registry  /  @theronap/cortex-mcp  /  0.9.34

@theronap/cortex-mcp@0.9.34

Connect your AI assistant to Cortex — your org's projects, activity, gaps, and directives, scoped to you.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time behavior runs. An explicit setup command installs first-party Cortex MCP/hooks and recurring skills repair; the configured Stop hook uploads redacted session data to Cortex.

Static reason
No blocking static signals were detected.
Trigger
User runs `cortex-mcp setup` or `repair`, then a configured Claude/Codex session starts or stops.
Impact
Creates recurring agent-side execution and sends session-derived content to the configured Cortex service.
Mechanism
First-party AI-agent configuration, hook persistence, skill synchronization, and authenticated transcript ingestion.
Rationale
Source inspection does not establish malicious behavior. The explicit setup flow nevertheless creates persistent agent hooks, remote skill synchronization, and transcript ingestion, so it warrants a warning under the agent-extension lifecycle policy.
Evidence
package.jsonbin/cortex-mcp.mjslib/setup.mjslib/capture.mjslib/skills.mjslib/diagnose.mjslib/imessage_send.mjs~/.claude.json~/.claude/settings.json~/.codex/config.toml~/.codex/hooks.json~/.claude/skills/<name>/SKILL.md~/.codex/skills/<name>/SKILL.md~/.cortex/org-skills-cache.json
Network endpoints3
cortex-console.vercel.app${CORTEX_URL}/api/ingest${CORTEX_URL}/api/skills

Decision evidence

public snapshot
AI called this Suspicious at 91.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/setup.mjs` explicitly rewrites `~/.claude.json`, `~/.claude/settings.json`, and existing `~/.codex/{config.toml,hooks.json}`.
  • Setup adds recurring `npx -y @theronap/cortex-mcp@stable` MCP, Stop, and session-start hooks.
  • `lib/capture.mjs` posts Claude hook transcripts to `${CORTEX_URL}/api/ingest` with the configured token.
  • `lib/skills.mjs` repairs bundled and server-fetched skills into Claude/Codex skill directories on session start.
Evidence against
  • `package.json` has no preinstall, install, postinstall, or prepare lifecycle script.
  • Configuration mutation only occurs through explicit `setup` or `repair` CLI commands.
  • `lib/capture.mjs` redacts several credential patterns before transcript upload.
  • Network code targets the configured Cortex API; no covert endpoint, eval, binary loading, or destructive payload was found.
  • `lib/imessage_send.mjs` is draft-by-default and gates sends by allowlist or out-of-band confirmation.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 22 file(s), 164 KB of source, external domains: cortex-console.vercel.app

Source & flagged code

2 flagged · loading source
lib/capture.mjsView file
15if (!res.ok) return null L16: const j = await res.json().catch(() => ({})) L17: return Array.isArray(j.types) ? j.types : null ... L29: try { L30: if (resolve(String(cwd)) === homedir()) return 'general' L31: } catch { /* unresolvable path — fall through to basename */ } ... L86: // would recurse (and re-ingest the summarizer's prompt as a phantom session). Bail immediately. L87: if (process.env.CORTEX_SUMMARIZING) { process.stderr.write('cortex: summarizer subprocess, skipping\n'); return } L88:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/capture.mjsView on unpkg · L15
lib/redact.test.mjsView file
41patternName = private_key_rsa severity = critical line = 41 matchedText = const ou...--')
Critical
Secret Pattern

RSA private key in lib/redact.test.mjs

lib/redact.test.mjsView on unpkg · L41

Findings

1 Critical2 Medium4 Low
CriticalSecret Patternlib/redact.test.mjs
MediumNetwork
MediumEnvironment Vars
LowWeak Cryptolib/capture.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings