llm-router
Warn
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: MEDIUMEXTERNAL_DOWNLOADSCOMMAND_EXECUTION
Full Analysis
- EXTERNAL_DOWNLOADS (MEDIUM): The file
scripts/check_install_cli.shexecutesnpm install -g swiftopenai-cli. This downloads and installs a package from the public npm registry. Since the author and package are not on the trusted source list, this is classified as an unverifiable dependency installation. - COMMAND_EXECUTION (LOW): The scripts execute several local system commands including
npm,swiftopenai,tr, andcutto manage the installation and configuration of the CLI tool. - PERSISTENCE_MECHANISMS (LOW): The script
scripts/configure_provider.shand the documentation inreferences/providers.mdencourage users to append API keys to shell profile files such as~/.zshrcor~/.bashrc. Although the script does not automate this modification, it explicitly suggests a pattern for persisting sensitive environment variables. - CREDENTIALS_UNSAFE (SAFE): The skill does not contain hardcoded secrets. It includes placeholders (e.g.,
sk-...,gsk_...) and directs users to provide their own keys via environment variables or interactive configuration.
Audit Metadata