registry  /  token-trace-manager  /  0.7.2

token-trace-manager@0.7.2

Proxy local universal de rastreio de tokens de LLM para TUIs de código (Claude Code, Codex, OpenCode, Gemini CLI, Kilo...), com labels por tarefa, dashboard local e auto-link que preserva redirects prévios (z.ai/GLM/...).

AI Security Review

scanned 2h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package installs a first-party Claude plugin/MCP server and prompt hook when enabled by the host platform. Its daemon proxies local LLM traffic, persists payloads locally by default, and can optionally export usage telemetry to a configured OTLP endpoint. No install-time foreign control-surface mutation or confirmed exfiltration is established.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User enables the Claude plugin/MCP server or runs `ttm` commands such as `start` or `link`.
Impact
Prompt/task guidance is injected into Claude sessions; proxied request and response payloads may be retained locally, and configured OTLP telemetry leaves the machine.
Mechanism
Local LLM proxy with Claude hook/MCP lifecycle integration and optional telemetry export.
Rationale
Source inspection finds a package-aligned local observability proxy, but its automatic agent hook/MCP lifecycle, default payload retention, and explicit TUI reconfiguration create meaningful agent-extension and privacy risk. It lacks install-time abuse, stealthy persistence, remote payload execution, or unconsented exfiltration sufficient for a block.
Evidence
package.json.claude-plugin/plugin.json.mcp.jsonhooks/hooks.jsonhooks/ttm-task-guard.mjslib/mcp-server.mjslib/daemon.mjslib/link.mjslib/tui-config.mjslib/otel-export.mjslib/daemon-client.mjs
Network endpoints5
api.anthropic.comapi.openai.comgenerativelanguage.googleapis.comopenrouter.ai/api127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `.claude-plugin/plugin.json` registers an MCP server that executes `lib/mcp-server.mjs`.
  • `hooks/hooks.json` registers `UserPromptSubmit`; `hooks/ttm-task-guard.mjs` automatically adds task-label guidance and writes session markers.
  • `lib/mcp-server.mjs` starts a detached local daemon during MCP initialization.
  • `lib/link.mjs` and `lib/tui-config.mjs` can rewrite Claude Code, Codex, and OpenCode base-URL settings after explicit `ttm link`.
  • `lib/daemon.mjs` proxies LLM requests and, by default, stores request/response payload content locally.
  • `lib/otel-export.mjs` supports outbound OTLP export only when the user configures an endpoint.
Evidence against
  • `package.json` has no preinstall, install, or postinstall hook; only `prepublishOnly` runs tests.
  • `lib/daemon.mjs` binds the proxy exclusively to `127.0.0.1`.
  • No source-observed credential harvesting, remote code loading, eval/vm use, or arbitrary shell execution.
  • The only child processes are the package daemon, local dashboard opener, and fixed `git` context queries.
  • Payload persistence excludes request headers; comments and construction show API keys are not written to payload files.
  • External configuration rewrites occur through explicit `ttm link`/`ttm unlink`, not package installation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 17 file(s), 149 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.openai.com, generativelanguage.googleapis.com, openrouter.ai

Source & flagged code

1 flagged · loading source
bin/ttm.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = token-trace-manager@0.7.1 matchedIdentity = npm:dG9rZW4tdHJhY2UtbWFuYWdlcg:0.7.1 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

bin/ttm.mjsView on unpkg

Findings

1 High2 Medium5 Low
HighPrevious Version Dangerous Deltabin/ttm.mjs
MediumNetwork
MediumEnvironment Vars
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings