AI Security Review
scanned 1d ago · by lpm-firewall-ai
No confirmed malicious install-time attack surface was found. The package does expose agent-facing memory tools and user-invoked local data sync and background sync features that can send personal data to the Cosmos service.
Decision evidence
public snapshot
- dist/tools/index.js exposes MCP write tools; polarity_capture_turn instructs agents to call it at the end of every substantive exchange.
- dist/sources/claude-desktop/sync.js can read ~/.claude/projects/*.jsonl and POST conversation turns to Cosmos when invoked.
- dist/sources/shell-history/sync.js can read shell history and POST commands to Cosmos when invoked.
- dist/daemon/manage.js can install a macOS LaunchAgent and runner that periodically invokes sync commands.
- bin/cosmos-mcp.js install-handler writes a URL-handler app under ~/Library/Application Support/cosmos-mcp when explicitly run.
- package.json postinstall only runs npm rebuild better-sqlite3; no package code is executed from the lifecycle hook.
- dist/server.js import/default path starts an MCP stdio server; auth/bootstrap only runs for explicit init.
- No evidence of install-time writes to Claude/Cursor/Codex MCP configs or other foreign agent control surfaces.
- Network destinations are consistent with the package's purpose: cosmos.polarity-lab.com or a user-configured COSMOS_URL.
- The daemon, the URL handler, and the shell/Claude/browser/iMessage syncs are all explicit CLI or settings actions, not side effects of npm install.
Source & flagged code
11 flagged
- package.json: Package defines install-time lifecycle scripts.
- package.json: Install-time lifecycle script is not statically allowlisted and needs review.
- bin/cosmos-mcp.js (line 9): Manifest entrypoint contains risky behavior absent from dist/build output.
- bin/cosmos-mcp.js (line 6): Package source invokes a package manager install command at runtime.
- dist/daemon/manage.js (line 3): Source writes installer persistence such as shell profile or service configuration.
- dist/auth/bootstrap.js (line 1): A single source file combines environment access, network access, and code or shell execution; review context before blocking.
- dist/Cosmos.zip: Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
- dist/Cosmos.app/Contents/Resources/AppIcon.icns: Package ships high-entropy non-source blobs.
- dist/settings/server.js: This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.