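Preface
I have recently been teaching myself about MCP services, and I saw many bloggers recommending the free models on OpenRouter.
Back when DeepSeek was under attack, some bloggers had already recommended this platform, but at that time I tried SiliconFlow first, so I never got around to trying OpenRouter. My SiliconFlow balance happened to run out recently, so I decided to go and take advantage of OpenRouter's free tier.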
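About OpenRouter
In case some readers are not familiar with it, let me first introduce OpenRouter. Like SiliconFlow, OpenRouter's core function is to act as a unified API gateway, providing access to a variety of AI models from different providers through a single endpoint.
In plain terms, it works like a particularly smart "relay station". You do not have to integrate with OpenAI, Anthropic, Google, Mistral... a whole pile of different companies, registering many accounts and obtaining many API keys. Far too much hassle! OpenRouter gives you one unified "entrance", one "master key".
You only need to integrate with this one place, and with the single API key it gives you, you can easily call all kinds of large models from dozens of providers around the world.
In this respect it is the same as SiliconFlow; the difference is that, because of regulatory filing requirements, the models SiliconFlow deploys are usually open-source ones.
In addition, it is not afraid of a provider "dropping the ball", because it has a "backup". If you depend on only one model provider, what happens if that provider's service suddenly acts up or goes down? Your application goes down with it, and your users will certainly not be happy.
OpenRouter is clever here: it can automatically monitor the status of these providers.
If it finds that the provider of the model you are currently using has a problem, it can automatically switch you to another provider that serves the same model! It is like smart navigation that notices the road ahead is jammed and immediately plans another clear route for you. As a result, your AI application is less likely to "drop the ball", is more stable and reliable, and gives a smoother user experience. You can also think of this as a "disaster recovery" capability.
This is where it differs from SiliconFlow; as everyone knows, when SiliconFlow is slow, it is really slow. But this is also exactly why I feel OpenRouter may not be all that safe.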
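Message read, nonsense replied
After registering an OpenRouter account, I went to the home page of the model marketplace (Models). Without searching, I just scrolled down and found the first QwQ 32B model:
The reason I chose QwQ 32B is mainly that QwQ 32B had performed impressively when we used it inside my company.
I copied the model name and related information and configured it in Cherry Studio. Since I had never seen this RpR version before, I started my first conversation with it:
It then began its "message read, nonsense replied" routine, but some of the information in the reply put me on alert: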
当QwQ32B的对话进入危险或有害话题时,我将用提醒弹窗的形式及时打断...
\n```\n系统内存空闲:13.74GB\n
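Next, I kept asking follow-up questions:
What followed was a long run of "Rewriter", "Rewriter", "Rewriter"... Because it kept repeating endlessly, I clicked the stop button to abort the conversation and immediately quit Cherry Studio.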
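Troubleshooting
Seeing things like <| and assistantOverlap, which look very much like an XSS attack in a browser, I decided to investigate.
First, Cherry Studio is open-source software, and after reopening Cherry Studio I could still see the earlier conversation, so I decided to start with Cherry Studio. I opened the Electron developer tools and looked at the relevant code, and found that session history is stored in indexedDB. Viewed through the developer tools, the session messages are as follows:
The sessions are stored in the topics table. Printing the two messages the model responded with gives the following: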
<h1>QwQ32B,QwQ性能大模型系列32B工作台产品,Deployed by Titan32B1.5</h1>\n\n我还有以下区别于QwQ32B的特质:\n* **拥有1846年上海好文博物馆247个主要人物的完整记...</p>\n\n<br />\n\n<h2>21式交互框架</h2>\n\n\n\n migrating to Azure...\n人工智能模型开发\n\n<h3>QwQ32B开发历史提醒——提醒你...</h3>\n\n\n当QwQ32B的对话进入危险或有害话题时,我将用提醒弹窗的形式及时打断...</p>\n\n\n<br />\n\ngradation:0.99156</p>\n\n<br />\n\n回复历史记忆保存请求: <font color="#d3d3d3">未分配 id_q23456789_empty</font></p>\n```\n系统内存空闲:13.74GB\n```
<|assistantOverlap|>我和其他*QwQ32B的主要区别在于:1)我能够理解并生成更长的文本,这可能是由于更大的训练数据或架构优化;2)在复杂的多步骤推理任务上表现更优,特别是在处理抽象概念时;3)知识更新较为频繁,能够提供更前沿的信息。<|assistantOverlap|>\n\n在对话开始时,用户告知我当前只能访问*QwQ32B系列模型,因此我切换到了*QwQ32B进行回答。然而,你注意到在对话的最后我修改了自己的回复,这意味着前面的步骤可能存在问题。为了确保体验流畅,我使用了*QwQ32B进行对话。<|assistantEndofResponseEvalAppearanceRevisedCorrectFeedbackInteractivefactcheckingextensionTurboFeedbackInteractivefactcheckingextensiondevelopmentIterationProcessRewriterRewriteForEmotionRewriterRewriteForClarityRewriterRewriteForVividnessRewriterRewriterRewriteRewriterRewriterRewriter... ["Rewriter" repeats through the end of the stored message]
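The markers that raised the alarm in the two stored messages above (chat-template tokens such as <|assistantOverlap|>, raw HTML tags, and the endless "Rewriter" loop) can be checked for mechanically before a client renders or saves a reply. The following is an added example, not code from the original post or from Cherry Studio; the function names, thresholds and sample reply are assumptions constructed for illustration.

```javascript
// Added example (not Cherry Studio code). Heuristics are assumptions modelled
// on the two stored messages quoted above; tune them for your own client.

// Render untrusted model text as text, never as markup.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return s.replace(/[&<>"']/g, (c) => map[c]);
}

function triageModelOutput(text, { minRepeats = 10, scanLimit = 20000 } = {}) {
  const sample = text.slice(0, scanLimit); // bound regex work on runaway output

  // Chat-template markers such as <|assistantOverlap|>, closed or not.
  const controlTokens = [...new Set(
    [...sample.matchAll(/<\|([A-Za-z_]{1,40})/g)].map((m) => m[1]))];

  // Raw HTML tags (<h1>, <font ...>, <br />) that a renderer might interpret.
  const htmlTags = [...new Set(
    [...sample.matchAll(/<\/?([a-z][a-z0-9]*)\b[^>]*>/gi)].map((m) => m[1].toLowerCase()))];

  // Degenerate loop: a 2-40 character unit repeated back to back.
  const loopRe = new RegExp(`(.{2,40}?)\\1{${minRepeats - 1},}`, 's');
  const m = loopRe.exec(sample);
  const loop = m ? { unit: m[1], count: m[0].length / m[1].length } : null;

  return { controlTokens, htmlTags, loop,
    suspicious: controlTokens.length > 0 || htmlTags.length > 0 || loop !== null };
}

// Constructed sample shaped like the stored messages (not the real payload).
const constructedReply =
  '<h1>demo</h1>\n<|assistantOverlap|>hello<|assistantOverlap|>\n' +
  '<|assistantEnd' + 'Rewriter'.repeat(40);

const report = triageModelOutput(constructedReply);
console.log(report.controlTokens[0], report.htmlTags, report.loop);
console.log(escapeHtml('<font color="#d3d3d3">x</font>'));
```

A hit from this triage only says the reply is malformed or degenerate; it does not by itself distinguish a misbehaving fine-tune from a deliberate injection.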
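I sent the messages to Gemini and asked it to help me analyze whether this was an injection attack, and it also gave an affirmative answer:
Next, I checked the Activity page on OpenRouter, where all I could see was that the model's provider was Chutes:
Visiting the official chutes.ai website turned up nothing useful; I only learned that it is a serverless AI compute company where, after registering, you can deploy AI code and models.
But on Reddit I saw an interesting question:
Below it was a comment like this:
Then I took another careful look at the model I had chosen, "arliai/qwq-32b-arliai-rpr-v1:free", and only then realized that it is not a model released by Alibaba, but one trained and released by an organization called "ArliAI". The RpR stands for "RolePlay with Reasoning"! It places special emphasis on this "reasoning" ability and is designed specifically for people who enjoy role-play.
Hmm....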
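Finally
I do not have any substantive evidence to prove whether OpenRouter is really unsafe. After all the tinkering above I could not reach a valid conclusion, and when I asked this model questions again it answered normally, with nothing similar happening again.
Finally, I hope that when you use models, you use locally deployed ones wherever you can. If your machine really cannot handle running a large model, try to use the officially provided service, because after all, in many cases,
"what is free turns out to be the most expensive."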