registry  /  @fernado03/oh-my-pi-supreme-token-saver  /  1.2.1

@fernado03/oh-my-pi-supreme-token-saver@1.2.1

Three toggleable OMP extensions that save tokens: terse replies, compact shell output, and minimal code decisions — with a manual updater and dry-run support.

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 5 file(s), 56.0 KB of source, external domains: api.github.com, github.com, raw.githubusercontent.com

Source & flagged code

5 flagged · loading source
install-omp-addons.jsView file
12import os from "node:os"; L13: import { execFile } from "node:child_process"; L14: import readline from "node:readline";
High
Child Process

Package source references child process execution.

install-omp-addons.jsView on unpkg · L12
348if (IS_WINDOWS) { L349: await execP("powershell", ["Expand-Archive", "-Path", archivePath, "-DestinationPath", extractDir, "-Force"], L350: { timeout: 60000 });
High
Shell

Package source references shell execution.

install-omp-addons.jsView on unpkg · L348
5L6: import https from "node:https"; L7: import { fileURLToPath } from "node:url"; ... L12: import os from "node:os"; L13: import { execFile } from "node:child_process"; L14: import readline from "node:readline"; ... L16: const IS_WINDOWS = process.platform === "win32"; L17: const HOME = process.env.HOME || process.env.USERPROFILE || ""; L18:
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

install-omp-addons.jsView on unpkg · L5
matchType = previous_version_dangerous_delta matchedPackage = @fernado03/oh-my-pi-supreme-token-saver@1.2.0 matchedIdentity = npm:[redacted]:1.2.0 similarity = 0.400 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

install-omp-addons.jsView on unpkg
extensions/ai-addons-updater/index.jsView file
6L7: import https from "node:https"; L8: import { createHash } from "node:crypto"; ... L12: import os from "node:os"; L13: import { execFileSync } from "node:child_process"; L14: L15: const IS_WINDOWS = process.platform === "win32"; L16: const HOME = os.homedir(); L17: L18: const PONYTAIL_REMOTE = "https://raw.githubusercontent.[redacted].json"; L19: const PONYTAIL_LOCAL = path.join(HOME, ".omp", "plugins", "node_modules", "@dietrichgebert", "ponytail", "package.json"); ... L90: const remoteRaw = await httpsGet(PONYTAIL_REMOTE);
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

extensions/ai-addons-updater/index.jsView on unpkg · L6

Findings

5 High3 Medium4 Low
HighChild Processinstall-omp-addons.js
HighShellinstall-omp-addons.js
HighSame File Env Network Executioninstall-omp-addons.js
HighSandbox Evasion Gated Capabilityextensions/ai-addons-updater/index.js
HighPrevious Version Dangerous Deltainstall-omp-addons.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings