@ipv9/tokentracker-cli@0.39.20

Local-first token and cost dashboard for 22 AI coding tools, including Claude Code, Codex, Cursor, Gemini, Kiro, OpenCode, OpenClaw, Copilot, Antigravity, Zed, and Goose.

Static Scan Results

scanned 13h ago · by rust-scanner

Static analysis flagged 13 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence

public snapshot
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Minified, Url Strings
Manifest: No manifest risk signals triggered.
scanned 88 file(s), 3.17 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.kimi.com, api.openai.com, auth.kimi.com, auth.openai.com, base-ui.com, chatgpt.com, cloudcode-pa.googleapis.com, cursor.com, fonts.googleapis.com, github.com, ip.net.coffee, jcgt.org, local.tokentracker, oauth2.googleapis.com, open.er-api.com, raw.githubusercontent.com, reactjs.org, skills.sh, socket.io, srctyff5.us-east.insforge.app, tokentracker.statuspage.io, twitter.com, va.vercel-scripts.com, vercel.com, www.cursor.com, www.tokentracker.cc, www.w3.org

Source & flagged code

5 flagged
src/lib/claude-categorizer.js
L334: function defaultClaudeProjectsDir() {
L335:   return path.join(os.homedir(), ".claude", "projects");
L336: }
...
L511:   try {
L512:     obj = JSON.parse(line);
L513:   } catch (_e) {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

src/lib/claude-categorizer.js · L334
src/lib/proxy-env.js
package = @ipv9/tokentracker-cli; repositoryIdentity = tokentracker; dependency = undici
L106: // eslint-disable-next-line global-require
L107: const undici = require("undici");
L108: setter = setter || undici.setGlobalDispatcher;
High
Copied Package Dependency Bridge

Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

src/lib/proxy-env.js · L106
scripts/uninstall-local-service.sh
path = scripts/uninstall-local-service.sh kind = build_helper sizeBytes = 813 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

scripts/uninstall-local-service.sh
dashboard/dist/assets/geist-mono-cyrillic-500-normal-mNhfPmgl.woff
path = dashboard/dist/assets/geist-mono-cyrillic-500-normal-mNhfPmgl.woff kind = high_entropy_blob sizeBytes = 7352 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dashboard/dist/assets/geist-mono-cyrillic-500-normal-mNhfPmgl.woff
src/lib/cursor-config.js
patternName = generic_password severity = medium line = 75 matchedText = * - na...XXX"
Medium
Secret Pattern

Hardcoded password in src/lib/cursor-config.js

src/lib/cursor-config.js · L75

Findings

2 High · 5 Medium · 6 Low
High · Copied Package Dependency Bridge · src/lib/proxy-env.js
High · Ships High Entropy Blob · dashboard/dist/assets/geist-mono-cyrillic-500-normal-mNhfPmgl.woff
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · scripts/uninstall-local-service.sh
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/lib/cursor-config.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · src/lib/claude-categorizer.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings