registry  /  routiform  /  4.0.0

routiform@4.0.0

Routiform — Smart AI Router with auto fallback — route to FREE & cheap models, zero downtime. Works with Cursor, Cline, Claude Desktop, Codex, and any OpenAI-compatible tool.

AI Security Review

scanned 2h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
A user or caller sends a POST request to a CLI-tools configuration route while Routiform is running.
Impact
Can redirect configured AI CLI traffic through Routiform and store the selected API key in those clients' config/auth files.
Mechanism
Validated runtime writes of Routiform endpoint/API-key settings into external AI CLI configuration files.
Rationale
Source inspection does not establish concrete malicious behavior, but it does establish default-enabled runtime mutation of foreign AI-agent configuration. Per policy, this explicit agent-config setup capability warrants a warning rather than a publish block.
Evidence
package.jsonscripts/postinstall.mjsbin/routiform.mjsapp/src/app/api/cli-tools/codex-settings/route.tsapp/src/app/api/cli-tools/claude-settings/route.tsapp/src/app/api/cli-tools/openclaw-settings/route.tsapp/src/shared/services/cliRuntime.tsscripts/native-binary-compat.mjsscripts/bootstrap-env.mjsbin/reset-password.mjsbin/mcp-server.mjsapp/server.js

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • `scripts/postinstall.mjs` runs at npm postinstall and can invoke node-pre-gyp or `npm rebuild` for better-sqlite3.
  • `app/src/app/api/cli-tools/codex-settings/route.ts` writes Codex `config.toml` and `auth.json` after a POST.
  • `app/src/app/api/cli-tools/claude-settings/route.ts` creates and writes Claude CLI settings after a POST.
  • `app/src/app/api/cli-tools/openclaw-settings/route.ts` writes OpenClaw settings after a POST.
  • `app/src/shared/services/cliRuntime.ts` permits CLI config writes by default unless `CLI_ALLOW_CONFIG_WRITES=false`.
Evidence against
  • No install hook writes AI-agent configuration; postinstall is limited to bundled native-module compatibility.
  • Agent-config mutations are runtime POST actions, validate request bodies, and create backups first.
  • CLI launch reads local `.env` files and starts the packaged local server; no exfiltration endpoint was found in reviewed entrypoints.
  • Reviewed lifecycle, CLI, and server-wrapper sources contain no credential upload, remote payload execution, destructive wipe, or stealth persistence.
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNativeBindingsNetworkShellWebSocket
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 1,837 file(s), 9.77 MB of source, external domains: 10.0.0.1, 127.0.0.1, 169.254.169.254, 192.168.1.10, accounts.google.com, agent.api5.cursor.sh, agentn.api5.cursor.sh, ai.google.dev, aimlapi.com, aiplatform.googleapis.com, api-docs.deepseek.com, api-inference.huggingface.co, api.aimlapi.com, api.anthropic.com, api.assemblyai.com, api.blackbox.ai, api.cartesia.ai, api.cerebras.ai, api.cline.bot, api.cloudflare.com, api.cohere.com, api.commandcode.ai, api.deepgram.com, api.deepinfra.com, api.deepseek.com, api.elevenlabs.io, api.epsiloncode.pl, api.exa.ai, api.example.com, api.fireworks.ai, api.getgoapi.com, api.github.com, api.githubcopilot.com, api.groq.com, api.hyperbolic.xyz, api.inworld.ai, api.kilo.ai, api.kimi.com, api.laozhang.ai, api.longcat.chat, api.minimax.io, api.minimaxi.com, api.mistral.ai, api.moonshot.ai, api.nanobananaapi.ai, api.ollama.com, api.openai.com, api.perplexity.ai, api.play.ht, api.provider.com

Source & flagged code

31 flagged · loading source
package.jsonView file
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
app/.next/server/chunks/_d1e03206._.jsView file
44patternName = private_key_rsa severity = critical line = 44 matchedText = `),c.pus...(r)}
Critical
Critical Secret

Package contains a critical-looking secret pattern.

app/.next/server/chunks/_d1e03206._.jsView on unpkg · L44
44patternName = private_key_rsa severity = critical line = 44 matchedText = `),c.pus...(r)}
Critical
Secret Pattern

RSA private key in app/.next/server/chunks/_d1e03206._.js

app/.next/server/chunks/_d1e03206._.jsView on unpkg · L44
app/dbsetup.jsView file
2L3: import { spawn } from 'node:child_process' L4:
High
Child Process

Package source references child process execution.

app/dbsetup.jsView on unpkg · L2
12function exec(command) { L13: const child = spawn(command, { shell: true, stdio: 'inherit', env }) L14: return new Promise((resolve, reject) => {
High
Shell

Package source references shell execution.

app/dbsetup.jsView on unpkg · L12
6L7: await exec('npx next build --experimental-build-mode generate') L8:
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

app/dbsetup.jsView on unpkg · L6
app/bin/routiform.mjsView file
109try { L110: const { run } = await import("./cli/dispatch.mjs"); L111: await run(args);
Medium
Dynamic Require

Package source references dynamic require/import behavior.

app/bin/routiform.mjsView on unpkg · L109
app/open-sse/services/qoderCli.tsView file
1import { spawn as _spawn } from "child_process"; L2: import crypto from "crypto"; ... L14: // The two tier IDs below are the universally-available smart-routing wrappers L15: // listed at https://docs.qoder.com/user-guide/chat/model-tier-selector. L16: // Frontier models (qmodel/dmodel/...) are intentionally NOT hard-coded — the ... L38: code: number | null; L39: stdout: string; L40: stderr: string; ... L59: export function getQoderCliCommand(): string { L60: const explicit = String(process.env.CLI_QODER_BIN || "").trim(); L61: return explicit || "qodercli"; ... L69: const home = String(process.env.HOME || "").trim();
Low
Weak Crypto

Package source references weak cryptographic algorithms.

app/open-sse/services/qoderCli.tsView on unpkg · L1
app/scripts/run-ecosystem-tests.mjsView file
2L3: import { spawn } from "node:child_process"; L4: import { setTimeout as delay } from "node:timers/promises"; ... L6: L7: const port = process.env.DASHBOARD_PORT || process.env.PORT || "20128"; L8: const baseUrl = process.env.ROUTIFORM_BASE_URL || `http://localhost:${port}`; L9: const healthUrl = `${baseUrl}/api/monitoring/health`;
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

app/scripts/run-ecosystem-tests.mjsView on unpkg · L2
app/scripts/postinstall.mjsView file
14* L15: * Fixes: https://github.com/linhnguyen-gt/Routiform/issues/129 L16: * Fixes: https://github.com/linhnguyen-gt/Routiform/issues/321 ... L26: const __filename = fileURLToPath(import.meta.url); L27: const __dirname = dirname(__filename); L28: const ROOT = join(__dirname, ".."); ... L52: const platformMatch = L53: process.platform === PUBLISHED_BUILD_PLATFORM && process.arch === PUBLISHED_BUILD_ARCH; L54: ... L88: try { L89: const { execSync } = await import("node:child_process"); L90: // better-sqlite3 bundles @mapbox/node-pre-gyp — use it directly
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

app/scripts/postinstall.mjsView on unpkg · L14
app/src/lib/network/safeOutboundFetch.tsView file
1import { isIP } from "node:net"; L2: import { lookup } from "node:dns/promises"; L3: ... L18: allowLoopback?: boolean; L19: allowPrivateAddress?: boolean; L20: }
High
Cloud Metadata Access

Source reaches cloud instance metadata or link-local credential endpoints.

app/src/lib/network/safeOutboundFetch.tsView on unpkg · L1
app/open-webui/static/sql.js/sql-wasm.wasmView file
path = app/open-webui/static/sql.js/sql-wasm.wasm kind = wasm_module sizeBytes = 659730 magicHex = [redacted]
Medium
Ships Wasm Module

Package ships WebAssembly modules.

app/open-webui/static/sql.js/sql-wasm.wasmView on unpkg
app/open-webui/scripts/generate-sbom.shView file
path = app/open-webui/scripts/generate-sbom.sh kind = build_helper sizeBytes = 5788 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

app/open-webui/scripts/generate-sbom.shView on unpkg
app/open-webui/static/audio/greeting.mp3View file
path = app/open-webui/static/audio/greeting.mp3 kind = high_entropy_blob sizeBytes = 16320 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

app/open-webui/static/audio/greeting.mp3View on unpkg
app/tests/security/test-cloud-sync-and-call.shView file
path = app/tests/security/test-cloud-sync-and-call.sh kind = payload_in_excluded_dir sizeBytes = 3567 magicHex = [redacted]
High
Payload In Excluded Dir

Package hides binary, compressed, or executable-looking payloads in test/fixture/hidden paths.

app/tests/security/test-cloud-sync-and-call.shView on unpkg
app/.next/server/chunks/ssr/_64b9964f._.jsView file
path = app/.next/server/chunks/ssr/_64b9964f._.js kind = oversized_source_file sizeBytes = 3270371 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

app/.next/server/chunks/ssr/_64b9964f._.jsView on unpkg
app/server.jsView file
matchType = previous_version_dangerous_delta matchedPackage = routiform@3.37.0 matchedIdentity = npm:cm91dGlmb3Jt:3.37.0 similarity = 0.833 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

app/server.jsView on unpkg
app/tests/unit/login-bootstrap-route.test.mjsView file
77patternName = generic_password severity = medium line = 77 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in app/tests/unit/login-bootstrap-route.test.mjs

app/tests/unit/login-bootstrap-route.test.mjsView on unpkg · L77
140patternName = generic_password severity = medium line = 140 matchedText = const pa...et";
Medium
Secret Pattern

Hardcoded password in app/tests/unit/login-bootstrap-route.test.mjs

app/tests/unit/login-bootstrap-route.test.mjsView on unpkg · L140
167patternName = generic_password severity = medium line = 167 matchedText = body: JS... }),
Medium
Secret Pattern

Hardcoded password in app/tests/unit/login-bootstrap-route.test.mjs

app/tests/unit/login-bootstrap-route.test.mjsView on unpkg · L167
app/tests/unit/api-auth.test.mjsView file
152patternName = generic_password severity = medium line = 152 matchedText = await lo... });
Medium
Secret Pattern

Hardcoded password in app/tests/unit/api-auth.test.mjs

app/tests/unit/api-auth.test.mjsView on unpkg · L152
app/tests/unit/mitm-core.test.mjsView file
108patternName = private_key_rsa severity = critical line = 108 matchedText = assert.o...M");
Critical
Secret Pattern

RSA private key in app/tests/unit/mitm-core.test.mjs

app/tests/unit/mitm-core.test.mjsView on unpkg · L108
app/tests/unit/require-management-auth.test.mjsView file
34patternName = generic_password severity = medium line = 34 matchedText = await up... });
Medium
Secret Pattern

Hardcoded password in app/tests/unit/require-management-auth.test.mjs

app/tests/unit/require-management-auth.test.mjsView on unpkg · L34
app/tests/unit/provider-validation-branches.test.mjsView file
433patternName = private_key_rsa severity = critical line = 433 matchedText = private_...\n",
Critical
Secret Pattern

RSA private key in app/tests/unit/provider-validation-branches.test.mjs

app/tests/unit/provider-validation-branches.test.mjsView on unpkg · L433
app/tests/unit/mcp-management-routes-auth.test.mjsView file
44patternName = generic_password severity = medium line = 44 matchedText = password...rd",
Medium
Secret Pattern

Hardcoded password in app/tests/unit/mcp-management-routes-auth.test.mjs

app/tests/unit/mcp-management-routes-auth.test.mjsView on unpkg · L44
app/.next/server/chunks/_5664c74a._.jsView file
44patternName = private_key_rsa severity = critical line = 44 matchedText = `),c.pus...(r)}
Critical
Secret Pattern

RSA private key in app/.next/server/chunks/_5664c74a._.js

app/.next/server/chunks/_5664c74a._.jsView on unpkg · L44
app/.next/server/chunks/_593a35c0._.jsView file
201patternName = private_key_rsa severity = critical line = 201 matchedText = `),c.pus...(r)}
Critical
Secret Pattern

RSA private key in app/.next/server/chunks/_593a35c0._.js

app/.next/server/chunks/_593a35c0._.jsView on unpkg · L201
app/.next/server/chunks/_ba688be4._.jsView file
199patternName = private_key_rsa severity = critical line = 199 matchedText = `),c.pus...nt:`
Critical
Secret Pattern

RSA private key in app/.next/server/chunks/_ba688be4._.js

app/.next/server/chunks/_ba688be4._.jsView on unpkg · L199
app/.next/server/chunks/[root-of-the-server]__589a4c58._.jsView file
3patternName = generic_password severity = medium line = 3 matchedText = `),s.std...)}];
Medium
Secret Pattern

Hardcoded password in app/.next/server/chunks/[root-of-the-server]__589a4c58._.js

app/.next/server/chunks/[root-of-the-server]__589a4c58._.jsView on unpkg · L3
app/src/mitm/manager.tsView file
326patternName = generic_password severity = medium line = 326 matchedText = console....ge);
Medium
Secret Pattern

Hardcoded password in app/src/mitm/manager.ts

app/src/mitm/manager.tsView on unpkg · L326

Findings

8 Critical10 High15 Medium6 Low
CriticalCritical Secretapp/.next/server/chunks/_d1e03206._.js
CriticalPrevious Version Dangerous Deltaapp/server.js
CriticalSecret Patternapp/tests/unit/mitm-core.test.mjs
CriticalSecret Patternapp/tests/unit/provider-validation-branches.test.mjs
CriticalSecret Patternapp/.next/server/chunks/_d1e03206._.js
CriticalSecret Patternapp/.next/server/chunks/_5664c74a._.js
CriticalSecret Patternapp/.next/server/chunks/_593a35c0._.js
CriticalSecret Patternapp/.next/server/chunks/_ba688be4._.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processapp/dbsetup.js
HighShellapp/dbsetup.js
HighSame File Env Network Executionapp/scripts/run-ecosystem-tests.mjs
HighSandbox Evasion Gated Capabilityapp/scripts/postinstall.mjs
HighCloud Metadata Accessapp/src/lib/network/safeOutboundFetch.ts
HighRuntime Package Installapp/dbsetup.js
HighShips High Entropy Blobapp/open-webui/static/audio/greeting.mp3
HighPayload In Excluded Dirapp/tests/security/test-cloud-sync-and-call.sh
HighOversized Source Fileapp/.next/server/chunks/ssr/_64b9964f._.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumDynamic Requireapp/bin/routiform.mjs
MediumNetwork
MediumEnvironment Vars
MediumShips Wasm Moduleapp/open-webui/static/sql.js/sql-wasm.wasm
MediumShips Build Helperapp/open-webui/scripts/generate-sbom.sh
MediumStructural Risk Force Deep Review
MediumSecret Patternapp/tests/unit/login-bootstrap-route.test.mjs
MediumSecret Patternapp/tests/unit/login-bootstrap-route.test.mjs
MediumSecret Patternapp/tests/unit/login-bootstrap-route.test.mjs
MediumSecret Patternapp/tests/unit/api-auth.test.mjs
MediumSecret Patternapp/tests/unit/require-management-auth.test.mjs
MediumSecret Patternapp/tests/unit/mcp-management-routes-auth.test.mjs
MediumSecret Patternapp/.next/server/chunks/[root-of-the-server]__589a4c58._.js
MediumSecret Patternapp/src/mitm/manager.ts
LowNon Install Lifecycle Scripts
LowScripts Present
LowWeak Cryptoapp/open-sse/services/qoderCli.ts
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings