
overmind-mcp@3.1.0

Universal multi-model AI agent orchestrator via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context), and support for

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. The confirmed risk is install-time system mutation and MCP configuration creation. Even though much of it is package-aligned setup, the postinstall lifecycle unconditionally performs remote config retrieval and writes an MCP control file under the user's home directory.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
npm install / postinstall
Impact
Can alter the user's AI/MCP control surface and start/install supporting services during package installation.
Mechanism
unconsented lifecycle MCP config write plus shell-based dependency setup
Policy narrative
Installing the package triggers scripts/postinstall.mjs, which checks Docker, may pull/run a pgvector container, fetches .env.example and .mcp.json.example from GitHub, writes them under ~/.overmind, creates ~/.overmind/.mcp.json, and may globally install overmind-postgres-mcp. The MCP file write is an AI-agent control-surface mutation performed during lifecycle installation rather than an explicit setup command.
Rationale
Static source inspection confirms install-time MCP control-surface mutation and command execution outside the package directory; this matches the firewall's concrete blocking category even without credential exfiltration. Package-aligned intent lowers false-positive risk somewhat, but postinstall is not an acceptable place to fetch and install AI/MCP config into the user's home directory. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • scripts/setup.mjs
  • scripts/ngrok-webhook.mjs
  • dist/lib/InstallHelper.js
  • ~/.overmind/.env.example
  • ~/.overmind/.mcp.json.example
  • ~/.overmind/.env
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
Network endpoints (4)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • www.docker.com/products/docker-desktop/
  • docs.docker.com/engine/install/

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • scripts/postinstall.mjs automatically runs on npm install, not just explicit setup.
  • At install time it can run docker pull/run/exec, npm install -g overmind-postgres-mcp, and curl remote files.
  • It writes ~/.overmind/.mcp.json from a remotely fetched .mcp.json.example, creating an MCP control-surface file outside the package.
  • It writes ~/.overmind/.env and ~/.overmind/.env.postgres with service credentials/config.
Evidence against
  • No source evidence of credential harvesting or exfiltration from existing env/files.
  • Network endpoints are mostly package-aligned setup/config/docs and local service URLs.
  • User-invoked bins for ngrok, postgres management, setup, uninstall are visible and aligned with package description.
  • Runtime agent process spawning is core package functionality for an MCP agent orchestrator.
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 87 file(s), 787 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

Location: package.json
package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

Location: package.json
bin/launch.cjs
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

Location: bin/launch.cjs, line 4
dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

Location: dist/lib/InstallHelper.js, line 2
L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

Location: dist/lib/InstallHelper.js, line 1
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L10: * - Copies .env.example → .env
L11: * - Copies .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L228:
L229: mkdirSync(INSTALL_DIR, { recursive: true });
L230:
...
L233: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L234: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L235:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L474: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L475: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L476: if (!authToken) {
...
L498: ANTHROPIC_AUTH_TOKEN: authToken,
L499: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

Location: scripts/postinstall.mjs, line 10
scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

Location: scripts/setup-windows.js, line 55
bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

Location: bin/test_mcp.bat
scripts/ngrok-webhook.mjs
matchType = previous_version_dangerous_delta
matchedPackage = overmind-mcp@3.0.4
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.0.4
similarity = 0.941
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

Location: scripts/ngrok-webhook.mjs

Findings

2 Critical, 5 High, 5 Medium, 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
Critical · Previous Version Dangerous Delta · scripts/ngrok-webhook.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/launch.cjs
High · Shell · dist/lib/InstallHelper.js
High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
High · Runtime Package Install · scripts/setup-windows.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/test_mcp.bat
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings