
tokentracker-cli@0.68.1

Token usage tracker for AI agent CLIs (Claude Code, Codex, Cursor, Gemini, Antigravity, Kiro, OpenCode, OpenClaw, Every Code, Hermes, GitHub Copilot, Kimi Code, CodeBuddy, WorkBuddy, Grok Build, oh-my-pi, pi, Craft Agents, Kilo CLI, Kilo Code, Roo Code, Z

Static Scan Results

scanned 2h ago · by rust-scanner

Static analysis flagged 17 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
One or more suspicious static signals were detected; the diff against the previous stored version introduced dangerous source.

Decision evidence

Public snapshot
Behavioral surface
  Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, Minified, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 99 file(s), 3.67 MB of source, external domains: 1.1.1.1, 127.0.0.1, 2026.ip138.com, api.anthropic.com, api.github.com, api.kimi.com, api.openai.com, auth.kimi.com, auth.openai.com, chatgpt.com, claude.ai, cli-chat-proxy.grok.com, cloudcode-pa.googleapis.com, cursor.com, fonts.googleapis.com, github.com, ip.net.coffee, jcgt.org, local.tokentracker, my.ip.cn, oauth2.googleapis.com, open.er-api.com, opencode.ai, raw.githubusercontent.com, reactjs.org, skills.sh, socket.io, srctyff5.us-east.insforge.app, tokentracker.statuspage.io, twitter.com, va.vercel-scripts.com, vercel.com, www.cursor.com, www.tokentracker.cc, www.w3.org, zcode.z.ai

Source & flagged code

9 flagged

dashboard/dist/assets/main-BS4wXJQk.js
patternName = supabase_service_key severity = critical line = 42 matchedText = `);i=d.p...atus
Critical · Critical Secret
Package contains a critical-looking secret pattern.

dashboard/dist/assets/main-BS4wXJQk.js
patternName = supabase_service_key severity = critical line = 42 matchedText = `);i=d.p...atus
Critical · Secret Pattern
Supabase service role key (JWT) in dashboard/dist/assets/main-BS4wXJQk.js

src/lib/claude-categorizer.js
L334: function defaultClaudeProjectsDir() {
L335:   return path.join(os.homedir(), ".claude", "projects");
L336: }
...
L511:   try {
L512:     obj = JSON.parse(line);
L513:   } catch (_e) {
Low · Weak Crypto
Package source references weak cryptographic algorithms.

src/lib/proxy-env.js
package = tokentracker-cli; repositoryIdentity = tokentracker; dependency = undici
L106:   // eslint-disable-next-line global-require
L107:   const undici = require("undici");
L108:   setter = setter || undici.setGlobalDispatcher;
High · Copied Package Dependency Bridge
Package metadata claims a different repository identity while copied source loads a runtime dependency bridge.

dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2
path = dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2 kind = high_entropy_blob sizeBytes = 7164 magicHex = [redacted]
High · Ships High Entropy Blob
Package ships high-entropy non-source blobs.

src/commands/serve.js
matchType = previous_version_dangerous_delta matchedPackage = tokentracker-cli@0.68.0 matchedIdentity = npm:dG9rZW50cmFja2VyLWNsaQ:0.68.0 similarity = 0.980 summary = stored previous version shares package body but lacks this dangerous source file
High · Previous Version Dangerous Delta
This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dashboard/dist/assets/DevicePage-BGkZILd3.js
patternName = supabase_service_key severity = critical line = 1 matchedText = import{Y...lt};
Critical · Secret Pattern
Supabase service role key (JWT) in dashboard/dist/assets/DevicePage-BGkZILd3.js

src/lib/cursor-config.js
patternName = generic_password severity = medium line = 75 matchedText = * - na...XXX"
Medium · Secret Pattern
Hardcoded password in src/lib/cursor-config.js

src/lib/runtime-config.js
patternName = supabase_service_key severity = critical line = 11 matchedText = "eyJhbGc...QY";
Critical · Secret Pattern
Supabase service role key (JWT) in src/lib/runtime-config.js

Findings

4 Critical · 3 High · 4 Medium · 6 Low

Critical · Critical Secret · dashboard/dist/assets/main-BS4wXJQk.js
Critical · Secret Pattern · dashboard/dist/assets/main-BS4wXJQk.js
Critical · Secret Pattern · dashboard/dist/assets/DevicePage-BGkZILd3.js
Critical · Secret Pattern · src/lib/runtime-config.js
High · Copied Package Dependency Bridge · src/lib/proxy-env.js
High · Ships High Entropy Blob · dashboard/dist/assets/geist-mono-latin-ext-900-normal-DvYIGD1f.woff2
High · Previous Version Dangerous Delta · src/commands/serve.js
Medium · Network
Medium · Environment Vars
Medium · Structural Risk Force Deep Review
Medium · Secret Pattern · src/lib/cursor-config.js
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Weak Crypto · src/lib/claude-categorizer.js
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings