| export const openrouter = createOpenAI({ | ||
| baseURL: 'https://openrouter.ai/api/v1', | ||
| name: 'openrouter', | ||
| }); |
🔴 OpenRouter provider uses OpenAI API key, leaking it to a third-party service
The openrouter provider at lib/models.ts:17-20 is created via createOpenAI without specifying an apiKey. The createOpenAI function from @ai-sdk/openai defaults to using the OPENAI_API_KEY environment variable. This means when the kimi-k2 model is invoked, the user's OpenAI API key is sent as the Bearer token to https://openrouter.ai/api/v1 — a third-party service. This is both a security vulnerability (API key leakage) and a functional bug (OpenRouter will reject the OpenAI key, causing authentication failures).
| export const openrouter = createOpenAI({ | |
| baseURL: 'https://openrouter.ai/api/v1', | |
| name: 'openrouter', | |
| }); | |
| export const openrouter = createOpenAI({ | |
| baseURL: 'https://openrouter.ai/api/v1', | |
| apiKey: process.env.OPENROUTER_API_KEY, | |
| name: 'openrouter', | |
| }); |
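Review bot: In the suggested block, `apiKey: process.env.OPENROUTER_API_KEY` evaluates to undefined when that variable is unset, which is equivalent to omitting apiKey, so the OPENAI_API_KEY default described in the comment could still be sent to https://openrouter.ai/api/v1. Read the variable before calling createOpenAI, throw if it is missing or empty, and pass the checked value as apiKey so a misconfigured deployment fails at startup instead of sending the wrong key.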
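A fail-closed way to bind each provider key to the host it was issued for, so one provider's key is never used as another's default. This is an added example, not code from this PR or from @ai-sdk/openai; the host-to-variable map, `resolveApiKey`, `providerSettings` and the sample key values are assumptions made for illustration.

```javascript
// Which environment variable holds the key for which API host (assumed map).
const KEY_ENV_BY_HOST = new Map([
  ['api.openai.com', 'OPENAI_API_KEY'],
  ['openrouter.ai', 'OPENROUTER_API_KEY'],
]);

// Return the key that belongs to baseURL's host, or throw.
// Never falls back to a key that was issued for a different host.
function resolveApiKey(baseURL, env) {
  const { protocol, hostname } = new URL(baseURL);
  if (protocol !== 'https:') {
    throw new Error(`refusing to send credentials over ${protocol}//`);
  }
  const varName = KEY_ENV_BY_HOST.get(hostname);
  if (!varName) {
    throw new Error(`no API key variable registered for host ${hostname}`);
  }
  const key = env[varName];
  if (typeof key !== 'string' || key.trim() === '') {
    throw new Error(`${varName} is not set; not falling back to another key`);
  }
  return key;
}

// Build the settings object for a provider factory with apiKey always set
// explicitly, so the factory's own default variable is never consulted.
function providerSettings(name, baseURL, env) {
  return { name, baseURL, apiKey: resolveApiKey(baseURL, env) };
}

// Constructed environments: one with only the OpenAI key, one with both.
const onlyOpenAI = { OPENAI_API_KEY: 'sk-constructed-openai' };
const both = { ...onlyOpenAI, OPENROUTER_API_KEY: 'sk-or-constructed' };

function demo() {
  const url = 'https://openrouter.ai/api/v1';
  const ok = providerSettings('openrouter', url, both);
  let failure = null;
  try {
    providerSettings('openrouter', url, onlyOpenAI); // must not reuse the OpenAI key
  } catch (err) {
    failure = err.message;
  }
  return { ok, failure };
}
```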
Summary
- `kimi-k2` model using OpenRouter

Testing
- `pnpm lint`

https://chatgpt.com/codex/tasks/task_e_687402f88aac8321a22c035fa6d3a2e6