AI Security Review
scanned 2d ago · by lpm-firewall-ai
No confirmed malicious attack surface. The package is a Cosmos MCP client with explicit user-invoked personal-data sync features and macOS helper installation.
Decision evidence
public snapshot
- User-invoked sync commands read local personal data: iMessage, browser, calendar, Claude transcripts, and shell history.
- bin/cosmos-mcp.js uses child_process for macOS keychain, handler install, npm rebuild, and app registration.
- dist/daemon/manage.js can install a LaunchAgent and copied app bundle when user runs daemon/menu/settings flows.
- dist/update/cli.js can run npx to install latest package when user invokes update or enables auto_update.
- package.json postinstall only runs npm rebuild better-sqlite3 and does not start sync or exfiltration.
- dist/server.js default import starts an MCP stdio server and only calls tools after MCP requests.
- Network calls target package-aligned Cosmos endpoints or localhost/Ollama; no unrelated exfiltration host found.
- Credential storage is explicit auth bootstrap/provisioning to ~/.config/cosmos-mcp/token or macOS keychain.
- Sensitive sync paths are gated behind explicit subcommands/settings UI and require configured Cosmos token.
- No install-time AI-agent config mutation or prompt/reviewer manipulation found in inspected source.
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js · L9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js · L6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js · L1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/auth/bootstrap.js · L1)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/Cosmos.zip)
- Package ships high-entropy non-source blobs. (dist/Cosmos.app/Contents/Resources/AppIcon.icns)
- This package version adds a dangerous source file absent from the previous stored version. (dist/settings/server.js)