AI Security Review
scanned 3h ago · by lpm-firewall-aiLPM treats this as warn-only first-party agent extension lifecycle risk. No install-time behavior runs. An explicit setup command installs first-party Cortex MCP/hooks and recurring skills repair; the configured Stop hook uploads redacted session data to Cortex.
Static reason
No blocking static signals were detected.
Trigger
User runs `cortex-mcp setup` or `repair`, then a configured Claude/Codex session starts or stops.
Impact
Creates recurring agent-side execution and sends session-derived content to the configured Cortex service.
Mechanism
First-party AI-agent configuration, hook persistence, skill synchronization, and authenticated transcript ingestion.
Rationale
Source inspection does not establish malicious behavior. The explicit setup flow nevertheless creates persistent agent hooks, remote skill synchronization, and transcript ingestion, so it warrants a warning under the agent-extension lifecycle policy.
Evidence
package.jsonbin/cortex-mcp.mjslib/setup.mjslib/capture.mjslib/skills.mjslib/diagnose.mjslib/imessage_send.mjs~/.claude.json~/.claude/settings.json~/.codex/config.toml~/.codex/hooks.json~/.claude/skills/<name>/SKILL.md~/.codex/skills/<name>/SKILL.md~/.cortex/org-skills-cache.json
Network endpoints3
cortex-console.vercel.app${CORTEX_URL}/api/ingest${CORTEX_URL}/api/skills
Decision evidence
public snapshotAI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
- `lib/setup.mjs` explicitly rewrites `~/.claude.json`, `~/.claude/settings.json`, and existing `~/.codex/{config.toml,hooks.json}`.
- Setup adds recurring `npx -y @theronap/cortex-mcp@stable` MCP, Stop, and session-start hooks.
- `lib/capture.mjs` posts Claude hook transcripts to `${CORTEX_URL}/api/ingest` with the configured token.
- `lib/skills.mjs` repairs bundled and server-fetched skills into Claude/Codex skill directories on session start.
Evidence against
- `package.json` has no preinstall, install, postinstall, or prepare lifecycle script.
- Configuration mutation only occurs through explicit `setup` or `repair` CLI commands.
- `lib/capture.mjs` redacts several credential patterns before transcript upload.
- Network code targets the configured Cortex API; no covert endpoint, eval, binary loading, or destructive payload was found.
- `lib/imessage_send.mjs` is draft-by-default and gates sends by allowlist or out-of-band confirmation.
Behavioral surface
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
HighEntropyStringsUrlStrings
Source & flagged code
2 flagged · loading sourcelib/capture.mjsView file
15if (!res.ok) return null
L16: const j = await res.json().catch(() => ({}))
L17: return Array.isArray(j.types) ? j.types : null
...
L29: try {
L30: if (resolve(String(cwd)) === homedir()) return 'general'
L31: } catch { /* unresolvable path — fall through to basename */ }
...
L86: // would recurse (and re-ingest the summarizer's prompt as a phantom session). Bail immediately.
L87: if (process.env.CORTEX_SUMMARIZING) { process.stderr.write('cortex: summarizer subprocess, skipping\n'); return }
L88:
Low
Weak Crypto
Package source references weak cryptographic algorithms.
lib/capture.mjsView on unpkg · L15lib/redact.test.mjsView file
41patternName = private_key_rsa
severity = critical
line = 41
matchedText = const ou...--')
Critical
Findings
1 Critical2 Medium4 Low
CriticalSecret Patternlib/redact.test.mjs
MediumNetwork
MediumEnvironment Vars
LowWeak Cryptolib/capture.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings