registry  /  tokmon  /  0.22.7

tokmon@0.22.7

⚠ Under review

Terminal + web dashboard for Claude Code, Codex, Cursor, Grok, opencode, pi, Copilot, Gemini & more — usage, limits, and costs

Static Scan Results

scanned 3h ago · by rust-scanner

Static analysis flagged 16 finding(s) at 93.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source

Decision evidence

public snapshot
Behavioral surface
Source
ChildProcessCryptoDynamicRequireEnvironmentVarsEvalFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedProtestwareTelemetryUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 1.33 MB of source, external domains: 127.0.0.1, accounts.x.ai, api.anthropic.com, api.github.com, api.openai.com, api2.cursor.sh, auth.x.ai, chatgpt.com, cloudcode-pa.googleapis.com, cursor.com, davidilie.com, fb.me, github.com, grok.com, nuqs.dev, oauth2.googleapis.com, promoclock.co, reactjs.org, www.w3.org

Source & flagged code

6 flagged · loading source
dist/web/assets/index-ygZyXDLT.jsView file
151`)}const Xme=Kme();function Yme(e){let t=e.message;if(e.path&&e.path.length>0){const n=ffe(e.path);t+=` L152: at ${n}`}return t}function md(e){switch(e._tag){case"InvalidType":case"OneOf":case"Composite":case"AnyOf":return Bc(e.ast.annotations);case"InvalidValue":case"Forbidden":return Bc(... L153: * table-core
High
Eval

Package source references dynamic code evaluation.

dist/web/assets/index-ygZyXDLT.jsView on unpkg · L151
68H`).concat(Nr,"M").concat(2*u,",").concat(o,` L69: A`).concat(a,",").concat(a,",0,1,1,").concat(u,",").concat(o),className:"recharts-legend-icon"});if(r.type==="rect")return H.createElement("path",{stroke:"none",fill:c,d:"M0,".conc... L70: In order to be iterable, non-array objects must have a [Symbol.iterator]() method.`)}function LY(e,t){if(e){if(typeof e=="string")return d$(e,t);var n=Object.prototype.toString.cal...
Medium
Dynamic Require

Package source references dynamic require/import behavior.

dist/web/assets/index-ygZyXDLT.jsView on unpkg · L68
dist/chunk-I4USANOF.jsView file
17try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L216: try { L217: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L218: for (const [path, s] of Object.entries(obj)) { ... L583: } L584: const home = homedir(); L585: const dirs = [join2(home, ".claude")]; ... L594: if (appData) dirs.push(join2(appData, "claude")); L595: if (process.env.CLAUDE_CONFIG_DIR) { L596: for (const p of process.env.CLAUDE_CONFIG_DIR.split(process.platform === "win32" ? ";" : ",")) {
Critical
Credential Exfiltration

Source appears to send environment or credential material to an external endpoint.

dist/chunk-I4USANOF.jsView on unpkg · L17
17Trigger-reachable chain: manifest.bin -> dist/cli.js -> dist/daemon-IP3UCTPB.js -> dist/chunk-I4USANOF.js L17: try { L18: return Intl.DateTimeFormat().resolvedOptions().timeZone || "UTC"; L19: } catch { ... L216: try { L217: const obj = JSON.parse(await readFile(cacheFile(), "utf-8")); L218: for (const [path, s] of Object.entries(obj)) { ... L583: } L584: const home = homedir(); L585: const dirs = [join2(home, ".claude")]; ... L594: if (appData) dirs.push(join2(appData, "claude")); L595: if (process.env.CLAUDE_CONFIG_DIR) { L596: for (const p of process.env.CLAUDE_CONFIG_DIR.split(process.platform === "win32" ? ";" : ",")) {
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/chunk-I4USANOF.jsView on unpkg · L17
dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView file
path = dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff kind = high_entropy_blob sizeBytes = 10128 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woffView on unpkg
dist/bootstrap-ink-OHPQZKGB.jsView file
matchType = previous_version_dangerous_delta matchedPackage = tokmon@0.22.5 matchedIdentity = npm:dG9rbW9u:0.22.5 similarity = 0.786 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/bootstrap-ink-OHPQZKGB.jsView on unpkg

Findings

3 Critical2 High5 Medium6 Low
CriticalCredential Exfiltrationdist/chunk-I4USANOF.js
CriticalTrigger Reachable Dangerous Capabilitydist/chunk-I4USANOF.js
CriticalPrevious Version Dangerous Deltadist/bootstrap-ink-OHPQZKGB.js
HighEvaldist/web/assets/index-ygZyXDLT.js
HighShips High Entropy Blobdist/web/assets/jetbrains-mono-latin-ext-400-normal-fXTG6kC5.woff
MediumDynamic Requiredist/web/assets/index-ygZyXDLT.js
MediumNetwork
MediumEnvironment Vars
MediumProtestware
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings