registry  /  cctally  /  1.64.0

cctally@1.64.0

Claude Code usage tracker and local dashboard for Pro/Max subscription limits - weekly cost-per-percent trend, quota forecasts, threshold alerts. ccusage-compatible.

Static Scan Results

scanned 4h ago · by rust-scanner

Static analysis flagged 12 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessEnvironmentVarsFilesystemNetwork
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 3 file(s), 910 KB of source, external domains: github.com, reactjs.org, www.w3.org

Source & flagged code

4 flagged · loading source
package.jsonView file
scripts.postinstall = node ./bin/cctally-npm[redacted]
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
bin/_lib_render.pyView file
path = bin/_lib_render.py kind = build_helper sizeBytes = 130743 magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/_lib_render.pyView on unpkg
dashboard/static/assets/newsreader-latin-500-normal-DFwuUcdu.woffView file
path = [redacted]-latin-500-normal-DFwuUcdu.woff kind = high_entropy_blob sizeBytes = 29636 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dashboard/static/assets/newsreader-latin-500-normal-DFwuUcdu.woffView on unpkg
bin/cctally-npm-postinstall.jsView file
matchType = previous_version_dangerous_delta matchedPackage = cctally@1.60.0 matchedIdentity = npm:Y2N0YWxseQ:1.60.0 similarity = 0.667 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/cctally-npm-postinstall.jsView on unpkg

Findings

3 High4 Medium5 Low
HighInstall Time Lifecycle Scriptspackage.json
HighShips High Entropy Blobdashboard/static/assets/newsreader-latin-500-normal-DFwuUcdu.woff
HighPrevious Version Dangerous Deltabin/cctally-npm-postinstall.js
MediumNetwork
MediumEnvironment Vars
MediumShips Build Helperbin/_lib_render.py
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings