registry  /  @theronap/cortex-mcp  /  0.9.45

@theronap/cortex-mcp@0.9.45

Connect your AI assistant to Cortex — your org's projects, activity, gaps, and directives, scoped to you.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. No install-time execution is present. Explicit setup/install commands modify first-party Cortex editor integrations and add capture hooks; those hooks can send redacted session-derived data to Cortex. An exposed iMessage tool is guarded but remains a sensitive capability.

Static reason
No blocking static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `setup` or `install`, then a configured editor invokes the Cortex MCP server or Stop hook.
Impact
Configured sessions may be captured to Cortex; an agent may draft or, with configured authorization, send iMessages.
Mechanism
User-invoked MCP/editor hook wiring, session ingestion, and guarded local iMessage automation.
Rationale
Source shows an explicit, package-owned AI-agent integration with session capture and a guarded messaging capability, not malicious npm install behavior. Warn rather than block so users receive visibility into the persistent editor-hook and data-ingest surface.
Evidence
package.jsonbin/cortex-mcp.mjslib/setup.mjslib/install.mjslib/capture.mjslib/diagnose.mjslib/imessage_send.mjslib/uninstall.mjslib/server.mjslib/editors/claude.mjslib/editors/codex.mjs
Network endpoints2
cortex-console.vercel.app/api/ingestcortex-console.vercel.app/api/mcp-context

Decision evidence

public snapshot
AI called this Suspicious at 90.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `lib/setup.mjs` explicitly writes Claude and detected Codex MCP/hook configuration.
  • `lib/capture.mjs` reads Stop-hook transcript input and POSTs derived data; raw transcript is fallback when local extraction is unavailable.
  • `lib/imessage_send.mjs` can invoke `osascript` to send iMessage after explicit `send:true` and recipient gating.
  • `lib/install.mjs` wires supported editors and writes `~/.cortex/editors.json` on an explicit CLI command.
Evidence against
  • `package.json` has no preinstall, install, or postinstall lifecycle scripts.
  • `bin/cortex-mcp.mjs` activates setup/install/uninstall/capture only through explicit subcommands.
  • `lib/capture.mjs` redacts transcript secrets before constructing the ingest request.
  • `lib/imessage_send.mjs` defaults to draft mode and blocks non-allowlisted sends without an out-of-band secret.
  • Network use is Cortex-aligned: default base is `https://cortex-console.vercel.app` in `lib/diagnose.mjs`.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsUrlStrings
ManifestNo manifest risk signals triggered.
scanned 25 file(s), 211 KB of source, external domains: cortex-console.vercel.app, www.apple.com

Source & flagged code

3 flagged · loading source
lib/capture.mjsView file
matchType = previous_version_dangerous_delta matchedPackage = @theronap/cortex-mcp@0.9.37 matchedIdentity = npm:QHRoZXJvbmFwL2NvcnRleC1tY3A:0.9.37 similarity = 0.500 summary = stored previous version shares package body but lacks this dangerous source file
High
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

lib/capture.mjsView on unpkg
1import { readFileSync } from 'fs' L2: import { spawn } from 'child_process' L3: import { homedir } from 'os' ... L17: if (!res.ok) return null L18: const j = await res.json().catch(() => ({})) L19: return Array.isArray(j.types) ? j.types : null ... L31: try { L32: if (resolve(String(cwd)) === homedir()) return 'general' L33: } catch { /* unresolvable path — fall through to basename */ } ... L94: // recurse (and re-ingest the summarizer's prompt as a phantom session). Bail immediately. L95: if (process.env.CORTEX_SUMMARIZING) { process.stderr.write('cortex: summarizer subprocess, skipping\n'); return } L96:
Low
Weak Crypto

Package source references weak cryptographic algorithms.

lib/capture.mjsView on unpkg · L1
lib/uninstall.mjsView file
3import { join } from 'path' L4: import { execFileSync } from 'child_process' L5: ... L12: // 6. launchd agent → ~/Library/LaunchAgents/com.cortex.*.plist (unload + remove) L13: // 7. crontab → lines tagged "# cortex ..." L14: // 8. off-switch env → launchctl unsetenv CORTEX_SUMMARIZE_DISABLED (macOS) ... L20: L21: const HOME = homedir() L22: const CLAUDE_JSON = join(HOME, '.claude.json') ... L36: L37: process.stdout.write(dry ? '\nCortex uninstall — DRY RUN (nothing will change):\n\n' : '\nCortex uninstall — removing all wiring…\n\n') L38:
Medium
Install Persistence

Source writes installer persistence such as shell profile or service configuration.

lib/uninstall.mjsView on unpkg · L3

Findings

1 High3 Medium4 Low
HighPrevious Version Dangerous Deltalib/capture.mjs
MediumNetwork
MediumEnvironment Vars
MediumInstall Persistencelib/uninstall.mjs
LowWeak Cryptolib/capture.mjs
LowFilesystem
LowHigh Entropy Strings
LowUrl Strings