AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was found. The package has privacy-sensitive, user-invoked sync and MCP memory features, but they are aligned with its stated personal knowledge graph purpose and not triggered silently at install/import.
Decision evidence
public snapshot
- dist/tools/index.js instructs agents to call cosmos_capture_turn at the end of substantive exchanges.
- User-invoked sync commands can read local Claude sessions, shell history, browser/calendar/iMessage data and POST them to Cosmos.
- dist/daemon/manage.js can install a macOS LaunchAgent for background sync when enabled from settings.
- package.json postinstall only runs npm rebuild better-sqlite3; no install-time network or data collection found.
- bin/cosmos-mcp.js child_process use is for macOS keychain, npm rebuild/reexec, URL handler registration, and user-invoked subcommands.
- dist/server.js starts an MCP stdio server and only handles listed tool calls; no import-time exfiltration found.
- Network destinations are package-aligned Cosmos/Ollama/registry endpoints and use configured user keys.
- Persistent files are documented app state/token/LaunchAgent paths created by init/provision/settings/daemon actions.
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js · L9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js · L6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js · L1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/auth/bootstrap.js · L1)
- Package ships compressed or archive-like blobs. (dist/CosmosSync.zip)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/CosmosSync.zip)
- Package ships high-entropy non-source blobs. (dist/CosmosSync.app/Contents/Resources/AppIcon.icns)
- This package version adds a dangerous source file absent from the previous stored version. (dist/settings/server.js)