
overmind-mcp@3.2.5

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. The package has a high-risk lifecycle installer that mutates the user's home environment and starts/installs infrastructure without an explicit CLI action. The observed AI-agent control files are package-owned under ~/.overmind, so this is a guarded platform extension lifecycle risk rather than confirmed hijack of a foreign agent surface.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install / npm install -g lifecycle postinstall
Impact
Can create persistent local infrastructure and package-owned MCP config during installation; later user-invoked agent runs may spawn Claude with permission prompts disabled by default.
Mechanism
install-time shell orchestration, remote config download, Docker service setup, and package-owned MCP config generation
Policy narrative
On install, postinstall.mjs can create ~/.overmind, fetch config templates from the package GitHub main branch, create .env/.env.postgres/.mcp.json, install overmind-postgres-mcp globally, and start a Docker pgvector container with restart policy. The generated MCP config points to local Overmind/Postgres/Discord MCP HTTP endpoints. Runtime agent execution can spawn Claude with --dangerously-skip-permissions unless overridden.
Rationale
The package performs risky install-time setup of AI-agent infrastructure, but the confirmed control-surface writes are confined to its own ~/.overmind namespace and align with the package's MCP orchestrator purpose. This warrants a warn for lifecycle extension risk, not a publish block for foreign AI-agent control hijack or malware exfiltration.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • .mcp.json.example
  • dist/lib/config.js
  • dist/services/ClaudeRunner.js
  • ~/.overmind/.env.example
  • ~/.overmind/.mcp.json.example
  • ~/.overmind/.env
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
Network endpoints (7)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • www.docker.com/products/docker-desktop/
  • docs.docker.com/engine/install/
  • localhost:3099/mcp
  • localhost:5433/mcp
  • localhost:3141/mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs executes shell commands during install: docker pull/run, docker exec, and npm install -g overmind-postgres-mcp.
  • scripts/postinstall.mjs downloads .env.example and .mcp.json.example from GitHub main at install time and writes them under ~/.overmind.
  • scripts/postinstall.mjs creates ~/.overmind/.mcp.json from downloaded content, defining MCP servers for local HTTP endpoints.
  • dist/lib/config.js defaults ClaudeRunner permissions to --dangerously-skip-permissions when user invokes Claude agent runs.
Evidence against
  • Install-time config is written under the package-owned ~/.overmind namespace, not directly to project .mcp.json, Claude/Codex/Cursor settings, or shell startup files.
  • No credential exfiltration endpoint found; env/key handling is for local config validation and spawning configured agents.
  • Agent runners and MCP endpoints are package-aligned orchestration functionality and mostly user-invoked after install.
  • Agent names used in runner file paths are validated against path traversal.
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 88 file(s), 802 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

13 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

File: package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

File: package.json
bin/launch.cjs
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

File: bin/launch.cjs · L4
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = bin/launch.cjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: bin/launch.cjs
dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

File: dist/lib/InstallHelper.js · L2
L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

File: dist/lib/InstallHelper.js · L1
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L10: * - Copies .env.example → .env
L11: * - Copies .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L236:
L237: mkdirSync(INSTALL_DIR, { recursive: true });
L238:
...
L241: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L242: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L243:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L494: if (!authToken) {
...
L516: ANTHROPIC_AUTH_TOKEN: authToken,
L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

File: scripts/postinstall.mjs · L10
scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

File: scripts/setup-windows.js · L55
bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

File: bin/test_mcp.bat
scripts/verify-install.mjs
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = scripts/verify-install.mjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: scripts/verify-install.mjs
dist/services/ClaudeRunner.js
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = dist/services/ClaudeRunner.js
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: dist/services/ClaudeRunner.js
dist/services/KiloRunner.js
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = dist/services/KiloRunner.js
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: dist/services/KiloRunner.js
scripts/auto-install.mjs
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = scripts/auto-install.mjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: scripts/auto-install.mjs

Findings

1 Critical · 10 High · 5 Medium · 5 Low
  • Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
  • High · Install Time Lifecycle Scripts · package.json
  • High · Child Process · bin/launch.cjs
  • High · Shell · dist/lib/InstallHelper.js
  • High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
  • High · Runtime Package Install · scripts/setup-windows.js
  • High · Known Malware Source Similarity · scripts/verify-install.mjs
  • High · Known Malware Source Similarity · bin/launch.cjs
  • High · Known Malware Source Similarity · dist/services/ClaudeRunner.js
  • High · Known Malware Source Similarity · dist/services/KiloRunner.js
  • High · Known Malware Source Similarity · scripts/auto-install.mjs
  • Medium · Ambiguous Install Lifecycle Script · package.json
  • Medium · Network
  • Medium · Environment Vars
  • Medium · Ships Build Helper · bin/test_mcp.bat
  • Medium · Structural Risk Force Deep Review
  • Low · Non Install Lifecycle Scripts
  • Low · Scripts Present
  • Low · Filesystem
  • Low · High Entropy Strings
  • Low · Url Strings