Skip to main content
Scans/pypi/claude-mux

claude-mux

pypi

Share

Summary

claude-mux v1.0.3 was classified as CRITICAL RISK with a risk score of 542. Sigil detected 29 findings across 42 files, covering phases including provenance, network exfiltration, install hooks. Review the findings below before installing this package.

Package description: Claude Proxy Router - 智能代理路由器

CRITICAL RISK(542)

v1.0.3

20 March 2026, 18:06 UTC

by Sigil Bot

Risk Score

542

Findings

29

Files Scanned

42

Provenance

Registry

https://pypi.org/project/claude-mux/1.0.3/

Findings by Phase

Phase Ordering

Phases are ordered by criticality, with the most dangerous at the top. Click any phase header to expand or collapse its findings. Critical phases are expanded by default.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/PKG-INFO:48

# 一行命令即可运行(自动创建临时环境)
curl -LsSf https://astral.sh/uv/uvx-install.sh | sh && uvx claude-mux
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/PKG-INFO:55

# 1. 安装 uv(如果还没有)
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/PKG-INFO:84

```bash
curl -fsSL https://raw.githubusercontent.com/YOUR_USERNAME/claude-mux/main/scripts/install.sh | bash
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/README.md:21

# 一行命令即可运行(自动创建临时环境)
curl -LsSf https://astral.sh/uv/uvx-install.sh | sh && uvx claude-mux
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/README.md:28

# 1. 安装 uv(如果还没有)
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/README.md:57

```bash
curl -fsSL https://raw.githubusercontent.com/YOUR_USERNAME/claude-mux/main/scripts/install.sh | bash
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:26

| Docker | `docker run ...` | ✅ 良好 | ⭐⭐⭐⭐ | 运维部署 |
| 一键脚本 | `curl ...\|bash` | ✅ 良好 | ⭐⭐⭐⭐⭐ | 快速体验 |
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:319

    echo -e "方案 C: 先安装 uv(uv 会自动下载 Python)"
    echo -e "  ${YELLOW}curl -LsSf https://astral.sh/uv/install.sh | sh${NC}"
    echo -e "  ${YELLOW}# 注意:uv 需要从 GitHub 下载 Python,国内可能较慢${NC}"
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:577

# 一行命令即可运行(自动创建临时环境)
curl -LsSf https://astral.sh/uv/uvx-install.sh | sh && uvx claude-mux
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:584

# 1. 安装 uv(如果还没有)
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:646

```bash
curl -fsSL https://raw.githubusercontent.com/YOUR_USERNAME/claude-mux/main/scripts/install.sh | bash
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:779

```bash
curl -fsSL https://install.claude-mux.dev | bash
```
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/superpowers/plans/2026-03-20-one-click-distribution.md:816

|----------|------|----------|----------|
| **uvx(推荐)** | `curl -LsSf https://astral.sh/uv/uvx-install.sh \| sh && uvx claude-mux` | ✅ 极速 | 快速体验、零门槛 |
| **pipx** | `pipx install claude-mux` | ⚠️ 需代理 | 开发者长期使用 |
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/uv-tool-installation-guide.md:24

# macOS / Linux
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/docs/uv-tool-installation-guide.md:97

# macOS / Linux
curl -LsSf https://astral.sh/uv/install.sh | sh
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

install-makefile-curl

HIGH

Makefile/script pipes remote content to shell

claude_mux-1.0.3/scripts/install.sh:91

    echo -e "方案 C: 先安装 uv(uv 会自动下载 Python)"
    echo -e "  ${YELLOW}curl -LsSf https://astral.sh/uv/install.sh | sh${NC}"
    echo -e "  ${YELLOW}# 注意:uv 需要从 GitHub 下载 Python,国内可能较慢${NC}"
Why was this flagged?

A script or Makefile pipes content from a remote URL directly into a shell (curl | sh or wget | bash). This is inherently dangerous because the remote content can change at any time, and the command runs with the current user's permissions. Rated HIGH because it requires manual execution (unlike install hooks) but still executes arbitrary remote code.

Badge

Sigil scan badge for pypi/claude-mux

Markdown

[![Sigil Scan](https://sigilsec.ai/badge/pypi/claude-mux)](https://sigilsec.ai/scans/832BB0DC-E5C4-4E88-8640-73AA41BBB597)

HTML

<a href="https://sigilsec.ai/scans/832BB0DC-E5C4-4E88-8640-73AA41BBB597"><img src="https://sigilsec.ai/badge/pypi/claude-mux" alt="Sigil Scan"></a>

Run This Scan Yourself

Scan your own packages

Run Sigil locally to audit any package before it touches your codebase.

curl -sSL https://sigilsec.ai/install.sh | sh
Read the docs →Free. Apache 2.0.

Early Access

Get cloud scanning, threat intel, and CI/CD integration.

Join 150+ developers on the waitlist.

Get threat intelligence and product updates

Security research, new threat signatures, and product updates. No spam.

Other pypi scans

discovery-engine-api

v0.2.79

MEDIUM RISK20

models-dev

v1.0.207

LOW RISK8

synapsekit

v1.2.0

CRITICAL RISK609

agentkit-cli

v0.74.0

CRITICAL RISK6583

mcp-tautulli

v1.0.0

LOW RISK8

Believe this result is incorrect? Request a review or see our Terms of Service and Methodology.

Scanned bySigil Bot
← Back to Scan Database