Is Hackatime safe?

Findings

Contains Vulnerability (CVSS Critical)

Flags items that contain or rely on components with critical severity vulnerabilities, as identified by sources such as Google OSV and NVD. These vulnerabilities may expose the item to exploitation, including risks like backdoors, privilege escalation, or data compromise.

medium

Unverified Publisher

Flags items published by entities that haven’t gone through the publisher verification process of the marketplace. Lack of verification may indicate higher risk, as the publisher’s identity and trustworthiness are unconfirmed.

medium

Contains Vulnerability (CVSS High)

Flags items that contain or rely on components with high-severity vulnerabilities, as identified by sources such as Google OSV and NVD. These vulnerabilities may expose the item to exploitation, including risks like backdoors, privilege escalation, or data compromise.

low

All findings are available for Enterprise users

Code analysis

AI-powered analysis of the extension's source code for security insights and risk assessment.

This VSCode extension named "Hackatime" provides an interactive dashboard to visualize coding statistics using data from the Hackatime API, which is compatible with Wakatime data. It fetches user coding activity summaries and displays them in various charts within a WebView panel.

Key Functionalities and API Calls

Reading Local Configuration: Reads the .wakatime.cfg file from the user's home directory to extract an API key.

const wakatimeFilePath = path.join(homeDir, '.wakatime.cfg');
const fileContent = fs.readFileSync(wakatimeFilePath, 'utf-8');
const apiKeyMatch = fileContent.match(/api_key\s*=\s*(.+)/);

Network Communication: Makes an authenticated GET request to https://waka.hackclub.com/api/compat/wakatime/v1/users/current/summaries with query parameters to fetch coding summaries.

axios.get(`https://waka.hackclub.com/api/compat/wakatime/v1/users/current/summaries?${params.toString()}`, {
  headers: { Accept: 'application/json', Authorization: authorizationHeader }
});

WebView UI: Creates a WebView panel with embedded HTML/JavaScript that uses Chart.js to render doughnut and pie charts for languages, categories, editors, and projects.
Data Aggregation: Aggregates multiple days of data into a single summary for display.

Filesystem Activity

Reads the .wakatime.cfg file from the user's home directory.

Network Activity

Sends HTTPS GET requests to https://waka.hackclub.com to retrieve user coding statistics.

Process Execution

No evidence of spawning new processes or executing shell/PowerShell commands.

Obfuscation

The code is not obfuscated; it is straightforward and readable.

Persistence

No mechanisms for persistence or autostart detected.

Privilege Escalation

No requests or usage of elevated privileges.

Data Exfiltration

Data is sent only as authenticated requests to a known API endpoint to fetch user coding stats; no suspicious data exfiltration observed.

Registry and User Operations

No Windows Registry read/write or user account creation.

Clipboard Access

No clipboard access or monitoring.

Summary

The extension reads a local config file to obtain an API key, fetches coding activity data from a remote API, and displays it in a user-friendly dashboard within VSCode. It does not perform any suspicious or malicious operations.

API Calls

API calls detected through static analysis of the source code. For more accurate insights, explore our sandbox dynamic analysis.

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

API CALLS ARE AVAILABLE FOR ENTERPRISE USERS

Secrets

Any encoded/decoded secrets we managed to find in the source code, git repository, or related files

high

Enterprise Only

medium

Enterprise Only

low

Enterprise Only

SECRETS ARE AVAILABLE FOR ENTERPRISE USERS

Vulnerabilities

Known vulnerabilities and security issues detected in the extension's dependencies and code.

GHSA-fjxv-7rqg-78g4

form-data uses unsafe random function in form-data for choosing boundary

CVSS:

9.4

GHSA-jr5f-v2jv-69x6

axios Requests Vulnerable To Possible SSRF and Credential Leakage via Absolute URL

CVSS:

7.7

GHSA-4hjh-wcwx-xvwj

Axios is vulnerable to DoS attack through lack of data size check

CVSS:

7.5

All vulnerabilities are available for Enterprise users

External communication

Any identifiers we detected that may indicate external communication from the item's code

https://waka.hackclub.com/api/compat/wakatime/v1/users/current/summaries?range=today

https://cdnjs.cloudflare.com/ajax/libs/Chart.js/3.7.0/chart.min.js

extension/out/extension.js

https://waka.hackclub.com/api/compat/wakatime/v1/users/current/summaries?$

extension/out/extension.js

All external communications are available for Enterprise users

Dependencies

Dependencies and third-party libraries used by the extension, including version information and license details.

moment

Version:

2.30.1

@types/chart.js

Version:

Unknown

@types/mocha

Version:

Unknown

All dependencies are available for Enterprise users

Licenses & Compliance

Licenses

Apache License 2.0

View License

Apache License Version 2.0, January 2004 http://www.apache.org/licenses/ TERMS AND CONDITIONS FOR USE, REPRO...