registry  /  tokmon  /  0.22.5

tokmon@0.22.5

Terminal + web dashboard for Claude Code, Codex, Cursor, opencode, pi, Copilot, Gemini & more — usage, limits, and costs

AI Security Review

scanned 9h ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a user-invoked AI usage dashboard that reads local usage/auth state and calls provider APIs for billing/quota data.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs `tokmon` or `tokmon serve`.
Impact
Local credentials are used against their corresponding service APIs; no off-domain exfiltration or install-time mutation confirmed.
Mechanism
Local usage monitoring with vendor API polling
Rationale
Static inspection shows sensitive local reads and network calls are aligned with tokmon's documented usage/quota dashboard purpose and are only activated by user-run entrypoints. With no lifecycle hooks, attacker endpoint, credential exfiltration sink, destructive behavior, or agent control-surface mutation, the scanner's malicious label appears noisy.
Evidence
package.jsonREADME.mddist/cli.jsdist/daemon-handle-HLSKLMWU.jsdist/daemon-ATXHNYTK.jsdist/chunk-AQNFQRWV.jsdist/chunk-QTHCHB7S.js~/.config/tokmon/config.json~/.cache/tokmon~/Library/Caches/tokmon~/.claude/.credentials.json~/.claude.json~/.codex/auth.jsonCursor/User/globalStorage/state.vscdb~/.config/gh/hosts.yml~/.gemini/oauth_creds.json
Network endpoints12
api2.cursor.sh/aiserver.v1.DashboardService/GetCurrentPeriodUsageapi2.cursor.sh/aiserver.v1.DashboardService/GetPlanInfoapi2.cursor.sh/aiserver.v1.DashboardService/GetCreditGrantsBalancecursor.com/api/auth/stripeapi.anthropic.com/api/oauth/profileapi.anthropic.com/api/oauth/usagechatgpt.com/backend-api/wham/usagechatgpt.com/backend-api/wham/rate-limit-reset-creditsapi.github.com/copilot_internal/useroauth2.googleapis.com/tokendaily-cloudcode-pa.googleapis.comcloudcode-pa.googleapis.com

Decision evidence

public snapshot
AI called this Clean at 88.0% confidence as Benign with low false-positive risk.
Evidence for block
  • Reads local AI-tool credentials to query quota/billing APIs at runtime
  • Uses child_process for daemon spawn, browser open, macOS keychain, and locating Gemini/npm
  • Writes package-owned config/cache/daemon files under tokmon dirs
Evidence against
  • package.json has no preinstall/install/postinstall lifecycle hooks
  • bin dist/cli.js only runs on user invocation and starts TUI/daemon
  • Credential-bearing requests go to matching vendor APIs, not attacker-owned endpoints
  • README documents reading local provider data and live quota APIs
  • No broad AI-agent config mutation, persistence, destructive action, or remote payload loading found
  • Font blobs/web assets appear package UI assets, not executed payloads
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 1.33 MB of source, external domains: 127.0.0.1, api.anthropic.com, api.github.com, api.openai.com, api2.cursor.sh, chatgpt.com, cloudcode-pa.googleapis.com, cursor.com, davidilie.com, fb.me, github.com, nuqs.dev, oauth2.googleapis.com, promoclock.co, reactjs.org, www.w3.org

Source & flagged code

3 flagged · loading source
dist/chunk-AQNFQRWV.jsView file
17try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L216: try { L217: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L218: for (const [path, s] of Object.entries(obj)) { ... L611: // src/providers/cursor/sqlite.ts L612: import { execFile as execFileCb } from "child_process"; L613: import { accessSync, constants } from "fs"; ... L670: const names = process.platform === "win32" ? ["sqlite3.exe", "sqlite3.cmd", "sqlite3.bat"] : ["sqlite3"]; L671: for (const dir of (process.env.PATH ?? "").split(delimiter).filter(Boolean)) { L672: for (const name of names) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-AQNFQRWV.jsView on unpkg · L17
17Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/bootstrap-ink-TWFRIEBW.js -> dist/chunk-AQNFQRWV.js L17: try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L216: try { L217: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L218: for (const [path, s] of Object.entries(obj)) { ... L611: // src/providers/cursor/sqlite.ts L612: import { execFile as execFileCb } from "child_process"; L613: import { accessSync, constants } from "fs"; ... L670: const names = process.platform === "win32" ? ["sqlite3.exe", "sqlite3.cmd", "sqlite3.bat"] : ["sqlite3"]; L671: for (const dir of (process.env.PATH ?? "").split(delimiter).filter(Boolean)) { L672: for (const name of names) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-AQNFQRWV.jsView on unpkg · L17
dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView file
path = dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff kind = high_entropy_blob sizeBytes = 10128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView on unpkg

Findings

2 Critical1 High5 Medium7 Low
CriticalCredential Exfiltrationdist/chunk-AQNFQRWV.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-AQNFQRWV.js
HighShips High Entropy Blobdist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff
MediumDynamic Require
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings