registry  /  @thxp/llms  /  3.2.26

@thxp/llms@3.2.26

A universal LLM API transformation server

AI Security Review

scanned 2h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a universal LLM API transformation/router server with provider-aligned outbound requests, optional Google Vertex auth, optional webhook reporting, and local config/cache/stat files.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User imports the module or explicitly starts the server with npm start/node dist entrypoint and configures providers/plugins.
Impact
Expected proxying of user LLM requests to configured provider endpoints; optional local stats/config writes and user-configured webhook output.
Mechanism
LLM request routing and transformation with optional telemetry reporters
Rationale
Static inspection of package-owned sourcemap sources found expected LLM router behavior, not credential exfiltration or install/import-time compromise. Environment/credential reads and outbound requests are tied to user-configured providers, Vertex auth, tokenizers, or explicit webhook plugins.
Evidence
package.jsonREADME.mddist/esm/server.mjs.mapdist/cjs/server.cjsdist/esm/server.mjs~/.claude-code-router/config.json~/.claude-code-router/daily_usage.json~/.claude-code-router/.huggingface/*temporary token-speed output under configured temp directory
Network endpoints4
configured provider api_base_url valuesconfigured webhook URL<location>-aiplatform.googleapis.comHugging Face tokenizer URLs derived from modelId

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no preinstall/install/postinstall hooks and only exports dist/cjs/server.cjs and dist/esm/server.mjs.
    • Source map shows package-owned network calls are LLM/router functionality: src/utils/request.ts posts user requests to configured provider URLs.
    • Vertex transformers read GOOGLE_* env and credential file only to obtain Google access tokens for user-selected Vertex AI providers.
    • Webhook/temp-file output handlers are plugin/config driven; webhook URL must be supplied and temp files store token-speed stats under claude-code-router paths.
    • No child_process spawn/exec in package-owned sources; broad scanner hits came from bundled dependencies/source-map noise.
    • Server start is explicit via start script or Server.start(); importing package exports classes/services and does not run npm lifecycle mutation.
    Behavioral surface
    Source
    ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetwork
    Supply chain
    HighEntropyStringsMinifiedUrlStrings
    ManifestNo manifest risk signals triggered.
    scanned 2 file(s), 956 KB of source, external domains: 169.254.169.254, cloud.google.com, github.com, metadata.google.internal, oauth2.googleapis.com, www.googleapis.com

    Source & flagged code

    7 flagged · loading source
    dist/esm/server.mjsView file
    7`:case"\u2028":case"\u2029":return W(),"";case"\r":return W(),mr()===` L8: `&&W(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw je(W());case void 0:throw je(W())}return W()}function P_(){let t="",e=mr();if(!ze.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};Et.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
    Critical
    Credential Exfiltration

    Source appears to send environment or credential material to an external endpoint.

    dist/esm/server.mjsView on unpkg · L7
    60${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Child Process

    Package source references child process execution.

    dist/esm/server.mjsView on unpkg · L60
    49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Same File Env Network Execution

    A single source file combines environment access, network access, and code or shell execution; review context before blocking.

    dist/esm/server.mjsView on unpkg · L49
    49`+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: ... L60: ${k} L61: `+await t.crypto.sha256DigestHex(g),y=await WA(t.crypto,t.securityCredentials.secretAccessKey,u,t.region,n),_=await Gs(t.crypto,y,E),m=`${Ig} Credential=${t.securityCredentials.acc... L62: To learn more about authentication and Google APIs, visit:
    High
    Command Output Exfiltration

    Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

    dist/esm/server.mjsView on unpkg · L49
    7`:case"\u2028":case"\u2029":return W(),"";case"\r":return W(),mr()===` L8: `&&W(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw je(W());case void 0:throw je(W())}return W()}function P_(){let t="",e=mr();if(!ze.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ku=J((OT,Mf)=>{var B_=Nf(),j_=jf(),M_={parse:B_,stringify:j_};Mf.exports=M_});var Fu=J((Tv,sh)=>{"use strict";var Yo=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};Et.GaxiosError=Iu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof Mp.stringify!="function"&&(Mp.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "HS512", "RS256", "RS384", "RS512", "PS256", "PS384", "PS512", "E
    High
    Cloud Metadata Access

    Source reaches cloud instance metadata or link-local credential endpoints.

    dist/esm/server.mjsView on unpkg · L7
    dist/cjs/server.cjsView file
    7Trigger-reachable chain: manifest.main -> dist/cjs/server.cjs L7: `:case"\u2028":case"\u2029":return W(),"";case"\r":return W(),yr()===` L8: `&&W(),"";case"1":case"2":case"3":case"4":case"5":case"6":case"7":case"8":case"9":throw Be(W());case void 0:throw Be(W())}return W()}function X_(){let t="",e=yr();if(!ze.isHexDigit... L9: `+i;A=D.join(v),b=`{ ... L13: `+i+A+`, L14: `+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};St.GaxiosError=Gu;functio... L16: `).join(` ... L49: `+y+"}":"{"+_.join(",")+"}",n=y,k}}typeof rm.stringify!="function"&&(rm.stringify=function(d,h,p){var g;if(n="",s="",typeof p=="number")for(g=0;g<p;g+=1)s+=" ";else typeof p=="stri... L50: `,r:"\r",t:" "},i,u=function(y){throw{name:"SyntaxError",message:y,at:r,text:i}},c=function(y){return y&&y!==n&&u("Expected '"+y+"' instead of '"+n+"'"),n=i.charAt(r),r+=1,n},l=fun... L51: Supported algorithms are: L52: "HS256", "HS384", "H…
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cjs/server.cjsView on unpkg · L7
    14`+_+"]"}return s.pop(),i=_,D}}});var ju=J((yT,Xf)=>{var eb=Vf(),tb=Yf(),rb={parse:eb,stringify:tb};Xf.exports=rb});var Hu=J((ov,Eh)=>{"use strict";var ui=Object.prototype.hasOwnPro... L15: `)||n,code:i,status:s},e.data.error)}return Object.assign({message:n,code:i,status:s},e.data.error)}}return{message:n,code:e.status,status:e.statusText}}};St.GaxiosError=Gu;functio... L16: `).join(`
    Medium
    Dynamic Require

    Package source references dynamic require/import behavior.

    dist/cjs/server.cjsView on unpkg · L14

    Findings

    2 Critical4 High4 Medium4 Low
    CriticalCredential Exfiltrationdist/esm/server.mjs
    CriticalTrigger Reachable Dangerous Capabilitydist/cjs/server.cjs
    HighChild Processdist/esm/server.mjs
    HighSame File Env Network Executiondist/esm/server.mjs
    HighCommand Output Exfiltrationdist/esm/server.mjs
    HighCloud Metadata Accessdist/esm/server.mjs
    MediumDynamic Requiredist/cjs/server.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowFilesystem
    LowHigh Entropy Strings
    LowUrl Strings