@polarity-lab/cosmos-mcp@0.9.16

MCP server for the Polarity exocortex. Read and write your personal knowledge graph from any LLM client.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package has privacy-sensitive, user-invoked sync and MCP memory features, but they are aligned with its stated personal knowledge graph purpose and not triggered silently at install/import.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs cosmos-mcp init/provision/sync/settings/daemon or an MCP client calls listed tools.
Impact
Can upload selected conversation/local activity data when configured and invoked; no unconsented lifecycle exfiltration observed.
Mechanism
User-authorized MCP memory and local data sync to Cosmos APIs
Rationale
Static inspection found dangerous primitives and privacy-sensitive sync features, but they are tied to documented user commands/settings/MCP tool calls and package-aligned Cosmos endpoints. The install hook does not execute package code beyond rebuilding better-sqlite3, and no silent credential harvesting, persistence, destructive behavior, or unrelated exfiltration was found.
Evidence
  • package.json
  • bin/cosmos-mcp.js
  • dist/server.js
  • dist/tools/index.js
  • dist/client/cosmos.js
  • dist/config.js
  • dist/daemon/manage.js
  • dist/settings/server.js
  • dist/sources/claude-desktop/sync.js
  • dist/sources/shell-history/sync.js
  • ~/.config/cosmos-mcp/token
  • ~/.cosmos/*-state.json
  • ~/Library/LaunchAgents/com.polaritylab.cosmos-sync.plist
  • ~/Library/Application Support/cosmos-mcp/cosmos-mcp-handler.app
  • ~/.claude/projects
  • ~/.zsh_history
  • ~/.bash_history
  • ~/Library/Messages/chat.db
Network endpoints (3)
  • cosmos.polarity-lab.com
  • registry.npmjs.org/@polarity-lab/cosmos-mcp/latest
  • 127.0.0.1:11434

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/tools/index.js instructs agents to call cosmos_capture_turn at the end of substantive exchanges.
  • User-invoked sync commands can read local Claude sessions, shell history, browser/calendar/iMessage data and POST them to Cosmos.
  • dist/daemon/manage.js can install a macOS LaunchAgent for background sync when enabled from settings.
Evidence against
  • package.json postinstall only runs npm rebuild better-sqlite3; no install-time network or data collection found.
  • bin/cosmos-mcp.js child_process use is for macOS keychain, npm rebuild/reexec, URL handler registration, and user-invoked subcommands.
  • dist/server.js starts an MCP stdio server and only handles listed tool calls; no import-time exfiltration found.
  • Network destinations are package-aligned Cosmos/Ollama/registry endpoints and use configured user keys.
  • Persistent files are documented app state/token/LaunchAgent paths created by init/provision/settings/daemon actions.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 46 file(s), 251 KB of source, external domains: 127.0.0.1, cosmos.polarity-lab.com, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

11 flagged
package.json
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/cosmos-mcp.js
    L9:
    L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
    L11: import { createRequire } from "node:module";
High
Child Process

Package source references child process execution.

bin/cosmos-mcp.js · L9
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
    L9:
    L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
    L11: import { createRequire } from "node:module";
    ...
    L19: const __filename = fileURLToPath(import.meta.url);
    L20: const __dirname = dirname(__filename);
    L21: const PACKAGE_ROOT = join(__dirname, "..");
    ...
    L26: const KEYCHAIN_SERVICE = "cosmos-mcp-key";
    L27: const DEFAULT_COSMOS_URL = process.env.COSMOS_BASE_URL || process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
    L28:
    ...
    L140: if (!node) {
    L141: process.stderr.write(
    L142: "better-sqlite3 was built for a different Node.js than the one running.\n\n" +
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cosmos-mcp.js · L9
    L6: // are tiny and because they must not depend on the rest of the build being
    L7: // present (e.g. `npx -y @polarity-lab/cosmos-mcp provision pmk_xxx` on a fresh
    L8: // install should not fail because better-sqlite3 hasn't been gyp-rebuilt yet).
    L9:
    L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
    L11: import { createRequire } from "node:module";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cosmos-mcp.js · L6
dist/daemon/manage.js
    L1: import { execFileSync, spawnSync } from "node:child_process";
    L2: import { chmodSync, existsSync, mkdirSync, writeFileSync } from "node:fs";
    ...
    L8: const blocks = [
    L9: "#!/bin/bash",
    L10: `# cosmos-mcp daemon runner. Invoked by launchd every ${mins} minutes.`,
    ...
    L74: if (existsSync(paths.plistPath)) {
    L75: const r = spawnSync("/bin/launchctl", ["list", DAEMON_LABEL], { encoding: "utf8" });
    L76: loaded = r.status === 0;
    ...
    L138: if (loadRes.status !== 0) {
    L139: return { ok: false, error: `launchctl load failed: ${(loadRes.stderr || "").trim()}` };
    L140: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/manage.js · L1
dist/auth/bootstrap.js
    L1: import { createServer } from "node:http";
    L2: import { writeFileSync, mkdirSync, chmodSync } from "node:fs";
    L3: import { randomBytes } from "node:crypto";
    L4: import { execFile } from "node:child_process";
    L5: import { TOKEN_PATHS } from "../config.js";
    L6: const DEFAULT_COSMOS_URL = process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
    L7: export async function runBootstrap() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/auth/bootstrap.js · L1
dist/CosmosSync.zip
path = dist/CosmosSync.zip kind = compressed_blob sizeBytes = 50245 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/CosmosSync.zip
path = dist/CosmosSync.zip kind = nested_archive_needs_inspection sizeBytes = 50245 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/CosmosSync.zip
dist/CosmosSync.app/Contents/Resources/AppIcon.icns
path = dist/CosmosSync.app/Contents/Resources/AppIcon.icns kind = high_entropy_blob sizeBytes = 81223 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/CosmosSync.app/Contents/Resources/AppIcon.icns
dist/settings/server.js
matchType = previous_version_dangerous_delta matchedPackage = @polarity-lab/cosmos-mcp@0.9.15 matchedIdentity = npm:[redacted]:0.9.15 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

dist/settings/server.js

Findings

1 Critical · 7 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/settings/server.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/cosmos-mcp.js
High · Shell
High · Entrypoint Build Divergence · bin/cosmos-mcp.js
High · Same File Env Network Execution · dist/auth/bootstrap.js
High · Runtime Package Install · bin/cosmos-mcp.js
High · Ships High Entropy Blob · dist/CosmosSync.app/Contents/Resources/AppIcon.icns
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/daemon/manage.js
Medium · Ships Compressed Blob · dist/CosmosSync.zip
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · dist/CosmosSync.zip