight check for POST requests that don't use form-encoding. It would be somewhat surprising if these weren't using JSON (though it wouldn't be that surprising if they were parsing submitted JSON instead of actually checking the MIME-type, which would probably be bad anyway).
mememememememo 8 hours ago|||
Isn't there a CORS preflight check for this? In most cases. I guess you could fashion an OG form to post form fields. But openai is probably a JSON body only.

The default scenario should be secure. If the local site sends permissive CORS headers bets may be off. I would need to check but https->http may be a blocker too even in that case. Unless the attack site is http.

robotswantdata 8 hours ago|||
Keep seeing similar mistakes with vibe coded AI & MCP projects. Even experienced engineers seem oblivious to this attack vector
snarkyturtle 7 hours ago||
Noting that there's an option to require a Bearer token to the API
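The loopback-server checks this sub-thread circles around, worked into one request gatekeeper as an added example (my code, not Apfel's): an Origin allow-list applied to the CORS preflight and to the real request, a JSON-only Content-Type so that a plain form POST which skips preflight is refused, and the Bearer token option snarkyturtle mentions. The allowed origin and the token are constructed placeholders.

```python
import hmac
from dataclasses import dataclass, field
# Constructed values: a real install would generate the token per machine and
# allow-list only the app's own local front end.
ALLOWED_ORIGINS = {"http://127.0.0.1:8080"}
API_TOKEN = "example-token-not-a-real-secret"

@dataclass
class Request:
    method: str
    headers: dict = field(default_factory=dict)

    def header(self, name):  # header names are case-insensitive
        return next((v for k, v in self.headers.items() if k.lower() == name.lower()), None)

def gate(req):
    """Return (status, reason) for a request hitting the loopback API.
    Order of checks: Origin, then Content-Type, then Bearer token."""
    origin = req.header("Origin")
    if req.method == "OPTIONS":
        # CORS preflight: allow-listed origin only; a real server echoes that origin back, never "*".
        return (204, "preflight allowed") if origin in ALLOWED_ORIGINS else (403, "preflight rejected")
    # Browsers attach Origin to every cross-site POST, including "simple"
    # form-encoded ones that skip preflight, so the real request is checked too.
    if origin is not None and origin not in ALLOWED_ORIGINS:
        return 403, "origin not allowed"
    # Require JSON: a plain <form> sends a form-encoded body with no preflight at all.
    ctype = (req.header("Content-Type") or "").split(";")[0].strip().lower()
    if req.method == "POST" and ctype != "application/json":
        return 415, "json body required"
    auth = req.header("Authorization") or ""
    token = auth[len("Bearer "):] if auth.startswith("Bearer ") else ""
    if not hmac.compare_digest(token, API_TOKEN):  # constant-time comparison
        return 401, "missing or invalid bearer token"
    return 200, "ok"

def demo():
    """Push constructed requests through the gate; returns {label: status}."""
    ok = {"Authorization": f"Bearer {API_TOKEN}", "Content-Type": "application/json"}
    form = {"Content-Type": "application/x-www-form-urlencoded"}
    cases = {
        "preflight_from_web": Request("OPTIONS", {"Origin": "https://evil.example"}),
        "form_post_from_web": Request("POST", {"Origin": "https://evil.example", **form}),
        "local_ui_json": Request("POST", {"Origin": "http://127.0.0.1:8080", **ok}),
        "local_ui_form": Request("POST", {"Origin": "http://127.0.0.1:8080", **ok, **form}),
        "cli_no_token": Request("POST", {"Content-Type": "application/json"}),
        "cli_with_token": Request("POST", ok),
    }
    return {label: gate(r)[0] for label, r in cases.items()}
```

The CLI cases carry no Origin header, which is why they fall through to the token check; a browser page cannot omit it.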
zopf 15 minutes ago||
Wow - the model really hallucinates without hesitation. I asked a number of "What do you know about [person, company, etc]?" questions and rather than realizing that it didn't know about them, it just made up an answer for every one of them.
newman314 53 minutes ago||
Saw this in another thread previously and immediately installed it.

I have a new prompt to test LLMs much like simonw's pelican test.

"What is 9:30am Taiwan time in US, Pacific?" For some reason, the answers are quite inconsistent but all wrong.

  ./apfel "what is 9:30am Taiwan time in US, Pacific?"
  Taiwan is 12 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM Taiwan time would be 9:30 PM Pacific Time.
  Taiwan is 13 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 10:30 PM in the Pacific Time Zone.
  Taiwan is in the China Standard Time (CST) zone, which is 12 hours ahead of the Pacific Standard Time (PST) zone. Therefore, 9:30 AM in Taiwan is 9:30 PM in the Pacific.
  Taiwan is typically 11 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 8:30 PM in the Pacific Time Zone.
  Taiwan is 13 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 10:30 PM the previous day in the Pacific Time Zone.
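To turn that prompt into a repeatable check, here is an added example (not from the thread) that computes the ground truth with fixed UTC offsets for both Pacific standard and daylight time and grades each free-text reply against it; it generalizes to any Taiwan wall-clock time, and the five replies above are embedded as test data.

```python
import re
from datetime import datetime, timedelta, timezone

# Fixed offsets so this runs without a tz database: Taiwan stays at UTC+8 all
# year, US Pacific is UTC-8 (PST) in winter and UTC-7 (PDT) in summer.
TAIWAN = timezone(timedelta(hours=8))
PACIFIC = {"PST": timezone(timedelta(hours=-8)), "PDT": timezone(timedelta(hours=-7))}

def clock12(dt):
    return f"{dt.hour % 12 or 12}:{dt.minute:02d} {'AM' if dt.hour < 12 else 'PM'}"

def taiwan_to_pacific(hour, minute, name):
    """Ground truth: (hours Taiwan is ahead, Pacific wall clock, day offset)."""
    tz = PACIFIC[name]
    tw = datetime(2026, 1, 1, hour, minute, tzinfo=TAIWAN)  # the date only anchors the day shift
    pt = tw.astimezone(tz)
    ahead = int((TAIWAN.utcoffset(None) - tz.utcoffset(None)).total_seconds() // 3600)
    return ahead, clock12(pt), (pt.date() - tw.date()).days

def parse_reply(reply):
    """Pull the claimed offset and the last clock time out of a free-text model reply."""
    ahead = re.search(r"(\d+) hours ahead", reply)
    times = re.findall(r"\b(\d{1,2}:\d{2} [AP]M)\b", reply)
    return (int(ahead.group(1)) if ahead else None), (times[-1] if times else None)

def grade(reply, hour=9, minute=30):
    """True only if both the offset and the converted time match PST or PDT truth."""
    ahead, clock = parse_reply(reply)
    return any((ahead, clock) == taiwan_to_pacific(hour, minute, n)[:2] for n in PACIFIC)

# The five replies quoted in the thread above, embedded here as test data.
REPLIES = [
    "Taiwan is 12 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM Taiwan time would be 9:30 PM Pacific Time.",
    "Taiwan is 13 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 10:30 PM in the Pacific Time Zone.",
    "Taiwan is in the China Standard Time (CST) zone, which is 12 hours ahead of the Pacific Standard Time (PST) zone. Therefore, 9:30 AM in Taiwan is 9:30 PM in the Pacific.",
    "Taiwan is typically 11 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 8:30 PM in the Pacific Time Zone.",
    "Taiwan is 13 hours ahead of the Pacific Time Zone. Therefore, 9:30 AM in Taiwan is 10:30 PM the previous day in the Pacific Time Zone.",
]

def scorecard():
    return [grade(r) for r in REPLIES]
```

The correct answer is 5:30 PM (PST, 16 hours behind) or 6:30 PM (PDT, 15 hours behind) on the previous day, so every one of the five replies grades as wrong.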
Multiplayer 6 hours ago||
Started using this earlier this week. I built a backtesting benchmark tool to compare a mix of frontier and open-source models on a fairly heavy data analysis workflow I’d been running in the cloud.

The task is basically predicting pricing and costs.

Apple’s model came out on top—best accuracy in 6 out of 10 cases in the backtest. That surprised me.

It also looks like it might be fast enough to take over the whole job. If I ran this on Sonnet, we’re talking thousands per month. With DeepSeek, it’s more like hundreds.

So far, the other local models I’ve tried on my 64GB M4 Max Studio haven’t been viable - either far too slow or not accurate enough. That said, I haven’t tested a huge range yet.

frontsideair 5 hours ago||
> Apple locked it behind Siri. apfel sets it free

This doesn't feel truthful, it sounds like this tool is a hack that unlocks something. If I understand it correctly, it's using the same FoundationModels framework that powers Apple Intelligence, but for CLI and OpenAI compatible REST endpoint. Which is fine, just the marketing goes hard a bit.

> Runs on Neural Engine

Also unsure if this runs on ANE, when I tried Apple Intelligence I saw that it ran on the GPU (Metal).

reaperducer 5 hours ago|
This doesn't feel…

Also unsure…

Thank you for sharing your feelings and uncertainty.

Perhaps resist the urge to post until you have something to contribute.

halJordan 1 hour ago|||
Using soft or unsure wording doesn't obviate the factualness of the contribution. The op is correct on both accounts- it's ok to be unsure when putting it forward.

You on the other hand contributed literally nothing to the topic

malcolmgreaves 4 hours ago||||
Please read the guidelines: https://news.ycombinator.com/newsguidelines.html

The poster said:

> Also unsure if this runs on ANE, when I tried Apple Intelligence I saw that it ran on the GPU (Metal).

They added something of some substance here.

Your post expressing your feelings did not.

gurjeet 5 hours ago||
Thank you for making it open source!

Submitted a PR to prevent its installation on macOS versions older than Tahoe (26), since I was able to install it on my older macOS 15, but it aborted on execution.

https://github.com/Arthur-Ficial/homebrew-tap/pull/1

millionclicks 15 minutes ago|
Awesome idea. You should launch this on Buildfeed.co.