AI Security Review
scanned 4d ago · by lpm-firewall-ai
No confirmed malicious attack surface was established. Risky primitives are aligned with a personal-data MCP sync tool and are gated by explicit commands or configuration.
Decision evidence
public snapshot
- bin/cosmos-mcp.js uses child_process for macOS keychain, npx handler, native rebuild, and URL handler setup.
- dist/sources/* CLIs can upload user data such as iMessage, browser visits, shell history, calendar, and Claude Desktop turns after explicit sync commands.
- dist/daemon/manage.js can install a macOS launchd background sync agent when the user runs daemon/menu setup.
- package.json postinstall only runs `npm rebuild better-sqlite3 ... || true`; no hidden downloader or package start on install.
- dist/server.js starts an MCP stdio server and imports auth bootstrap only for `cosmos-mcp init`.
- dist/client/cosmos.js sends authenticated requests only to configured Cosmos API paths, defaulting to https://cosmos.polarity-lab.com.
- bin/cosmos-mcp.js provision validates a pmk_ key, stores it in macOS keychain and ~/.config/cosmos-mcp/token with 0600 permissions.
- dist/settings/sync-jobs.js spawns local package CLI subcommands for user-requested sync jobs, not arbitrary shell strings.
- No evidence of credential harvesting beyond package auth tokens, destructive behavior, obfuscated payload execution, or unconsented install-time persistence.
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js · L9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js · L6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js · L1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/auth/bootstrap.js · L1)
- Package ships compressed or archive-like blobs. (dist/CosmosSync.zip)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/CosmosSync.zip)
- Package ships high-entropy non-source blobs. (dist/CosmosSync.app/Contents/Resources/AppIcon.icns)
- This package version adds a dangerous source file absent from the previous stored version. (dist/settings/sync-jobs.js)