registry  /  chaching  /  1.13.0

chaching@1.13.0

⚠ Under review

Local multi-provider AI token spend dashboard for Claude Code, Codex, OpenCode, and Cursor.

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 15 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 40 file(s), 1.51 MB of source, external domains: api.cursor.com, datatracker.ietf.org, my.site, npmjs.com, svelte.dev, www.w3.org

Source & flagged code

6 flagged · loading source
dist/cli/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = chaching@1.12.0 matchedIdentity = npm:Y2hhY2hpbmc:1.12.0 similarity = 0.875 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/index.jsView on unpkg
6012import { createServer } from "net"; L6013: import { spawn } from "child_process"; L6014: import { existsSync as existsSync5 } from "fs";
High
Child Process

Package source references child process execution.

dist/cli/index.jsView on unpkg · L6012
6001const missingDep = code === "ERR_MODULE_NOT_FOUND" || code === "MODULE_NOT_FOUND" || /Cannot find (package|module) '(satori|@resvg\/resvg-js)'|ERR_MODULE_NOT_FOUND|MODULE_NOT_FOUND... L6002: process.stderr.write( L6003: "chaching wrapped: PNG export requires the brand renderer.\n" + (missingDep ? "Your install came without the PNG renderer dependencies. Install them with:\n npm i -g satori @resvg... ... L6011: init_theme(); L6012: import { createServer } from "net"; L6013: import { spawn } from "child_process"; L6014: import { existsSync as existsSync5 } from "fs";
High
Command Output Exfiltration

Source combines command execution, command-output handling, and outbound requests; review data flow before blocking.

dist/cli/index.jsView on unpkg · L6001
bin/chaching.jsView file
26if (existsSync(cliEntry)) { L27: await import(cliEntry); L28: // One-shot commands must be force-exited: the bundled graph (Ink/clack touch
Medium
Dynamic Require

Package source references dynamic require/import behavior.

bin/chaching.jsView on unpkg · L26
build/client/robots.txt.brView file
path = build/client/robots.txt.br kind = compressed_blob sizeBytes = 67 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

build/client/robots.txt.brView on unpkg
static/fonts/space-grotesk-latin-700-normal.woff2View file
path = static/fonts/space-grotesk-latin-700-normal.woff2 kind = high_entropy_blob sizeBytes = 12840 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

static/fonts/space-grotesk-latin-700-normal.woff2View on unpkg

Findings

1 Critical4 High5 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/cli/index.js
HighChild Processdist/cli/index.js
HighShell
HighCommand Output Exfiltrationdist/cli/index.js
HighShips High Entropy Blobstatic/fonts/space-grotesk-latin-700-normal.woff2
MediumDynamic Requirebin/chaching.js
MediumNetwork
MediumEnvironment Vars
MediumShips Compressed Blobbuild/client/robots.txt.br
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings