Static Scan Results
scanned 4h ago · by rust-scannerStatic analysis flagged 19 finding(s) at 72.0% confidence. This version is warn-only unless an AI or security-team review confirms malicious behavior.
Decision evidence
public snapshotSource & flagged code
10 flagged · loading sourcePackage defines install-time lifecycle scripts.
package.jsonView on unpkgInstall-time lifecycle script is not statically allowlisted and needs review.
package.jsonView on unpkgManifest entrypoint contains risky behavior absent from dist/build output.
bin/cosmos-mcp.jsView on unpkg · L9Package source invokes a package manager install command at runtime.
bin/cosmos-mcp.jsView on unpkg · L6Source writes installer persistence such as shell profile or service configuration.
dist/daemon/manage.jsView on unpkg · L3A single source file combines environment access, network access, and code or shell execution; review context before blocking.
dist/auth/bootstrap.jsView on unpkg · L1Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.
dist/Cosmos.zipView on unpkgPackage ships high-entropy non-source blobs.
dist/Cosmos.app/Contents/Resources/AppIcon.icnsView on unpkg