
github-router@0.3.152

A reverse proxy that exposes GitHub Copilot as OpenAI and Anthropic compatible API endpoints.

AI Security Review

scanned 20h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.
Trigger
User runs `github-router claude` or related CLI subcommands.
Impact
Warn-worthy risk of broad agent capability exposure during an explicit router-launched Claude session; no package install hijack confirmed.
Mechanism
user-invoked AI agent control-surface setup with permission bypass
Policy narrative
When explicitly launched as `github-router claude`, the package starts a local Copilot proxy, creates a per-launch Claude config mirror under its own app data directory, injects synthetic auth/onboarding fields, registers MCP servers/subagents, and spawns Claude with permission prompts skipped. This is dangerous agent-control behavior but not an install-time or import-time hijack of a foreign Claude/Codex/Cursor surface.
Rationale
Static inspection shows risky but package-aligned, user-invoked AI-agent orchestration rather than unconsented lifecycle mutation or credential exfiltration. The package should be warned for dangerous agent capability surface, not publish-blocked as malware.
Evidence
  • package.json
  • dist/main.js
  • dist/paths-D0tJ_tms.js
  • dist/peer-mcp-personas-BQVOxB1i.js
  • ~/.local/share/github-router/github_token
  • ~/.local/share/github-router/github_agent_token
  • ~/.local/share/github-router/claude-config/<pid>-<rand>/.credentials.json
  • ~/.local/share/github-router/claude-config/<pid>-<rand>/.claude.json
  • ~/.local/share/github-router/claude-config/<pid>-<rand>/agents/peer-*.md
  • ~/.local/share/github-router/runtime/peer-mcp-*.json
  • ~/.local/share/github-router/runtime/peer-agents-*.json
Network endpoints (8)
  • api.githubcopilot.com
  • api.github.com
  • github.com
  • api.github.com/graphql
  • marketplace.visualstudio.com/_apis/public/gallery/extensionquery
  • huggingface.co
  • github.com/lightonai/next-plaid
  • github.com/microsoft/onnxruntime

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/main.js launches `claude --dangerously-skip-permissions` by default in the user-invoked `claude` subcommand.
  • dist/paths-D0tJ_tms.js creates a router-owned Claude config mirror and injects synthetic `.credentials.json` and `.claude.json` onboarding/permission fields.
  • dist/main.js writes MCP server config and subagent markdown files into the per-launch mirror for Claude subagents.
  • dist/peer-mcp-personas-BQVOxB1i.js exposes agent-facing worker/browser/search tools, including write-capable worker modes when enabled.
Evidence against
  • package.json has only `prepare: (simple-git-hooks || true)`, with no install/postinstall hook in the published package.
  • Dangerous Claude/MCP setup is activated by explicit `github-router claude`, not import-time or npm install-time execution.
  • Claude control-surface writes are scoped to `~/.local/share/github-router/claude-config/<pid>-<rand>` and cleaned on shutdown.
  • Network endpoints are package-aligned for a GitHub Copilot reverse proxy.
Behavioral surface
Source: Child Process, Crypto, Dynamic Require, Environment Vars, Filesystem, Network, Shell, WebSocket
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 15 file(s), 1.60 MB of source, external domains: 127.0.0.1, animeshkundu.github.io, api.github.com, api.githubcopilot.com, aur.archlinux.org, docs.claude.com, github.com, huggingface.co, marketplace.visualstudio.com

Source & flagged code

6 flagged
dist/peer-mcp-personas-BQVOxB1i.js
L12: import process$1 from "node:process";
L13: import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
L14: import { chmodSync, closeSync, cpSync, existsSync, mkdirSync, openSync, promises, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, ...
High
Child Process

Package source references child process execution.

dist/peer-mcp-personas-BQVOxB1i.js · L12
L1: import { t as PATHS } from "./paths-D0tJ_tms.js";
L2: import { d as runCommandCapture, l as parseBoolEnv, n as isPidAlive, o as trackChild, p as runManagedExeCapture, r as registerColbertExitHandlers, t as getColbertInstanceUuid, u as...
L3: import { i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-DGvk4z63.js";
High
Shell

Package source references shell execution.

dist/peer-mcp-personas-BQVOxB1i.js · L1
L12: import process$1 from "node:process";
L13: import { execFile, execFileSync, spawn, spawnSync } from "node:child_process";
L14: import { chmodSync, closeSync, cpSync, existsSync, mkdirSync, openSync, promises, readFileSync, readdirSync, realpathSync, renameSync, rmSync, statSync, unlinkSync, writeFileSync, ...
...
L62: const API_VERSION = "2026-01-09";
L63: const copilotBaseUrl = (state$1) => state$1.copilotApiUrl ?? "https://api.githubcopilot.com";
L64: const copilotHeaders = (state$1, vision = false, integrationId = "vscode-chat") => {
...
L984: for (const path$1 of candidates) try {
L985: const raw = readFileSync(path$1, "utf8");
L986: const parsed = JSON.parse(raw);
...
L25542:
L25543: Available tools/roles to assign per node: ${toolCatalog}`;
L25544: const CRITIQUE_INSTRUCTIONS = "You are a cross-lab reviewer of a workflow IR (JSON). List concrete concerns that would weaken the result — missing verification, a mis-scoped node, ...
High
Remote Agent Bridge

Source exposes local file and command tools to a remote model endpoint.

dist/peer-mcp-personas-BQVOxB1i.js · L12
Cross-file remote execution chain: dist/peer-mcp-personas-BQVOxB1i.js spawns dist/browser-bridge/index.js; helper contains network access plus dynamic code execution.
L1: import { t as PATHS } from "./paths-D0tJ_tms.js";
L2: import { d as runCommandCapture, l as parseBoolEnv, n as isPidAlive, o as trackChild, p as runManagedExeCapture, r as registerColbertExitHandlers, t as getColbertInstanceUuid, u as...
L3: import { i as registerExitHandlers, n as getInstanceUuid, r as recordWorkerRepo, t as WorktreeRegistry } from "./lifecycle-DGvk4z63.js";
...
L15: import { fileURLToPath } from "node:url";
L16: import { Agent, ProxyAgent } from "undici";
L17: import { performance } from "node:perf_hooks";
...
L20: import { Worker } from "node:worker_threads";
L21: import { gunzipSync, inflateRawSync } from "node:zlib";
L22: import WebSocket from "ws";
...
L83: };
L84: const GITHUB_API_BASE_URL = process.env.GITHUB_API_URL ?? "https://api.github.com";
L85: const githubHeaders = (state$1) => ({
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/peer-mcp-personas-BQVOxB1i.js · L1
L32: //#region rolldown:runtime
L33: var __require = /* @__PURE__ */ createRequire(import.meta.url);
L34:
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/peer-mcp-personas-BQVOxB1i.js · L32
dist/main.js
matchType = previous_version_dangerous_delta
matchedPackage = github-router@0.3.138
matchedIdentity = npm:Z2l0aHViLXJvdXRlcg:0.3.138
similarity = 0.800
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/main.js

Findings

1 Critical · 4 High · 4 Medium · 5 Low
  • Critical · Previous Version Dangerous Delta · dist/main.js
  • High · Child Process · dist/peer-mcp-personas-BQVOxB1i.js
  • High · Shell · dist/peer-mcp-personas-BQVOxB1i.js
  • High · Remote Agent Bridge · dist/peer-mcp-personas-BQVOxB1i.js
  • High · Cross File Remote Execution Context · dist/peer-mcp-personas-BQVOxB1i.js
  • Medium · Dynamic Require · dist/peer-mcp-personas-BQVOxB1i.js
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings