github-router@0.3.138

A reverse proxy that exposes GitHub Copilot as OpenAI and Anthropic compatible API endpoints.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package implements an explicit local reverse proxy/agent launcher with powerful user-invoked MCP worker features, but the inspected behavior is aligned with its documented purpose.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs the github-router CLI, especially auth/start/claude/codex worker-related modes.
Impact
Can route prompts and local tool actions through configured Copilot-backed models when the user opts into those modes; no covert install-time or import-time attack behavior confirmed.
Mechanism
Local proxy and AI-agent tool bridge with explicit CLI-controlled launch/configuration.
Rationale
Static inspection found dangerous primitives, but they are documented, user-invoked functionality for a Copilot reverse proxy/Claude-Codex agent bridge rather than covert lifecycle execution or exfiltration. The prepare script is benign and there is no evidence of hidden install-time, import-time, persistence, destructive, or credential-harvesting behavior.
Evidence
  • package.json
  • README.md
  • dist/main.js
  • dist/peer-mcp-personas-CThUmeHE.js
  • dist/paths-Cn5OzmYL.js
  • dist/lifecycle-Cqe8OQVX.js
  • ~/.local/share/github-router/github_token
  • ~/.local/share/github-router/claude-config/<launch>/.claude.json
  • ~/.local/share/github-router/runtime/peer-mcp-*.json
  • ~/.local/share/github-router/runtime/peer-agents-*.json
Network endpoints (6)
  • api.githubcopilot.com
  • api.github.com
  • github.com
  • marketplace.visualstudio.com
  • aur.archlinux.org
  • 127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/peer-mcp-personas-CThUmeHE.js exposes user-invoked worker MCP tools including implement/test with edit/write/bash capability.
  • dist/main.js has self-update logic that can run npm install -g github-router@latest after runtime launch when enabled.
  • dist/main.js mutates router-owned Claude config mirror to add MCP servers for spawned Claude sessions.
Evidence against
  • package.json prepare is only (simple-git-hooks || true); no install/postinstall hook executes package payload.
  • README.md and package.json describe a Copilot reverse proxy and Claude/Codex launcher matching observed network and MCP behavior.
  • dist/peer-mcp-personas-CThUmeHE.js routes requests to GitHub/Copilot endpoints and validates worker tool arguments; no hidden credential harvesting found.
  • dist/paths-Cn5OzmYL.js stores tokens/config under ~/.local/share/github-router and per-launch isolated Claude config, not arbitrary user files.
  • No import-time execution path found; bin entry dist/main.js requires explicit CLI invocation.
Behavioral surface
Source
ChildProcess, Crypto, DynamicRequire, EnvironmentVars, Filesystem, Network, Shell, WebSocket
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 15 file(s), 1.44 MB of source, external domains: 127.0.0.1, animeshkundu.github.io, api.github.com, api.githubcopilot.com, aur.archlinux.org, docs.claude.com, github.com, huggingface.co, marketplace.visualstudio.com

Source & flagged code

6 flagged
dist/lifecycle-Cqe8OQVX.js
L5: import process from "node:process";
L6: import { spawn, spawnSync } from "node:child_process";
L7: import { existsSync } from "node:fs";
High
Child Process

Package source references child process execution.

dist/lifecycle-Cqe8OQVX.js · L5
L33: * and skip (best-effort). Spawning the returned absolute path means
L34: * `cmd.exe`'s implicit cwd-first lookup never applies, closing the
L35: * planted-`npm.cmd` vector.
High
Shell

Package source references shell execution.

dist/lifecycle-Cqe8OQVX.js · L33
dist/peer-mcp-personas-CThUmeHE.js
matchType = previous_version_dangerous_delta
matchedPackage = github-router@0.3.137
matchedIdentity = npm:Z2l0aHViLXJvdXRlcg:0.3.137
similarity = 0.933
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/peer-mcp-personas-CThUmeHE.js
L12: import process$1 from "node:process";
L13: import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
L14: import { chmodSync, closeSync, cpSync, existsSync, mkdirSync, openSync, promises, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, ...
...
L61: const API_VERSION = "2026-01-09";
L62: const copilotBaseUrl = (state$1) => state$1.copilotApiUrl ?? "https://api.githubcopilot.com";
L63: const copilotHeaders = (state$1, vision = false, integrationId = "vscode-chat") => {
...
L889: for (const path$1 of candidates) try {
L890: const raw = readFileSync(path$1, "utf8");
L891: const parsed = JSON.parse(raw);
...
L21461:
L21462: Available tools/roles to assign per node: ${toolCatalog}`;
L21463: const CRITIQUE_INSTRUCTIONS = "You are a cross-lab reviewer of a workflow IR (JSON). List concrete concerns that would weaken the result — missing verification, a mis-scoped node, ...
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/peer-mcp-personas-CThUmeHE.js · L12
Cross-file remote execution chain: dist/peer-mcp-personas-CThUmeHE.js spawns dist/browser-bridge/index.js; helper contains network access plus dynamic code execution.
L1: import { t as PATHS } from "./paths-Cn5OzmYL.js";
L2: import { d as runCommandCapture, l as parseBoolEnv, n as isPidAlive, o as trackChild, p as runManagedExeCapture, r as registerColbertExitHandlers, t as getColbertInstanceUuid, u as...
L3: import { i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-CeVDX6av.js";
...
L15: import { fileURLToPath } from "node:url";
L16: import { Agent, ProxyAgent } from "undici";
L17: import { performance } from "node:perf_hooks";
...
L20: import { Worker } from "node:worker_threads";
L21: import { gunzipSync, inflateRawSync } from "node:zlib";
L22: import WebSocket from "ws";
...
L82: };
L83: const GITHUB_API_BASE_URL = process.env.GITHUB_API_URL ?? "https://api.github.com";
L84: const githubHeaders = (state$1) => ({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/peer-mcp-personas-CThUmeHE.js · L1
L32: //#region rolldown:runtime
L33: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L34:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/peer-mcp-personas-CThUmeHE.js · L32

Findings

1 Critical · 4 High · 4 Medium · 5 Low
Critical · Previous Version Dangerous Delta · dist/peer-mcp-personas-CThUmeHE.js
High · Child Process · dist/lifecycle-Cqe8OQVX.js
High · Shell · dist/lifecycle-Cqe8OQVX.js
High · Remote Agent Bridge · dist/peer-mcp-personas-CThUmeHE.js
High · Cross File Remote Execution Context · dist/peer-mcp-personas-CThUmeHE.js
Medium · Dynamic Require · dist/peer-mcp-personas-CThUmeHE.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings