AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is an MCP server plus explicit user-invoked local data sync tooling for a Cosmos service.
Decision evidence
public snapshot
- package.json defines postinstall, but it only runs `npm rebuild better-sqlite3`.
- bin/cosmos-mcp.js and dist/daemon/*.js use child_process, launchctl, cp/rm, and npx for explicit macOS provisioning/menu/daemon/update commands.
- dist/sources/* sync commands read sensitive local data including iMessage, browser history, calendar, shell history, and Claude transcripts.
- dist/server.js import-time behavior is an MCP stdio server that loads config and dispatches declared tools.
- dist/client/cosmos.js sends requests only to configured Cosmos URL, defaulting to https://cosmos.polarity-lab.com, with documented auth headers.
- dist/config.js reads specific COSMOS_* env vars and ~/.config/cosmos-mcp/token; no broad env harvesting found.
- dist/auth/bootstrap.js uses a loopback OAuth flow and writes the token file with 0600 permissions.
- README.md documents provisioning, local data sources, keychain/token storage, and macOS handler/menu behavior.
- No covert install-time exfiltration, obfuscated staged loader, destructive payload, reviewer prompt injection, or unconsented AI-agent config mutation found.
Source & flagged code
11 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/cosmos-mcp.js (L9): Manifest entrypoint contains risky behavior absent from dist/build output.
- bin/cosmos-mcp.js (L6): Package source invokes a package manager install command at runtime.
- dist/daemon/manage.js (L1): Source writes installer persistence such as shell profile or service configuration.
- dist/auth/bootstrap.js (L1): A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- dist/Cosmos.zip: Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
- dist/Cosmos.app/Contents/Resources/AppIcon.icns: Package ships high-entropy non-source blobs.
- dist/daemon/menu-cli.js: This package version adds a dangerous source file absent from the previous stored version.