github-router@0.3.153

A reverse proxy that exposes GitHub Copilot as OpenAI and Anthropic compatible API endpoints.

AI Security Review

scanned 1h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No confirmed malicious install-time attack surface was found. The package is a powerful user-invoked GitHub Copilot/Claude/Codex proxy that can create router-owned agent configuration and expose shell/search tools to model-driven workflows.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs github-router CLI, especially Claude/agent/worker modes
Impact
Could grant the routed AI workflow local shell and file-search capabilities, but source inspection shows this is product-aligned and scoped rather than stealth install-time hijacking.
Mechanism
explicit user-command agent extension setup with local command tooling
Rationale
Because the risky agent/config and command surfaces are user-invoked and package-aligned, this is not malicious; however the package creates an agent extension lifecycle and local command bridge that warrants a warning rather than clean allow.
Evidence
  • package.json
  • dist/main.js
  • dist/peer-mcp-personas-DMM1akDa.js
  • dist/paths-Bt7sqiVr.js
  • dist/lifecycle-VTQI28wT.js
  • ~/.local/share/github-router/github_token
  • ~/.local/share/github-router/github_agent_token
  • ~/.local/share/github-router/claude-config/<pid-rand>/.claude.json
  • ~/.local/share/github-router/claude-config/<pid-rand>/agents/peer-*.md
  • ~/.local/share/github-router/runtime/peer-mcp-*.json
  • ~/.local/share/github-router/runtime/peer-agents-*.json
  • ~/.local/share/github-router/bin
Network endpoints (4)
  • api.githubcopilot.com
  • api.github.com
  • github.com
  • api.github.com/graphql

Decision evidence

public snapshot
AI called this Suspicious at 82.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/main.js writes router-owned Claude MCP config and peer subagent .md files under PATHS.CLAUDE_CONFIG_DIR/agents
  • dist/peer-mcp-personas-DMM1akDa.js exposes worker bash/code-search tools that can spawn shell commands under user-selected workspaces
  • dist/main.js can queue runtime self-update via npm install -g github-router@latest when selfUpdate is enabled
  • dist/paths-Bt7sqiVr.js writes synthetic Claude credentials and mirrored .claude.json in ~/.local/share/github-router/claude-config
Evidence against
  • package.json has no preinstall/install/postinstall; prepare only runs simple-git-hooks for source/VCS workflows
  • bin entry dist/main.js activates behavior only when github-router CLI commands are run
  • Claude config mutation is scoped to github-router-owned per-launch mirror, not the user's real ~/.claude directory
  • Network use is package-aligned for a GitHub Copilot reverse proxy: api.github.com and api.githubcopilot.com
  • Toolbelt downloads use pinned GitHub release URLs with sha256 entries
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 15 file(s), 1.63 MB of source, external domains: 127.0.0.1, animeshkundu.github.io, api.github.com, api.githubcopilot.com, aur.archlinux.org, docs.claude.com, github.com, huggingface.co, marketplace.visualstudio.com

Source & flagged code

6 flagged
dist/peer-mcp-personas-DMM1akDa.js
L12: import process$1 from "node:process";
L13: import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
L14: import { chmodSync, closeSync, cpSync, existsSync, mkdirSync, openSync, promises, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, ...
High
Child Process

Package source references child process execution.

dist/peer-mcp-personas-DMM1akDa.js · L12
L1: import { t as PATHS } from "./paths-Bt7sqiVr.js";
L2: import { d as runCommandCapture, l as parseBoolEnv, n as isPidAlive, o as trackChild, p as runManagedExeCapture, r as registerColbertExitHandlers, t as getColbertInstanceUuid, u as...
L3: import { i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-C4k0pEvn.js";
High
Shell

Package source references shell execution.

dist/peer-mcp-personas-DMM1akDa.js · L1
L12: import process$1 from "node:process";
L13: import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
L14: import { chmodSync, closeSync, cpSync, existsSync, mkdirSync, openSync, promises, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, ...
...
L62: const API_VERSION = "2026-01-09";
L63: const copilotBaseUrl = (state$1) => state$1.copilotApiUrl ?? "https://api.githubcopilot.com";
L64: const copilotHeaders = (state$1, vision = false, integrationId = "vscode-chat") => {
...
L984: for (const path$1 of candidates) try {
L985: const raw = readFileSync(path$1, "utf8");
L986: const parsed = JSON.parse(raw);
...
L25542:
L25543: Available tools/roles to assign per node: ${toolCatalog}`;
L25544: const CRITIQUE_INSTRUCTIONS = "You are a cross-lab reviewer of a workflow IR (JSON). List concrete concerns that would weaken the result — missing verification, a mis-scoped node, ...
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/peer-mcp-personas-DMM1akDa.js · L12
Cross-file remote execution chain: dist/peer-mcp-personas-DMM1akDa.js spawns dist/browser-bridge/index.js; helper contains network access plus dynamic code execution.
L1: import { t as PATHS } from "./paths-Bt7sqiVr.js";
L2: import { d as runCommandCapture, l as parseBoolEnv, n as isPidAlive, o as trackChild, p as runManagedExeCapture, r as registerColbertExitHandlers, t as getColbertInstanceUuid, u as...
L3: import { i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-C4k0pEvn.js";
...
L15: import { fileURLToPath } from "node:url";
L16: import { Agent, ProxyAgent } from "undici";
L17: import { performance } from "node:perf_hooks";
...
L20: import { Worker } from "node:worker_threads";
L21: import { gunzipSync, inflateRawSync } from "node:zlib";
L22: import WebSocket from "ws";
...
L83: };
L84: const GITHUB_API_BASE_URL = process.env.GITHUB_API_URL ?? "https://api.github.com";
L85: const githubHeaders = (state$1) => ({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/peer-mcp-personas-DMM1akDa.js · L1
L32: //#region rolldown:runtime
L33: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L34:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/peer-mcp-personas-DMM1akDa.js · L32
dist/main.js
matchType = previous_version_dangerous_delta
matchedPackage = github-router@0.3.152
matchedIdentity = npm:Z2l0aHViLXJvdXRlcg:0.3.152
similarity = 0.867
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/main.js

Findings

1 Critical · 4 High · 4 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/main.js
High · Child Process · dist/peer-mcp-personas-DMM1akDa.js
High · Shell · dist/peer-mcp-personas-DMM1akDa.js
High · Remote Agent Bridge · dist/peer-mcp-personas-DMM1akDa.js
High · Cross File Remote Execution Context · dist/peer-mcp-personas-DMM1akDa.js
Medium · Dynamic Require · dist/peer-mcp-personas-DMM1akDa.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings