agentaudit 3.9.12 → 3.9.13

package/README.md

@@ -454,10 +454,32 @@ Or use without installing: `npx agentaudit`
 ### Do I need an API key?
 
 - **Quick scan** (`scan`): No API key needed — runs locally with regex
-- **Deep audit** (`audit`): Needs `ANTHROPIC_API_KEY` or `OPENAI_API_KEY`
+- **Deep audit** (`audit`): Needs an LLM API key (see below)
 - **Registry lookup** (`lookup`): No key needed for reading; key needed for uploading reports
 - **MCP server**: No extra key needed — uses the host editor's LLM
 
+### Setting up your LLM key for deep audits
+
+The `audit` command supports **Anthropic (Claude)** and **OpenAI (GPT-4o)**. Set one of these environment variables:
+
+```bash
+# Linux / macOS
+export ANTHROPIC_API_KEY=sk-ant-...    # Recommended
+export OPENAI_API_KEY=sk-...           # Alternative
+
+# Windows (PowerShell)
+$env:ANTHROPIC_API_KEY = "sk-ant-..."
+$env:OPENAI_API_KEY = "sk-..."
+
+# Windows (CMD)
+set ANTHROPIC_API_KEY=sk-ant-...
+set OPENAI_API_KEY=sk-...
+```
+
+**Priority:** If both are set, Anthropic is used. The active provider is shown during the audit.
+
+**Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.
+
 ### What data is sent externally?
 
 - **Registry lookups**: Package name/slug is sent to `agentaudit.dev` to check for existing audits

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.12",
+  "version": "3.9.13",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {