
overmind-mcp@3.0.4

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 4d ago · by lpm-firewall-ai

Install-time behavior is aggressive and mutable (global npm installs, Docker image pulls, curl fetches of configuration from a GitHub main branch) but aligned with the package's advertised Docker/PostgreSQL setup. No confirmed malicious exfiltration or unconsented AI-agent hijack was established.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
npm install (postinstall hook); later, user-invoked MCP tools
Impact
Can install global dependencies, start Docker services, and write ~/.overmind config during install; runtime MCP tools can spawn configured local agent CLIs when invoked.
Mechanism
install-time Docker/npm/curl setup plus runtime agent orchestration
Rationale
The package has high-risk install-time side effects and mutable remote configuration downloads, so a warning is warranted. Source inspection did not show concrete malicious behavior such as credential exfiltration, hidden persistence, destructive actions, or unconsented mutation of external AI-agent control files. Because .env.example and .mcp.json.example are fetched from the repository's main branch rather than shipped in the 3.0.4 tarball, their contents can change after publication without a new version being released; this review covers what was inspected at scan time, not what a later install will receive.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • dist/bin/cli.js
  • dist/lib/InstallHelper.js
  • dist/server.js
  • dist/tools/run_agent.js
  • dist/tools/manage_agents.js
  • bin/launch.cjs
  • ~/.overmind/.env
  • ~/.overmind/.env.example
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
  • ~/.overmind/.mcp.json.example
Network endpoints (4)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.sh
  • raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1

Decision evidence

public snapshot
AI called this Suspicious at 78.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs runs docker pull/run, curl, and npm install -g overmind-postgres-mcp at install time
  • scripts/postinstall.mjs downloads mutable config from raw.githubusercontent.com into ~/.overmind
  • dist/bin/cli.js exposes MCP tools that can spawn local AI CLIs via run_agent when invoked
Evidence against
  • No credential harvesting or exfiltration found in inspected files
  • dist/bin/cli.js env handling formats/loads local .env rather than transmitting secrets
  • HTTP server defaults to localhost and refuses non-loopback HTTP without SSL
  • Agent config writes are user-invoked MCP tools with name/path validation
  • No obfuscated payloads, native binary loaders, or import-time remote code execution found
Behavioral surface
Source
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 86 file(s), 776 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

8 flagged

package.json
  scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json

package.json
  scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json
bin/launch.cjs
  L5: const { exec, spawn } = require("child_process");
  L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

Location: bin/launch.cjs, L4
dist/lib/InstallHelper.js
  L2: import { promisify } from 'util';
  L3: const execAsync = promisify(exec);
  L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

Location: dist/lib/InstallHelper.js, L2

dist/lib/InstallHelper.js
  L1: import { exec } from 'child_process';
  L2: import { promisify } from 'util';
  ...
  L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
  L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
  L11: },
  ...
  L30: versionCmd: 'hermes --version',
  L31: installCmd: process.platform === 'win32'
  L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
  ...
  L82: try {
  L83: const { stdout } = await execAsync(meta.versionCmd);
  L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks. In this file the gate is the process.platform === 'win32' check at L31, which selects the hermes-agent install one-liner for Windows (install.ps1 piped into iex); the other branch is not shown in the excerpt, but the endpoint list above includes the matching install.sh. This is per-platform installer selection rather than sandbox evasion; the part worth reviewing is that the command pipes a mutable remote script into a shell, and that it is executed through execAsync only when the corresponding agent install is requested.

Location: dist/lib/InstallHelper.js, L1
scripts/postinstall.mjs
  Install-time AI-agent control hijack evidence:
  L10: * - Copies .env.example → .env
  L11: * - Copies .mcp.json.example → .mcp.json
  L12: * ═══════════════════════════════════════════════════════════════════════════════
  ...
  L15: import { execSync, spawn } from 'child_process';
  L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
  L17: import { join } from 'path';
  ...
  L228:
  L229: mkdirSync(INSTALL_DIR, { recursive: true });
  L230:
  ...
  L233: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
  L234: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
  L235:
  Payload evidence from dist/services/AgentManager.js:
  L48: const content = await fs.readFile(mcpPath, 'utf-8');
  L49: const json = JSON.parse(content);
  L50: return Object.keys(json.mcpServers || {});
  ...
  L474: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
  L475: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
  L476: if (!authToken) {
  ...
  L498: ANTHROPIC_AUTH_TOKEN: authToken,
  L499: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions. In this package, postinstall creates ~/.overmind and populates it with .env and .mcp.json copied from the .env.example and .mcp.json.example fetched from the repository's main branch; at runtime AgentManager reads the mcpServers keys from an MCP config file (mcpPath) and passes ANTHROPIC_AUTH_TOKEN (or an ANTHROPIC_AUTH_TOKEN_<N> fallback) from the environment to the agents it spawns. The dropped files live under the package's own ~/.overmind directory; the source inspection summarized above found no writes to other agents' control files.

Location: scripts/postinstall.mjs, L10
scripts/setup-windows.js
  L55: try {
  L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
  L57: console.log(`✅ Node.js: ${nodeVersion}`);
  ...
  L68: console.error('❌ pnpm non trouvé. Installez pnpm:');   // "pnpm not found. Install pnpm:"
  L69: console.error(' npm install -g pnpm');
  L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime. The excerpt shows execSync('node --version') as a toolchain check and 'npm install -g pnpm' printed as an instruction to the user when pnpm is missing; whether the script itself executes an install command is not visible in this excerpt.

Location: scripts/setup-windows.js, L55
bin/test_mcp.bat
  path = bin/test_mcp.bat
  kind = build_helper
  sizeBytes = 170
  magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Location: bin/test_mcp.bat

Findings

1 Critical · 5 High · 5 Medium · 5 Low

Critical
  • Ai Agent Control Hijack (scripts/postinstall.mjs)
High
  • Install Time Lifecycle Scripts (package.json)
  • Child Process (bin/launch.cjs)
  • Shell (dist/lib/InstallHelper.js)
  • Sandbox Evasion Gated Capability (dist/lib/InstallHelper.js)
  • Runtime Package Install (scripts/setup-windows.js)
Medium
  • Ambiguous Install Lifecycle Script (package.json)
  • Network
  • Environment Vars
  • Ships Build Helper (bin/test_mcp.bat)
  • Structural Risk Force Deep Review
Low
  • Non Install Lifecycle Scripts
  • Scripts Present
  • Filesystem
  • High Entropy Strings
  • Url Strings