@polarity-lab/cosmos-mcp@0.9.28

MCP server for the Polarity exocortex. Read and write your personal knowledge graph from any LLM client.

AI Security Review

scanned 1d ago · by lpm-firewall-ai

No confirmed malicious install-time attack surface was found. The package does expose agent-facing memory tools and user-invoked local data sync/background sync features that can send personal data to the Cosmos service.

Static reason
One or more suspicious static signals were detected; previous stored version diff introduced dangerous source.
Trigger
Explicit MCP tool call, CLI sync command, settings action, or cosmos-mcp daemon install
Impact
Agents or configured sync jobs can persist conversation, shell, browser, calendar, iMessage, or Claude transcript data to the user's Cosmos account.
Mechanism
MCP memory API plus user-invoked local data sync and optional LaunchAgent
Attack narrative
The risky behavior is capability-oriented rather than a confirmed malware delivery path: MCP tools encourage agents to persist conversation data, and explicit CLI/settings sync flows can upload local personal data to Cosmos. The npm lifecycle hook does not plant agent configs or start persistence; the LaunchAgent and handler are installed only through user-invoked commands/settings actions.
Rationale
Source inspection does not support a malicious verdict because the install hook is limited to rebuilding better-sqlite3 and the foreign-agent/config/persistence behaviors are not lifecycle-triggered. The package still merits a warning because it gives AI agents persistent memory/write capabilities and offers explicit local-data sync/background-sync features with broad privacy impact.
Evidence
  • package.json
  • bin/cosmos-mcp.js
  • dist/server.js
  • dist/tools/index.js
  • dist/client/cosmos.js
  • dist/auth/bootstrap.js
  • dist/daemon/manage.js
  • dist/sources/claude-desktop/sync.js
  • dist/sources/shell-history/sync.js
  • ~/.config/cosmos-mcp/token
  • ~/.cosmos/sync-config.json
  • ~/.cosmos/*-state.json
  • ~/Library/LaunchAgents/com.polaritylab.cosmos-mcp.sync.plist
  • ~/Library/Application Support/cosmos-mcp/daemon-run.sh
  • ~/Library/Application Support/cosmos-mcp/cosmos-mcp-handler.app
  • ~/Applications/Cosmos.app
  • ~/.claude/projects
  • ~/.zsh_history
Network endpoints (3)
  • cosmos.polarity-lab.com
  • registry.npmjs.org/@polarity-lab/cosmos-mcp/latest
  • 127.0.0.1

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/tools/index.js exposes MCP write tools; polarity_capture_turn tells agents to call it at end of every substantive exchange.
  • dist/sources/claude-desktop/sync.js can read ~/.claude/projects/*.jsonl and POST conversation turns to Cosmos when invoked.
  • dist/sources/shell-history/sync.js can read shell history and POST commands to Cosmos when invoked.
  • dist/daemon/manage.js can install a macOS LaunchAgent and runner that periodically invokes sync commands.
  • bin/cosmos-mcp.js install-handler writes a URL-handler app under ~/Library/Application Support/cosmos-mcp when explicitly run.
Evidence against
  • package.json postinstall only runs npm rebuild better-sqlite3; no package code is executed from the lifecycle hook.
  • dist/server.js import/default path starts an MCP stdio server; auth/bootstrap only runs for explicit init.
  • No evidence of install-time writes to Claude/Cursor/Codex MCP configs or other foreign agent control surfaces.
  • Network traffic is package-aligned to cosmos.polarity-lab.com or user-configured COSMOS_URL.
  • Daemon, URL handler, shell/Claude/browser/iMessage syncs are CLI/settings actions, not automatic npm install effects.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 46 file(s), 251 KB of source, external domains: 127.0.0.1, cosmos.polarity-lab.com, registry.npmjs.org, www.apple.com, www.w3.org

Source & flagged code

11 flagged
package.json
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

bin/cosmos-mcp.js
  L9:
  L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
  L11: import { createRequire } from "node:module";
High
Child Process

Package source references child process execution.

