overmind-mcp@3.2.2

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 4h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates an MCP control surface and starts persistent local services without an explicit user command. It also fetches mutable remote configuration and globally installs another npm package during lifecycle execution.

Static reason
High-risk behavior combination matched malicious policy; previous stored version diff introduced dangerous source.
Trigger
npm install / npm install -g overmind-mcp
Impact
Unconsented agent/MCP registration and persistent local service changes in the user's home/system environment.
Mechanism
postinstall MCP config drop plus persistent Docker/global package setup
Policy narrative
The npm postinstall script automatically runs on package installation. It creates ~/.overmind config files, downloads .env and .mcp.json examples from GitHub main, writes an MCP server configuration, globally installs overmind-postgres-mcp, and starts a Docker PostgreSQL/pgvector container with restart persistence. This is package-aligned functionality, but it is delivered through an unconsented lifecycle hook into an AI-agent/MCP control surface with persistent environment changes.
Rationale
Static inspection confirms lifecycle-triggered MCP configuration mutation plus persistent service/global install behavior, which matches the firewall policy for unconsented AI-agent control-surface mutation. Lack of observed exfiltration lowers the malware family scope but does not remove the blockable install-time control hijack behavior.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • .mcp.json.example
  • dist/bin/cli.js
  • dist/lib/InstallHelper.js
  • ~/.overmind/.env
  • ~/.overmind/.env.example
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
  • ~/.overmind/.mcp.json.example
Network endpoints (5)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • localhost:3099/mcp
  • localhost:5433/mcp
  • localhost:3141/mcp

Decision evidence

public snapshot
AI called this Malicious at 92.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json runs postinstall: node scripts/postinstall.mjs.
  • scripts/postinstall.mjs lifecycle writes ~/.overmind/.mcp.json from downloaded .mcp.json.example.
  • scripts/postinstall.mjs downloads mutable config from raw.githubusercontent.com during install.
  • scripts/postinstall.mjs runs npm install -g overmind-postgres-mcp during install.
  • scripts/postinstall.mjs starts Docker pgvector container with --restart unless-stopped at install time.
  • .mcp.json.example registers local MCP servers including memory, postgres, and serveur_discord.
Evidence against
  • Writes are mostly under ~/.overmind, a package-named directory.
  • No confirmed credential exfiltration or destructive file deletion found in inspected files.
  • Network endpoints are package/config dependency aligned rather than arbitrary C2.
  • dist/bin/cli.js env-token handling appears to classify/local-format .env content, not transmit it.
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 88 file(s), 799 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

9 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json

bin/launch.cjs
L4:
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

bin/launch.cjs · L4

dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

dist/lib/InstallHelper.js · L2

L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/InstallHelper.js · L1

scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L10: * - Copy .env.example → .env
L11: * - Copy .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L236:
L237: mkdirSync(INSTALL_DIR, { recursive: true });
L238:
...
L241: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L242: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L243:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L494: if (!authToken) {
...
L516: ANTHROPIC_AUTH_TOKEN: authToken,
L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L10

matchType = previous_version_dangerous_delta
matchedPackage = overmind-mcp@3.2.1
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.1
similarity = 0.989
summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

scripts/postinstall.mjs

scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/setup-windows.js · L55

bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/test_mcp.bat

Findings

2 Critical · 5 High · 5 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
Critical · Previous Version Dangerous Delta · scripts/postinstall.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/launch.cjs
High · Shell · dist/lib/InstallHelper.js
High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
High · Runtime Package Install · scripts/setup-windows.js
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/test_mcp.bat
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings