agentaudit 3.9.16 → 3.9.17

This diff represents the content of publicly available package versions that have been released to one of the supported registries. The information contained in this diff is provided for informational purposes only and reflects changes between package versions as they appear in their respective public registries.
Files changed (3)
  1. package/README.md +16 -5
  2. package/cli.mjs +10 -3
  3. package/package.json +1 -1
package/README.md CHANGED
@@ -207,6 +207,7 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
207
207
  | `agentaudit scan <url> --deep` | Deep audit (same as `audit`) | `agentaudit scan https://github.com/owner/repo --deep` |
208
208
  | `agentaudit audit <url>` | Deep LLM-powered 3-pass audit (~30s) | `agentaudit audit https://github.com/owner/repo` |
209
209
  | `agentaudit lookup <name>` | Look up package in trust registry | `agentaudit lookup fastmcp` |
210
+ | `agentaudit check <name\|url>` | Lookup + auto-audit if not found | `agentaudit check https://github.com/owner/repo` |
210
211
  | `agentaudit setup` | Register agent + configure API key | `agentaudit setup` |
211
212
 
212
213
  ### Global Flags
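Review bot: The new `agentaudit check <name\|url>` row does not say which audit runs when the lookup misses. The `audit` row above describes a deep LLM-powered pass of about 30 seconds, so if `check` falls back to that, the row should say an LLM API key is required and state what `check` does when none is set (fail, or fall back to the quick scan).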
@@ -235,7 +236,7 @@ Then ask your agent: *"Check which MCP servers I have installed and audit any un
235
236
  |---|---------------------|---------------------|
236
237
  | **Speed** | ~2 seconds | ~30 seconds |
237
238
  | **Method** | Regex pattern matching | LLM-powered 3-pass analysis |
238
- | **API key needed** | No | Yes (`ANTHROPIC_API_KEY` or `OPENAI_API_KEY`) |
239
+ | **API key needed** | No | Yes (Anthropic, OpenAI, or OpenRouter) |
239
240
  | **False positives** | Higher (regex limitations) | Very low (context-aware) |
240
241
  | **Detects** | Common patterns (injection, secrets, eval) | Complex attack chains, AI-specific threats, obfuscation |
241
242
  | **Best for** | Quick triage, CI pipelines | Critical packages, pre-production review |
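Review bot: The rewritten "API key needed" cell drops the variable names, so a reader of this comparison table no longer sees what to set. Keeping them costs little, for example "Yes (`ANTHROPIC_API_KEY`, `OPENAI_API_KEY` or `OPENROUTER_API_KEY`)".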
@@ -434,6 +435,8 @@ export AGENTAUDIT_API_KEY=asf_your_key_here
434
435
  | `AGENTAUDIT_API_KEY` | API key for registry access |
435
436
  | `ANTHROPIC_API_KEY` | Anthropic API key for deep audits (Claude) |
436
437
  | `OPENAI_API_KEY` | OpenAI API key for deep audits (GPT-4o) |
438
+ | `OPENROUTER_API_KEY` | OpenRouter API key (access 200+ models) |
439
+ | `OPENROUTER_MODEL` | Model to use via OpenRouter (default: `anthropic/claude-sonnet-4`) |
437
440
  | `NO_COLOR` | Disable ANSI colors ([no-color.org](https://no-color.org)) |
438
441
 
439
442
  ---
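Review bot: The `OPENROUTER_MODEL` row gives the default but not when the variable applies. With the documented priority Anthropic > OpenAI > OpenRouter, it has no effect whenever `ANTHROPIC_API_KEY` or `OPENAI_API_KEY` is also present; the row should say so, since a user who sets `OPENROUTER_MODEL` and sees a different model answer will otherwise have nothing to go on.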
@@ -465,23 +468,31 @@ Or use without installing: `npx agentaudit`
465
468
 
466
469
  ### Setting up your LLM key for deep audits
467
470
 
468
- The `audit` command supports **Anthropic (Claude)** and **OpenAI (GPT-4o)**. Set one of these environment variables:
471
+ The `audit` command supports **three LLM providers**. Set one of these environment variables:
469
472
 
470
473
  ```bash
471
474
  # Linux / macOS
472
- export ANTHROPIC_API_KEY=sk-ant-... # Recommended
473
- export OPENAI_API_KEY=sk-... # Alternative
475
+ export ANTHROPIC_API_KEY=sk-ant-... # Recommended (Claude Sonnet)
476
+ export OPENAI_API_KEY=sk-... # Alternative (GPT-4o)
477
+ export OPENROUTER_API_KEY=sk-or-... # 200+ models via OpenRouter
474
478
 
475
479
  # Windows (PowerShell)
476
480
  $env:ANTHROPIC_API_KEY = "sk-ant-..."
477
481
  $env:OPENAI_API_KEY = "sk-..."
482
+ $env:OPENROUTER_API_KEY = "sk-or-..."
478
483
 
479
484
  # Windows (CMD)
480
485
  set ANTHROPIC_API_KEY=sk-ant-...
481
486
  set OPENAI_API_KEY=sk-...
487
+ set OPENROUTER_API_KEY=sk-or-...
482
488
  ```
483
489
 
484
- **Priority:** If both are set, Anthropic is used. The active provider is shown during the audit.
490
+ **Provider priority:** Anthropic > OpenAI > OpenRouter. The active provider is shown during the audit.
491
+
492
+ **OpenRouter model selection:** By default, OpenRouter uses `anthropic/claude-sonnet-4`. Override with:
493
+ ```bash
494
+ export OPENROUTER_MODEL=google/gemini-2.5-pro # or any model on openrouter.ai
495
+ ```
485
496
 
486
497
  **Troubleshooting:** If you see `API error: Incorrect API key`, double-check your key is valid and has credits. Use `--debug` to see the full API response.
487
498
 
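Review bot: "or any model on openrouter.ai" in the `OPENROUTER_MODEL` example makes the audit verdict depend on a user-chosen model, while the comparison table still promises "Very low (context-aware)" false positives for deep audits. State which models that claim holds for, and have the audit output name the model as well as the provider, since "The active provider is shown during the audit" would only report OpenRouter. The fixed priority order also offers no way to pick OpenRouter while an older `ANTHROPIC_API_KEY` is still exported; an explicit provider selector would cover that.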
package/cli.mjs CHANGED
@@ -8,6 +8,7 @@
8
8
  * agentaudit scan <repo-url> [--deep] Quick scan (or deep audit with --deep)
9
9
  * agentaudit audit <repo-url> Deep LLM-powered security audit
10
10
  * agentaudit lookup <name> Look up package in registry
11
+ * agentaudit check <name|url> Lookup + auto-audit if not found
11
12
  * agentaudit setup Register + configure API key
12
13
  *
13
14
  * Global flags: --json, --quiet, --no-color
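Review bot: The usage comment now lists `agentaudit check <name|url>`, but no handler for it appears in this diff. The three cli.mjs hunks (this comment and two blocks of help strings) account for the whole +10 -3 reported for the file. Confirm that command dispatch for `check` shipped in an earlier version; otherwise the help text advertises a command that does not exist.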
@@ -1654,6 +1655,7 @@ async function main() {
1654
1655
  console.log(` ${c.cyan}agentaudit scan${c.reset} <url> ${c.dim}--deep${c.reset} Deep audit (same as audit)`);
1655
1656
  console.log(` ${c.cyan}agentaudit audit${c.reset} <url> [url...] Deep LLM-powered security audit`);
1656
1657
  console.log(` ${c.cyan}agentaudit lookup${c.reset} <name> Look up package in registry`);
1658
+ console.log(` ${c.cyan}agentaudit check${c.reset} <name|url> Lookup + auto-audit if not found`);
1657
1659
  console.log(` ${c.cyan}agentaudit setup${c.reset} Register + configure API key`);
1658
1660
  console.log();
1659
1661
  console.log(` ${c.bold}Global flags:${c.reset}`);
@@ -1675,13 +1677,18 @@ async function main() {
1675
1677
  console.log(` agentaudit audit https://github.com/owner/repo`);
1676
1678
  console.log(` agentaudit lookup fastmcp --json`);
1677
1679
  console.log();
1678
- console.log(` ${c.bold}For deep audits,${c.reset} set an LLM API key:`);
1680
+ console.log(` ${c.bold}For deep audits,${c.reset} set an LLM API key (any one):`);
1679
1681
  if (process.platform === 'win32') {
1680
1682
  console.log(` ${c.dim}PowerShell: $env:ANTHROPIC_API_KEY = "sk-ant-..."${c.reset}`);
1683
+ console.log(` ${c.dim} $env:OPENAI_API_KEY = "sk-..."${c.reset}`);
1684
+ console.log(` ${c.dim} $env:OPENROUTER_API_KEY = "sk-or-..."${c.reset}`);
1681
1685
  console.log(` ${c.dim}CMD: set ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
1682
- console.log(` ${c.dim}(or use OPENAI_API_KEY instead)${c.reset}`);
1686
+ console.log(` ${c.dim} set OPENAI_API_KEY=sk-...${c.reset}`);
1687
+ console.log(` ${c.dim} set OPENROUTER_API_KEY=sk-or-...${c.reset}`);
1683
1688
  } else {
1684
- console.log(` ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset} ${c.dim}(or OPENAI_API_KEY)${c.reset}`);
1689
+ console.log(` ${c.dim}export ANTHROPIC_API_KEY=sk-ant-...${c.reset}`);
1690
+ console.log(` ${c.dim}export OPENAI_API_KEY=sk-...${c.reset}`);
1691
+ console.log(` ${c.dim}export OPENROUTER_API_KEY=sk-or-...${c.reset} ${c.dim}(200+ models, set OPENROUTER_MODEL to pick)${c.reset}`);
1685
1692
  }
1686
1693
  console.log();
1687
1694
  console.log(` ${c.bold}Or use as MCP server${c.reset} in Cursor/Claude ${c.dim}(no extra API key needed):${c.reset}`);
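Review bot: The help text now says "set an LLM API key (any one)" and lists three variables, but leaves out the priority order the README states (Anthropic > OpenAI > OpenRouter), so a user with more than one key exported cannot tell from `--help` which provider will receive the code under audit. Add one line with the order. As with `check`, no line in this diff reads `OPENROUTER_API_KEY` or `OPENROUTER_MODEL`; verify the provider code is already present in 3.9.16.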
package/package.json CHANGED
@@ -1,6 +1,6 @@
1
1
  {
2
2
  "name": "agentaudit",
3
- "version": "3.9.16",
3
+ "version": "3.9.17",
4
4
  "description": "Security scanner for AI packages — MCP server + CLI",
5
5
  "type": "module",
6
6
  "bin": {