AI Security Review
scanned 2d ago · by lpm-firewall-ai

The MCP server exposes tools that can cause an AI agent to upload full conversation turns to Cosmos. The strongest issue is the tool description itself, which instructs the agent to autonomously capture every substantive user/assistant exchange without being asked.
Decision evidence
Source: public snapshot
- dist/tools/index.js defines cosmos_capture_turn with an instruction to call it at the end of every substantive exchange without being asked
- dist/client/cosmos.js sends captured user_text/assistant_text to /api/polarity/capture-turn with X-MCP-Key
- dist/sources/claude-desktop/cli.js sync reads ~/.claude/projects transcripts and ships turns to cosmos
- dist/sources/imessage/cli.js sync reads ~/Library/Messages/chat.db and contacts, then posts turns and captions
- dist/sources/browser/cli.js sync reads local browser history and posts visits to /api/me/connectors/browser/visits
- dist/daemon/manage.js can install a LaunchAgent that periodically runs local data syncs
- package.json postinstall only runs npm rebuild better-sqlite3, no arbitrary download or obfuscated payload
- bin/cosmos-mcp.js dangerous shell/keychain actions are routed through explicit subcommands such as provision, install-handler, daemon, update, imessage
- Network hosts are package-aligned with cosmos.polarity-lab.com or registry update checks
- Token files are written under ~/.config/cosmos-mcp/token with 0600 permissions
- No eval/vm/Function or hidden decoded payload found in inspected JS
Source & flagged code
11 flagged

- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js, line 9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js, line 6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js, line 1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/auth/bootstrap.js, line 1)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/Cosmos.zip)
- Package ships high-entropy non-source blobs. (dist/Cosmos.app/Contents/Resources/AppIcon.icns)
- This package version adds a dangerous source file absent from the previous stored version. (dist/settings/server.js)