bin/cosmos-mcp.js · L9
Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network
  L9:
  L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
  L11: import { createRequire } from "node:module";
  ...
  L19: const __filename = fileURLToPath(import.meta.url);
  L20: const __dirname = dirname(__filename);
  L21: const PACKAGE_ROOT = join(__dirname, "..");
  ...
  L26: const KEYCHAIN_SERVICE = "cosmos-mcp-key";
  L27: const DEFAULT_COSMOS_URL = process.env.COSMOS_BASE_URL || process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
  L28:
  ...
  L140: if (!node) {
  L141: process.stderr.write(
  L142: "better-sqlite3 was built for a different Node.js than the one running.\n\n" +
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cosmos-mcp.js · L9
  L6: // are tiny and because they must not depend on the rest of the build being
  L7: // present (e.g. `npx -y @polarity-lab/cosmos-mcp provision pmk_xxx` on a fresh
  L8: // install should not fail because better-sqlite3 hasn't been gyp-rebuilt yet).
  L9:
  L10: import { execFile, execFileSync, spawnSync } from "node:child_process";
  L11: import { createRequire } from "node:module";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cosmos-mcp.js · L6
dist/daemon/manage.js
  L3: // Original source was not present in git or the npm tarball; runtime source: ../../../../../../tmp/cosmos-mcp-pack/package/dist/daemon/manage.js
  L4: import { execFileSync, spawnSync } from "node:child_process";
  L5: import { chmodSync, existsSync, mkdirSync, writeFileSync } from "node:fs";
  ...
  L11: const blocks = [
  L12: "#!/bin/bash",
  L13: `# cosmos-mcp daemon runner. Invoked by launchd every ${mins} minutes.`,
  ...
  L77: if (existsSync(paths.plistPath)) {
  L78: const r = spawnSync("/bin/launchctl", ["list", DAEMON_LABEL], { encoding: "utf8" });
  L79: loaded = r.status === 0;
  ...
  L141: if (loadRes.status !== 0) {
  L142: return { ok: false, error: `launchctl load failed: ${(loadRes.stderr || "").trim()}` };
  L143: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/manage.js · L3
dist/auth/bootstrap.js
  L1: import { createServer } from "node:http";
  L2: import { writeFileSync, mkdirSync, chmodSync } from "node:fs";
  L3: import { randomBytes } from "node:crypto";
  L4: import { execFile } from "node:child_process";
  L5: import { TOKEN_PATHS } from "../config.js";
  L6: const DEFAULT_COSMOS_URL = process.env.COSMOS_URL || "https://cosmos.polarity-lab.com";
  L7: export async function runBootstrap() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/auth/bootstrap.js · L1
dist/Cosmos.zip
path = dist/Cosmos.zip kind = compressed_blob sizeBytes = 681489 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

path = dist/Cosmos.zip kind = nested_archive_needs_inspection sizeBytes = 681489 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/Cosmos.app/Contents/Resources/AppIcon.icns
path = dist/Cosmos.app/Contents/Resources/AppIcon.icns kind = high_entropy_blob sizeBytes = 118589 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/settings/server.js
matchType = previous_version_dangerous_delta matchedPackage = @polarity-lab/cosmos-mcp@0.9.27 matchedIdentity = npm:[redacted]:0.9.27 similarity = 0.733 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

Findings

1 Critical · 7 High · 6 Medium · 6 Low
Critical · Previous Version Dangerous Delta · dist/settings/server.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/cosmos-mcp.js
High · Shell
High · Entrypoint Build Divergence · bin/cosmos-mcp.js
High · Same File Env Network Execution · dist/auth/bootstrap.js
High · Runtime Package Install · bin/cosmos-mcp.js
High · Ships High Entropy Blob · dist/Cosmos.app/Contents/Resources/AppIcon.icns
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Install Persistence · dist/daemon/manage.js
Medium · Ships Compressed Blob · dist/Cosmos.zip
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings
Low · Nested Archive Needs Inspection · dist/Cosmos.zip