agentaudit 3.9.15 → 3.9.17

package/README.md

@@ -207,6 +207,7 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
 | `agentaudit scan <url> --deep` | Deep audit (same as `audit`) | `agentaudit scan https://github.com/owner/repo --deep` |
 | `agentaudit audit <url>` | Deep LLM-powered 3-pass audit (~30s) | `agentaudit audit https://github.com/owner/repo` |
 | `agentaudit lookup <name>` | Look up package in trust registry | `agentaudit lookup fastmcp` |
+| `agentaudit check <name\|url>` | Lookup + auto-audit if not found | `agentaudit check https://github.com/owner/repo` |
 | `agentaudit setup` | Register agent + configure API key | `agentaudit setup` |
 
 ### Global Flags
@@ -235,7 +236,7 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
 |---|---------------------|---------------------|
 | **Speed** | ~2 seconds | ~30 seconds |
 | **Method** | Regex pattern matching | LLM-powered 3-pass analysis |
-| **API key needed** | No | Yes (`ANTHROPIC_API_KEY` or `OPENAI_API_KEY`) |
+| **API key needed** | No | Yes (Anthropic, OpenAI, or OpenRouter) |
 | **False positives** | Higher (regex limitations) | Very low (context-aware) |
 | **Detects** | Common patterns (injection, secrets, eval) | Complex attack chains, AI-specific threats, obfuscation |
 | **Best for** | Quick triage, CI pipelines | Critical packages, pre-production review |
@@ -434,6 +435,8 @@ export AGENTAUDIT_API_KEY=asf_your_key_here
 | `AGENTAUDIT_API_KEY` | API key for registry access |
 | `ANTHROPIC_API_KEY` | Anthropic API key for deep audits (Claude) |
 | `OPENAI_API_KEY` | OpenAI API key for deep audits (GPT-4o) |
+| `OPENROUTER_API_KEY` | OpenRouter API key (access 200+ models) |
+| `OPENROUTER_MODEL` | Model to use via OpenRouter (default: `anthropic/claude-sonnet-4`) |
 | `NO_COLOR` | Disable ANSI colors ([no-color.org](https://no-color.org)) |
 
 ---
@@ -465,23 +468,31 @@ Or use without installing: `npx agentaudit`
 
 ### Setting up your LLM key for deep audits
 
-The `audit` command supports **Anthropic (Claude)** and **OpenAI (GPT-4o)**. Set one of these environment variables:
+The `audit` command supports **three LLM providers**. Set one of these environment variables:
 
 ```bash
 # Linux / macOS
-export ANTHROPIC_API_KEY=sk-ant-...    # Recommended
-export OPENAI_API_KEY=sk-...           # Alternative
+export ANTHROPIC_API_KEY=sk-ant-...       # Recommended (Claude Sonnet)
+export OPENAI_API_KEY=sk-...              # Alternative (GPT-4o)
+export OPENROUTER_API_KEY=sk-or-...       # 200+ models via OpenRouter
 
 # Windows (PowerShell)
 $env:ANTHROPIC_API_KEY = "sk-ant-..."
 $env:OPENAI_API_KEY = "sk-..."
+$env:OPENROUTER_API_KEY = "sk-or-..."
 
 # Windows (CMD)
 set ANTHROPIC_API_KEY=sk-ant-...
 set OPENAI_API_KEY=sk-...
+set OPENROUTER_API_KEY=sk-or-...
 ```
 
-**Priority:** If both are set, Anthropic is used. The active provider is shown during the audit.
+**Provider priority:** Anthropic > OpenAI > OpenRouter. The active provider is shown during the audit.
+
+**OpenRouter model selection:** By default, OpenRouter uses `anthropic/claude-sonnet-4`. Override with:
+```bash
+export OPENROUTER_MODEL=google/gemini-2.5-pro    # or any model on openrouter.ai
+```
 
 **Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.
 

package/cli.mjs

@@ -8,6 +8,7 @@
  *   agentaudit scan <repo-url> [--deep]             Quick scan (or deep audit with --deep)
  *   agentaudit audit <repo-url>                     Deep LLM-powered security audit
  *   agentaudit lookup <name>                        Look up package in registry
+ *   agentaudit check <name|url>                     Lookup + auto-audit if not found
  *   agentaudit setup                                Register + configure API key
  * 
  * Global flags: --json, --quiet, --no-color
@@ -1309,15 +1310,17 @@ async function auditRepo(url) {
   // Check for API keys to determine which LLM to use
   const anthropicKey = process.env.ANTHROPIC_API_KEY;
   const openaiKey = process.env.OPENAI_API_KEY;
-  const activeProvider = anthropicKey ? 'Anthropic (Claude)' : openaiKey ? 'OpenAI (GPT-4o)' : null;
+  const openrouterKey = process.env.OPENROUTER_API_KEY;
+  const openrouterModel = process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4';
+  const activeProvider = anthropicKey ? 'Anthropic (Claude)' : openaiKey ? 'OpenAI (GPT-4o)' : openrouterKey ? `OpenRouter (${openrouterModel})` : null;
   
-  if (!anthropicKey && !openaiKey) {
+  if (!anthropicKey && !openaiKey && !openrouterKey) {
     // No LLM API key — clear explanation
     console.log();
     console.log(`  ${c.yellow}No LLM API key found.${c.reset} The ${c.bold}audit${c.reset} command needs an LLM to analyze code.`);
     console.log();
     console.log(`  ${c.bold}Option 1: Set an API key${c.reset}`);
-    console.log(`  Supported keys: ${c.cyan}ANTHROPIC_API_KEY${c.reset} or ${c.cyan}OPENAI_API_KEY${c.reset}`);
+    console.log(`  Supported keys: ${c.cyan}ANTHROPIC_API_KEY${c.reset}, ${c.cyan}OPENAI_API_KEY${c.reset}, or ${c.cyan}OPENROUTER_API_KEY${c.reset}`);
     console.log();
     console.log(`  ${c.dim}# Linux / macOS:${c.reset}`);
     console.log(`  ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
@@ -1420,15 +1423,22 @@ async function auditRepo(url) {
       const text = data.content?.[0]?.text || '';
       _lastLlmText = text;
       report = extractJSON(text);
-    } else if (openaiKey) {
-      const res = await fetch('https://api.openai.com/v1/chat/completions', {
+    } else if (openaiKey || openrouterKey) {
+      const isOpenRouter = !openaiKey && !!openrouterKey;
+      const apiUrl = isOpenRouter ? 'https://openrouter.ai/api/v1/chat/completions' : 'https://api.openai.com/v1/chat/completions';
+      const apiToken = isOpenRouter ? openrouterKey : openaiKey;
+      const modelName = isOpenRouter ? (process.env.OPENROUTER_MODEL || 'anthropic/claude-sonnet-4') : 'gpt-4o';
+      const extraHeaders = isOpenRouter ? { 'HTTP-Referer': 'https://agentaudit.dev', 'X-Title': 'AgentAudit' } : {};
+
+      const res = await fetch(apiUrl, {
         method: 'POST',
         headers: {
-          'Authorization': `Bearer ${openaiKey}`,
+          'Authorization': `Bearer ${apiToken}`,
           'Content-Type': 'application/json',
+          ...extraHeaders,
         },
         body: JSON.stringify({
-          model: 'gpt-4o',
+          model: modelName,
           max_tokens: 8192,
           messages: [
             { role: 'system', content: systemPrompt },
@@ -1535,6 +1545,13 @@ async function checkPackage(name) {
   const data = await checkRegistry(name);
   if (!data) {
     if (!jsonMode) {
+      // If input looks like a URL, offer to auto-audit
+      if (name.includes('github.com') || name.includes('://')) {
+        console.log(`  ${c.yellow}Not found in registry.${c.reset}`);
+        console.log(`  ${c.dim}Starting audit for ${name}...${c.reset}`);
+        console.log();
+        return await auditRepo(name);
+      }
       console.log(`  ${c.yellow}Not found${c.reset} — package "${name}" hasn't been audited yet.`);
       console.log(`  ${c.dim}Run: agentaudit audit <repo-url> for a deep LLM audit${c.reset}`);
     }
@@ -1638,6 +1655,7 @@ async function main() {
     console.log(`    ${c.cyan}agentaudit scan${c.reset} <url> ${c.dim}--deep${c.reset}                Deep audit (same as audit)`);
     console.log(`    ${c.cyan}agentaudit audit${c.reset} <url> [url...]              Deep LLM-powered security audit`);
     console.log(`    ${c.cyan}agentaudit lookup${c.reset} <name>                     Look up package in registry`);
+    console.log(`    ${c.cyan}agentaudit check${c.reset} <name|url>                  Lookup + auto-audit if not found`);
     console.log(`    ${c.cyan}agentaudit setup${c.reset}                             Register + configure API key`);
     console.log();
     console.log(`  ${c.bold}Global flags:${c.reset}`);
@@ -1659,13 +1677,18 @@ async function main() {
     console.log(`    agentaudit audit https://github.com/owner/repo`);
     console.log(`    agentaudit lookup fastmcp --json`);
     console.log();
-    console.log(`  ${c.bold}For deep audits,${c.reset} set an LLM API key:`);
+    console.log(`  ${c.bold}For deep audits,${c.reset} set an LLM API key (any one):`);
     if (process.platform === 'win32') {
       console.log(`    ${c.dim}PowerShell:  $env:ANTHROPIC_API_KEY = "sk-ant-..."${c.reset}`);
+      console.log(`    ${c.dim}             $env:OPENAI_API_KEY = "sk-..."${c.reset}`);
+      console.log(`    ${c.dim}             $env:OPENROUTER_API_KEY = "sk-or-..."${c.reset}`);
       console.log(`    ${c.dim}CMD:         set ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
-      console.log(`    ${c.dim}(or use OPENAI_API_KEY instead)${c.reset}`);
+      console.log(`    ${c.dim}             set OPENAI_API_KEY=sk-...${c.reset}`);
+      console.log(`    ${c.dim}             set OPENROUTER_API_KEY=sk-or-...${c.reset}`);
     } else {
-      console.log(`    ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}    ${c.dim}(or OPENAI_API_KEY)${c.reset}`);
+      console.log(`    ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
+      console.log(`    ${c.dim}export OPENAI_API_KEY=sk-...${c.reset}`);
+      console.log(`    ${c.dim}export OPENROUTER_API_KEY=sk-or-...${c.reset}    ${c.dim}(200+ models, set OPENROUTER_MODEL to pick)${c.reset}`);
     }
     console.log();
     console.log(`  ${c.bold}Or use as MCP server${c.reset} in Cursor/Claude ${c.dim}(no extra API key needed):${c.reset}`);

package/package.json

@@ -1,6 +1,6 @@
 {
   "name": "agentaudit",
-  "version": "3.9.15",
+  "version": "3.9.17",
   "description": "Security scanner for AI packages — MCP server + CLI",
   "type": "module",
   "bin": {