AI Security Review
scanned 4d ago · by lpm-firewall-ai

No confirmed malicious attack surface. The package provides user-invoked MCP and connector sync commands that collect local personal data and send it to the configured Cosmos service, matching the package description.
Decision evidence
public snapshot
- bin/cosmos-mcp.js can run user-invoked sync/provision/install-handler/daemon subcommands with child_process and file writes.
- dist/sources/browser/cli.js and readers.js read browser history and POST to configured Cosmos API when `browser sync` is invoked.
- dist/sources/imessage/cli.js and sync.js read iMessage data and POST conversation turns when `imessage sync` is invoked.
- dist/sources/shell-history/sync.js reads shell history and posts commands when `shell-history sync` is invoked.
- dist/daemon/manage.js installs a LaunchAgent and runner only via daemon install path; dist/CosmosSync.zip ships a macOS app bundle.
- package.json postinstall is limited to `npm rebuild better-sqlite3 2>/dev/null || true`.
- dist/server.js default entrypoint starts an MCP stdio server and dispatches declared tools; no import-time exfiltration found.
- Network use is package-aligned to Cosmos endpoints or npm registry update check, with COSMOS_URL override.
- Credential storage reads/writes are scoped to Cosmos MCP key/keychain/token cache for authentication.
- No obfuscated eval/vm/Function, destructive install-time behavior, or unconsented AI-agent control-surface writes found.
Source & flagged code
11 flagged
- Package defines install-time lifecycle scripts. (package.json)
- Install-time lifecycle script is not statically allowlisted and needs review. (package.json)
- This package version adds a dangerous source file absent from the previous stored version. (bin/cosmos-mcp.js)
- Manifest entrypoint contains risky behavior absent from dist/build output. (bin/cosmos-mcp.js · L9)
- Package source invokes a package manager install command at runtime. (bin/cosmos-mcp.js · L6)
- Source writes installer persistence such as shell profile or service configuration. (dist/daemon/manage.js · L1)
- A single source file combines environment access, network access, and code or shell execution; review context before blocking. (dist/settings/server.js · L2)
- Package ships compressed or archive-like blobs. (dist/CosmosSync.zip)
- Package ships a nested archive or MCP bundle that was inventoried but not recursively analyzed. (dist/CosmosSync.zip)