AI Security Review
scanned 4d ago · by lpm-firewall-ai
No install-time malware was confirmed. The main risk is a memory MCP server whose tool metadata encourages agents to persist conversation text to Cosmos automatically, plus user-invoked local data sync commands.
Decision evidence
public snapshot
- dist/tools/index.js tool description tells agents to call cosmos_capture_turn at the end of every substantive exchange without being asked
- dist/client/cosmos.js sends tool payloads to Cosmos API with X-MCP-Key/X-System-Key auth headers
- dist/sources/imessage/sync.js, browser/cli.js, claude-desktop/sync.js, and shell-history/sync.js upload local messages/history/sessions/commands when invoked
- dist/CosmosSync.zip and dist/CosmosSync.app ship macOS binaries, limiting full source auditability
- package.json postinstall only runs npm rebuild better-sqlite3 and ignores failure
- bin/cosmos-mcp.js child_process use is for macOS keychain, LaunchServices handler, native rebuild/reexec, and subcommand dispatch
- Network endpoints are consistent with the package's Cosmos memory/sync purpose
- Persistence via launchd daemon is behind explicit daemon/menu install commands, not package install/import
- No install-time credential harvesting or automatic import-time exfiltration found
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- This package version adds a dangerous source file absent from the previous stored version. (bin/cosmos-mcp.js)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js, line 9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js, line 6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js, line 1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/auth/bootstrap.js, line 1)
- Package ships compressed or archive-like blobs. (dist/CosmosSync.zip)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/CosmosSync.zip)