registry  /  @polarity-lab/cosmos-mcp  /  0.9.7

@polarity-lab/cosmos-mcp@0.9.7

MCP server for the Polarity exocortex. Read and write your personal knowledge graph from any LLM client.

AI Security Review

scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides user-invoked MCP and connector sync commands that collect local personal data and send it to the configured Cosmos service, matching the package description.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
Explicit CLI/MCP actions such as init, provision, browser sync, imessage sync, shell-history sync, update, or daemon install.
Impact
Local browser/iMessage/shell/calendar/Claude Desktop data may be uploaded to Cosmos after user configuration and command invocation.
Mechanism
user-invoked personal-data sync and macOS helper installation
Rationale
The flagged primitives are real but are tied to explicit CLI features for an MCP personal knowledge graph connector, not hidden lifecycle execution or covert exfiltration. Static inspection found no concrete malicious behavior beyond package-aligned, user-invoked data sync and helper installation.
Evidence
package.jsonbin/cosmos-mcp.jsdist/server.jsdist/config.jsdist/auth/bootstrap.jsdist/client/cosmos.jsdist/sources/browser/cli.jsdist/sources/browser/readers.jsdist/sources/imessage/cli.jsdist/sources/imessage/sync.jsdist/sources/shell-history/sync.jsdist/daemon/manage.js~/.config/cosmos-mcp/token~/Library/Application Support/cosmos-mcp/cosmos-mcp-handler.app~/Library/LaunchAgents/com.polaritylab.cosmos-mcp.sync.plist~/Library/Application Support/cosmos-mcp/daemon-run.sh~/Applications/Cosmos Sync.app
Network endpoints5
cosmos.polarity-lab.comcosmos.polarity-lab.com/api/polarity/whoamicosmos.polarity-lab.com/api/me/connectors/browser/visitscosmos.polarity-lab.com/api/me/connectors/conversations/turnsregistry.npmjs.org/@polarity-lab/cosmos-mcp/latest

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • bin/cosmos-mcp.js can run user-invoked sync/provision/install-handler/daemon subcommands with child_process and file writes.
  • dist/sources/browser/cli.js and readers.js read browser history and POST to configured Cosmos API when `browser sync` is invoked.
  • dist/sources/imessage/cli.js and sync.js read iMessage data and POST conversation turns when `imessage sync` is invoked.
  • dist/sources/shell-history/sync.js reads shell history and posts commands when `shell-history sync` is invoked.
  • dist/daemon/manage.js installs a LaunchAgent and runner only via daemon install path; dist/CosmosSync.zip ships a macOS app bundle.
Evidence against
  • package.json postinstall is limited to `npm rebuild better-sqlite3 2>/dev/null || true`.
  • dist/server.js default entrypoint starts an MCP stdio server and dispatches declared tools; no import-time exfiltration found.
  • Network use is package-aligned to Cosmos endpoints or npm registry update check, with COSMOS_URL override.
  • Credential storage reads/writes are scoped to Cosmos MCP key/keychain/token cache for authentication.
  • No obfuscated eval/vm/Function, destructive install-time behavior, or unconsented AI-agent control-surface writes found.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 45 file(s), 239 KB of source, external domains: 127.0.0.1, cosmos.polarity-lab.com, registry.npmjs.org, www.apple.com

Source & flagged code

11 flagged · loading source
package.jsonView file
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.jsonView on unpkg
scripts.postinstall = npm rebuild better-sqlite3 2>/dev/null || true
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.jsonView on unpkg
bin/cosmos-mcp.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @polarity-lab/cosmos-mcp@0.9.6 matchedIdentity = npm:[redacted]:0.9.6 similarity = 0.955 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

bin/cosmos-mcp.jsView on unpkg
9L10: import { execFile, execFileSync, spawnSync } from "node:child_process"; L11: import { createRequire } from "node:module";
High
Child Process

Package source references child process execution.

bin/cosmos-mcp.jsView on unpkg · L9
9Manifest entrypoint (manifest.bin) carries capability families absent from dist/build output: environment+network, sensitive-file+network, execution+network L9: L10: import { execFile, execFileSync, spawnSync } from "node:child_process"; L11: import { createRequire } from "node:module"; ... L19: const __filename = fileURLToPath(import.meta.url); L20: const __dirname = dirname(__filename); L21: const PACKAGE_ROOT = join(__dirname, ".."); ... L26: const KEYCHAIN_SERVICE = "cosmos-mcp-key"; L27: const DEFAULT_COSMOS_URL = process.env.COSMOS_BASE_URL || process.env.COSMOS_URL || "https://cosmos.polarity-lab.com"; L28: ... L140: if (!node) { L141: process.stderr.write( L142: "better-sqlite3 was built for a different Node.js than the one running.\n\n" +
High
Entrypoint Build Divergence

Manifest entrypoint contains risky behavior absent from dist/build output.

bin/cosmos-mcp.jsView on unpkg · L9
6// are tiny and because they must not depend on the rest of the build being L7: // present (e.g. `npx -y @polarity-lab/cosmos-mcp provision pmk_xxx` on a fresh L8: // install should not fail because better-sqlite3 hasn't been gyp-rebuilt yet). L9: L10: import { execFile, execFileSync, spawnSync } from "node:child_process"; L11: import { createRequire } from "node:module";
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

bin/cosmos-mcp.jsView on unpkg · L6
dist/daemon/manage.jsView file
1import { execFileSync, spawnSync } from "node:child_process"; L2: import { chmodSync, existsSync, mkdirSync, writeFileSync } from "node:fs"; ... L8: const blocks = [ L9: "#!/bin/bash", L10: `# cosmos-mcp daemon runner. Invoked by launchd every ${mins} minutes.`, ... L74: if (existsSync(paths.plistPath)) { L75: const r = spawnSync("/bin/launchctl", ["list", DAEMON_LABEL], { encoding: "utf8" }); L76: loaded = r.status === 0; ... L138: if (loadRes.status !== 0) { L139: return { ok: false, error: `launchctl load failed: ${(loadRes.stderr || "").trim()}` }; L140: }
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

dist/daemon/manage.jsView on unpkg · L1
dist/settings/server.jsView file
2import http from "node:http"; L3: import { execFileSync, spawn } from "node:child_process"; L4: import { dirname, join } from "node:path"; ... L17: import { beginSyncJob, getJob, isSyncRunning, listJobs, } from "./sync-jobs.js"; L18: const DEFAULT_API = process.env.COSMOS_URL || "https://cosmos.polarity-lab.com"; L19: function packageRoot() {
High
Same File Env Network Execution

A single source file combines environment access, network access, and code or shell execution; review context before blocking.

dist/settings/server.jsView on unpkg · L2
dist/CosmosSync.zipView file
path = dist/CosmosSync.zip kind = high_entropy_blob sizeBytes = 50245 magicHex = [redacted]
High
Ships High Entropy Blob

Package ships high-entropy non-source blobs.

dist/CosmosSync.zipView on unpkg
path = dist/CosmosSync.zip kind = compressed_blob sizeBytes = 50245 magicHex = [redacted]
Medium
Ships Compressed Blob

Package ships compressed or archive-like blobs.

dist/CosmosSync.zipView on unpkg
path = dist/CosmosSync.zip kind = nested_archive_needs_inspection sizeBytes = 50245 magicHex = [redacted]
Low
Nested Archive Needs Inspection

Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed.

dist/CosmosSync.zipView on unpkg

Findings

1 Critical7 High6 Medium6 Low
CriticalPrevious Version Dangerous Deltabin/cosmos-mcp.js
HighInstall Time Lifecycle Scriptspackage.json
HighChild Processbin/cosmos-mcp.js
HighShell
HighEntrypoint Build Divergencebin/cosmos-mcp.js
HighSame File Env Network Executiondist/settings/server.js
HighRuntime Package Installbin/cosmos-mcp.js
HighShips High Entropy Blobdist/CosmosSync.zip
MediumAmbiguous Install Lifecycle Scriptpackage.json
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencedist/daemon/manage.js
MediumShips Compressed Blobdist/CosmosSync.zip
MediumStructural Risk Force Deep Review
LowNon Install Lifecycle Scripts
LowScripts Present
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings
LowNested Archive Needs Inspectiondist/CosmosSync.zip