@polarity-lab/cosmos-mcp@0.9.27

MCP server for the Polarity exocortex. Read and write your personal knowledge graph from any LLM client.

AI Security Review

scanned 2d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package is a Cosmos MCP client with explicit user-invoked personal-data sync features and macOS helper installation.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
User runs cosmos-mcp subcommands, MCP tool calls, settings UI actions, or enables daemon/update features.
Impact
Can upload selected local personal data to the configured Cosmos service when invoked by the user, but no covert install/import-time behavior was found.
Mechanism
Explicit authenticated sync to Cosmos APIs plus optional local macOS helper/LaunchAgent setup
Rationale
Static inspection found high-risk primitives, shipped app bundles, and personal-data sync capability, but they are aligned with the package purpose and gated by user commands/authentication. The install lifecycle does not execute the sync/daemon paths and no covert credential harvesting, unrelated exfiltration, destructive action, or unconsented agent-control mutation was found.
Evidence
  • package.json
  • bin/cosmos-mcp.js
  • dist/server.js
  • dist/client/cosmos.js
  • dist/config.js
  • dist/auth/bootstrap.js
  • dist/daemon/manage.js
  • dist/update/cli.js
  • dist/settings/server.js
  • dist/sources/claude-desktop/cli.js
  • dist/sources/shell-history/cli.js
  • ~/.config/cosmos-mcp/token
  • ~/Library/Application Support/cosmos-mcp/cosmos-mcp-handler.app
  • ~/Applications/Cosmos.app
  • ~/Library/LaunchAgents/com.polaritylab.cosmos-sync.plist
  • ~/.cosmos/*
  • ~/Library/Messages/chat.db
  • ~/.claude/projects
  • ~/.zsh_history
Network endpoints (6)
  • cosmos.polarity-lab.com
  • cosmos.polarity-lab.com/api/polarity/whoami
  • cosmos.polarity-lab.com/api/auth/mcp/grant
  • registry.npmjs.org/@polarity-lab/cosmos-mcp/latest
  • 127.0.0.1:11434
  • 127.0.0.1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • User-invoked sync commands read local personal data: iMessage, browser, calendar, Claude transcripts, and shell history.
  • bin/cosmos-mcp.js uses child_process for macOS keychain, handler install, npm rebuild, and app registration.
  • dist/daemon/manage.js can install a LaunchAgent and copied app bundle when user runs daemon/menu/settings flows.
  • dist/update/cli.js can run npx to install latest package when user invokes update or enables auto_update.
Evidence against
  • package.json postinstall only runs npm rebuild better-sqlite3 and does not start sync or exfiltration.
  • dist/server.js default import starts an MCP stdio server and only calls tools after MCP requests.
  • Network calls target package-aligned Cosmos endpoints or localhost/Ollama; no unrelated exfiltration host found.
  • Credential storage is explicit auth bootstrap/provisioning to ~/.config/cosmos-mcp/token or macOS keychain.
  • Sensitive sync paths are gated behind explicit subcommands/settings UI and require configured Cosmos token.
  • No install-time AI-agent config mutation or prompt/reviewer manipulation found in inspected source.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 46 file(s), 259 KB of source, external domains: 127.0.0.1, cosmos.polarity-lab.com, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

11 flagged
package.json
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/cosmos-mcp.js
L9:
L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
L11: import { createRequire } from "node:module";
High
Child Process

Package source references child process execution.

bin/cosmos-mcp.js · L9
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
L9:
L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
L11: import { createRequire } from "node:module";
...
L19: const __filename = fileURLToPath(import.meta.url);
L20: const __dirname = dirname(__filename);
L21: const PACKAGE_ROOT = join(__dirname, "..");
...
L26: const KEYCHAIN_SERVICE = "cosmos-mcp-key";
L27: const DEFAULT_COSMOS_URL = process.env.COSMOS_BASE_URL || process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
L28:
...
L140: if (!node) {
L141: process.stderr.write(
L142: "better-sqlite3 was built for a different Node.js than the one running.\n\n" +
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cosmos-mcp.js · L9
L6: // are tiny and because they must not depend on the rest of the build being
L7: // present (e.g. `npx -y @polarity-lab/cosmos-mcp provision pmk_xxx` on a fresh
L8: // install should not fail because better-sqlite3 hasn't been gyp-rebuilt yet).
L9:
L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
L11: import { createRequire } from "node:module";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cosmos-mcp.js · L6
dist/daemon/manage.js
L1: import { execFileSync, spawnSync } from "node:child_process";
L2: import { chmodSync, existsSync, mkdirSync, writeFileSync } from "node:fs";
...
L8: const blocks = [
L9: "#!/bin/bash",
L10: `# cosmos-mcp daemon runner. Invoked by launchd every ${mins} minutes.`,
...
L74: if (existsSync(paths.plistPath)) {
L75: const r = spawnSync("/bin/launchctl", ["list", DAEMON_LABEL], { encoding: "utf8" });
L76: loaded = r.status === 0;
...
L140: if (loadRes.status !== 0) {
L141: return { ok: false, error: `launchctl load failed: ${(loadRes.stderr || "").trim()}` };
L142: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/manage.js · L1
dist/auth/bootstrap.js
L1: import { createServer } from "node:http";
L2: import { writeFileSync, mkdirSync, chmodSync } from "node:fs";
L3: import { randomBytes } from "node:crypto";
L4: import { execFile } from "node:child_process";
L5: import { TOKEN_PATHS } from "../config.js";
L6: const DEFAULT_COSMOS_URL = process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
L7: export async function runBootstrap() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/auth/bootstrap.js · L1
dist/Cosmos.zip
path = dist/Cosmos.zip kind = compressed_blob sizeBytes = 296469 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

path = dist/Cosmos.zip kind = nested_archive_needs_inspection sizeBytes = 296469 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/Cosmos.app/Contents/Resources/AppIcon.icns
path = dist/Cosmos.app/Contents/Resources/AppIcon.icns kind = high_entropy_blob sizeBytes = 118589 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/settings/server.js
matchType = previous_version_dangerous_delta matchedPackage = @polarity-lab/cosmos-mcp@0.9.24 matchedIdentity = npm:[redacted]:0.9.24 similarity = 0.933 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

Findings

1 Critical · 7 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/settings/server.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/cosmos-mcp.js
High · Shell
High · Entrypoint Build Divergence · bin/cosmos-mcp.js
High · Same File Env Network Execution · dist/auth/bootstrap.js
High · Runtime Package Install · bin/cosmos-mcp.js
High · Ships High Entropy Blob · dist/Cosmos.app/Contents/Resources/AppIcon.icns
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/daemon/manage.js
Medium · Ships Compressed Blob · dist/Cosmos.zip
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · dist/Cosmos.zip