registry  /  tokmon  /  0.20.5

tokmon@0.20.5

⚠ Under review

Terminal + web dashboard for Claude Code, Codex, Cursor, opencode, pi, Copilot, Gemini & more — usage, limits, and costs

Static Scan Results

scanned 9d ago · by rust-scanner

Static analysis flagged 15 finding(s) at 86.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 15 file(s), 1.27 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com, api2.cursor.sh, chatgpt.com, cloudcode-pa.googleapis.com, daily-cloudcode-pa.googleapis.com, davidilie.com, fb.me, github.com, nuqs.dev, oauth2.googleapis.com, reactjs.org, www.w3.org

Source & flagged code

5 flagged · loading source
dist/web/assets/index-B9eW55YB.jsView file
83`)}const bO=CO();function _O(e){let t=e.message;if(e.path&&e.path.length>0){const n=zN(e.path);t+=` L84: at ${n}`}return t}function pl(e){switch(e._tag){case"InvalidType":case"OneOf":case"Composite":case"AnyOf":return Ea(e.ast.annotations);case"InvalidValue":case"Forbidden":return Ea(... L85: * table-core
High
Eval

Package source references dynamic code evaluation.

dist/web/assets/index-B9eW55YB.jsView on unpkg · L83
83`)}const bO=CO();function _O(e){let t=e.message;if(e.path&&e.path.length>0){const n=zN(e.path);t+=` L84: at ${n}`}return t}function pl(e){switch(e._tag){case"InvalidType":case"OneOf":case"Composite":case"AnyOf":return Ea(e.ast.annotations);case"InvalidValue":case"Forbidden":return Ea(... L85: * table-core
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web/assets/index-B9eW55YB.jsView on unpkg · L83
dist/chunk-EHIQHGJL.jsView file
17try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L193: try { L194: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L195: for (const [path, s] of Object.entries(obj)) { ... L527: // src/providers/cursor/sqlite.ts L528: import { execFile as execFileCb } from "child_process"; L529: import { accessSync, constants } from "fs"; ... L586: const names = process.platform === "win32" ? ["sqlite3.exe", "sqlite3.cmd", "sqlite3.bat"] : ["sqlite3"]; L587: for (const dir of (process.env.PATH ?? "").split(delimiter).filter(Boolean)) { L588: for (const name of names) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-EHIQHGJL.jsView on unpkg · L17
17Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/bootstrap-ink-MVH5QEVR.js -> dist/chunk-EHIQHGJL.js L17: try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L193: try { L194: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L195: for (const [path, s] of Object.entries(obj)) { ... L527: // src/providers/cursor/sqlite.ts L528: import { execFile as execFileCb } from "child_process"; L529: import { accessSync, constants } from "fs"; ... L586: const names = process.platform === "win32" ? ["sqlite3.exe", "sqlite3.cmd", "sqlite3.bat"] : ["sqlite3"]; L587: for (const dir of (process.env.PATH ?? "").split(delimiter).filter(Boolean)) { L588: for (const name of names) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-EHIQHGJL.jsView on unpkg · L17
dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView file
path = dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff kind = high_entropy_blob sizeBytes = 10128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView on unpkg

Findings

2 Critical2 High5 Medium6 Low
CriticalCredential Exfiltrationdist/chunk-EHIQHGJL.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-EHIQHGJL.js
HighEvaldist/web/assets/index-B9eW55YB.js
HighShips High Entropy Blobdist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff
MediumDynamic Requiredist/web/assets/index-B9eW55YB.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings