
overmind-mcp@3.2.0

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol to identify your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 2d ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time lifecycle performs remote fetches and writes an MCP control file under the user's home directory. It also starts package-managed infrastructure and installs another global npm package without a separate explicit setup command.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source
Trigger
npm install / npm install -g runs postinstall
Impact
Unconsented lifecycle mutation of MCP/AI-agent control surface and host services at install time.
Mechanism
postinstall remote MCP config drop and system setup commands
Policy narrative
On package installation, npm executes scripts/postinstall.mjs. The script downloads package-controlled config from GitHub, writes .env and .mcp.json files under ~/.overmind, installs overmind-postgres-mcp globally, and starts Docker PostgreSQL/pgvector infrastructure. Because .mcp.json is an AI/MCP control-surface file and is created from remote content during lifecycle execution, this is an unconsented install-time control-surface mutation rather than merely user-invoked setup.
Rationale
The package has substantial legitimate MCP orchestration functionality, but the automatic postinstall performs remote MCP config writes and host setup side effects without requiring an explicit setup command. That crosses the firewall boundary for lifecycle AI-agent control-surface mutation. Product guard normalized a non-low false-positive publish_block request to warn-only suspicious.
Evidence
package.json
scripts/postinstall.mjs
dist/lib/config.js
dist/services/AgentManager.js
.mcp.json.example
~/.overmind/.env.example
~/.overmind/.mcp.json.example
~/.overmind/.env
~/.overmind/.env.postgres
~/.overmind/.mcp.json
Network endpoints (4)
raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
pgvector/pgvector:pg16
overmind-postgres-mcp

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs downloads remote .mcp.json.example with curl during install
  • scripts/postinstall.mjs writes ~/.overmind/.mcp.json from downloaded MCP config
  • scripts/postinstall.mjs runs docker pull/run and npm install -g overmind-postgres-mcp during install
  • dist/lib/config.js defaults Claude permissions to --dangerously-skip-permissions for runtime agents
Evidence against
  • No obfuscated payloads or encoded strings found in inspected sources
  • No confirmed credential exfiltration path; env handling mostly local config/read/write
  • Agent profile and .claude writes in dist/services/AgentManager.js are user-invoked tool actions
  • Network endpoints are mostly package-aligned GitHub, Docker, npm, localhost, and provider URLs
Behavioral surface
Source
Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain
High Entropy Strings, URL Strings
Manifest
No manifest risk signals triggered.
scanned 88 file(s), 799 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/launch.cjs
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

bin/launch.cjs · L4
dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

dist/lib/InstallHelper.js · L2
L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/InstallHelper.js · L1
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence (scripts/postinstall.mjs):
L10: * - Copy .env.example → .env
L11: * - Copy .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L229:
L230: mkdirSync(INSTALL_DIR, { recursive: true });
L231:
...
L234: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L235: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L236:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L494: if (!authToken) {
...
L516: ANTHROPIC_AUTH_TOKEN: authToken,
L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',
…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L10
scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/setup-windows.js · L55
bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/test_mcp.bat
scripts/verify-install.mjs
matchType = previous_version_dangerous_delta
matchedPackage = overmind-mcp@3.1.0
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.1.0
similarity = 0.698
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version.

scripts/verify-install.mjs

Findings

2 Critical · 5 High · 5 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
Critical · Previous Version Dangerous Delta · scripts/verify-install.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/launch.cjs
High · Shell · dist/lib/InstallHelper.js
High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
High · Runtime Package Install · scripts/setup-windows.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/test_mcp.bat
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings