
tokentracker-cli@0.67.0

Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Gemini, Antigravity, Kiro, OpenCode, OpenClaw, Every Code, Hermes, GitHub Copilot, Kimi Code, CodeBuddy, WorkBuddy, Grok Build, oh-my-pi, pi, Craft Agents, Kilo CLI, Kilo Code, Roo Code, Z

Static Scan Results

scanned 18h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected.

Decision evidence (public snapshot)

Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 97 file(s), 3.66 MB of source, external domains: 1.1.1.1, 127.0.0.1, 2026.ip138.com, api.anthropic.com, api.github.com, api.kimi.com, api.openai.com, auth.kimi.com, auth.openai.com, chatgpt.com, claude.ai, cli-chat-proxy.grok.com, cloudcode-pa.googleapis.com, cursor.com, fonts.googleapis.com, github.com, ip.net.coffee, jcgt.org, local.tokentracker, my.ip.cn, oauth2.googleapis.com, open.er-api.com, opencode.ai, raw.githubusercontent.com, reactjs.org, skills.sh, socket.io, srctyff5.us-east.insforge.app, tokentracker.statuspage.io, twitter.com, va.vercel-scripts.com, vercel.com, www.cursor.com, www.tokentracker.cc, www.w3.org, zcode.z.ai

Source & flagged code

8 flagged
dashboard/dist/assets/main-V7ji8RkP.js · L42
patternName = supabase_service_key; severity = critical; line = 42; matchedText = `);i=d.p...atus
Critical · Critical Secret
Package contains a critical-looking secret pattern.

dashboard/dist/assets/main-V7ji8RkP.js · L42
patternName = supabase_service_key; severity = critical; line = 42; matchedText = `);i=d.p...atus
Critical · Secret Pattern
Supabase service role key (JWT) in dashboard/dist/assets/main-V7ji8RkP.js

src/lib/claude-categorizer.js · L334
L334: function defaultClaudeProjectsDir() {
L335:   return path.join(os.homedir(), ".claude", "projects");
L336: }
...
L511:     try {
L512:       obj = JSON.parse(line);
L513:     } catch (_e) {
Low · Weak Crypto
Package source references weak cryptographic algorithms.

src/lib/proxy-env.js · L106
package = tokentracker-cli; repositoryIdentity = tokentracker; dependency = undici
L106: // eslint-disable-next-line global-require
L107: const undici = require("undici");
L108: setter = setter || undici.setGlobalDispatcher;
High · Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2
path = dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2; kind = high_entropy_blob; sizeBytes = 7164; magicHex = [redacted]
High · Ships High Entropy Blob
Package ships high-entropy non-source blobs.

dashboard/dist/assets/DevicePage-vyJEBiMw.js · L1
patternName = supabase_service_key; severity = critical; line = 1; matchedText = import{Y...lt};
Critical · Secret Pattern
Supabase service role key (JWT) in dashboard/dist/assets/DevicePage-vyJEBiMw.js

src/lib/cursor-config.js · L75
patternName = generic_password; severity = medium; line = 75; matchedText = * - na...XXX"
Medium · Secret Pattern
Hardcoded password in src/lib/cursor-config.js

src/lib/runtime-config.js · L11
patternName = supabase_service_key; severity = critical; line = 11; matchedText = "eyJhbGc...QY";
Critical · Secret Pattern
Supabase service role key (JWT) in src/lib/runtime-config.js

Findings

4 Critical · 2 High · 4 Medium · 6 Low

Critical · Critical Secret · dashboard/dist/assets/main-V7ji8RkP.js
Critical · Secret Pattern · dashboard/dist/assets/main-V7ji8RkP.js
Critical · Secret Pattern · dashboard/dist/assets/DevicePage-vyJEBiMw.js
Critical · Secret Pattern · src/lib/runtime-config.js
High · Copied Package Dependency Bridge · src/lib/proxy-env.js
High · Ships High Entropy Blob · dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/lib/cursor-config.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · src/lib/claude-categorizer.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings