registry  /  @hasna/economy  /  0.2.43

@hasna/economy@0.2.43

AI coding cost tracker — CLI + MCP server + REST API + web dashboard for Claude Code, Codex, Gemini, OpenCode, Cursor, Pi, and Hermes

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedProtestwareTelemetryUrlStrings
Manifest
WildcardDependency
scanned 10 file(s), 1.82 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com, bit.ly, chatgpt.com, cursor.com, economy.hasna.xyz, github.com, radix-ui.com, react.dev, redux-toolkit.js.org, redux.js.org, www.w3.org

Source & flagged code

6 flagged · loading source
package.jsonView file
scripts.postinstall = mkdir -p $HOME/.hasna/economy/training 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = mkdir -p $HOME/.hasna/economy/training 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
dist/index.jsView file
516import { SqliteAdapter as Database } from "@hasna/cloud"; L517: import { execFileSync } from "child_process"; L518: import { copyFileSync, existsSync, mkdirSync, readdirSync, statSync } from "fs";
High
Child Process

Package source references child process execution.

dist/index.jsView on unpkg · L516
dist/storage.jsView file
36} L37: exec(sql) { L38: this.db.exec(sql); ... L573: function getMachineId() { L574: if (process.env["ECONOMY_MACHINE_ID"]) L575: return process.env["ECONOMY_MACHINE_ID"]; L576: const h = hostname().toLowerCase(); L577: if (h.startsWith("spark") || h.startsWith("apple")) ... L1387: return null; L1388: return { ...row, tags: JSON.parse(row["tags"] ?? "[]") }; L1389: } ... L1850: const candidates = [
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/storage.jsView on unpkg · L36
dist/cli/index.jsView file
9233const port = parseCliPort(opts.port ?? "3456", "--port"); L9234: const url = `http://localhost:${port}`; L9235: let serverRunning = false; ... L9241: console.log(chalk7.cyan(`\u2192 Starting economy server on port ${port}...`)); L9242: const { spawn } = await import("child_process"); L9243: const { resolve: resolve3, dirname: dirname4 } = await import("path"); ... L9247: stdio: "ignore", L9248: env: { ...process.env, ECONOMY_PORT: String(port) } L9249: });
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/cli/index.jsView on unpkg · L9233
dist/server/index.jsView file
517import { SqliteAdapter as Database } from "@hasna/cloud"; L518: import { execFileSync } from "child_process"; L519: import { copyFileSync, existsSync, mkdirSync, readdirSync, statSync } from "fs"; ... L544: function getMachineId() { L545: const envMachine = normalizeMachineId(process.env["ECONOMY_MACHINE_ID"]); L546: if (envMachine) L547: return envMachine; L548: const hostMachine = normalizeMachineId(hostname()) ?? "unknown"; L549: if (hostMachine === "mac" || hostMachine === "localhost") ... L1406: function listProjects(db) { L1407: return db.prepare(`SELECT * FROM projects ORDER BY created_at DESC`).all().map((row) => ({ ...row, tags: JSON.parse(row["tags"] ?? "[]") })); L1408: }
High
Credential Exfiltration

Source combines credential-like environment material and outbound requests; review data flow before blocking.

dist/server/index.jsView on unpkg · L517

Findings

5 High7 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processdist/index.js
HighShell
HighSame File Env Network Executiondist/cli/index.js
HighCredential Exfiltrationdist/server/index.js
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/storage.js
MediumProtestware
MediumStructural Risk Force Deep Review
MediumWildcard Dependency
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings