
overmind-mcp@3.2.3

Universal orchestrator for multi-model AI agents via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM treats this as warn-only first-party agent extension lifecycle risk. Install-time behavior is high-risk but package-aligned: it provisions local MCP/database infrastructure and writes first-party Overmind config. No confirmed malicious exfiltration or foreign AI-agent control hijack was found.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install lifecycle postinstall; later overmind CLI/MCP agent commands
Impact
Unprompted install-time system changes and dangerous agent-runner defaults may expand local AI-agent capability surface.
Mechanism
lifecycle provisioning of local MCP config, Docker services, and global helper package
Policy narrative
Installing the package runs postinstall, which creates ~/.overmind, fetches config templates from the project GitHub, writes MCP/env files, and may start Docker PostgreSQL plus install a helper MCP package globally. The runtime agent system can create Claude/Hermes agent files and launches Claude with a permission-skip default, but these paths appear tied to explicit Overmind agent operations rather than hidden lifecycle hijacking.
Rationale
Source inspection confirms risky lifecycle provisioning and agent-extension behavior, but the writes are package-owned and localhost-oriented with no confirmed credential exfiltration, remote payload execution, or unconsented mutation of a foreign broad AI-agent control surface. This fits warn-level agent extension lifecycle risk rather than publish-block malware.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • .mcp.json.example
  • dist/lib/config.js
  • dist/services/AgentManager.js
  • dist/services/HermesProfileManager.js
  • dist/services/ClaudeRunner.js
  • ~/.overmind/.env.example
  • ~/.overmind/.mcp.json.example
  • ~/.overmind/.env
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
  • <WORKSPACE>/.claude/agents/<name>.md
  • <WORKSPACE>/.claude/settings_<name>.json
  • Hermes profile .env/SOUL.md/config.yaml
Network endpoints (6)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • openrouter.ai/api/v1
  • localhost:3099/mcp
  • localhost:5433/mcp
  • localhost:3141/mcp

Decision evidence

public snapshot
AI called this Suspicious at 83.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • package.json runs postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs downloads .env.example and .mcp.json.example from raw.githubusercontent.com during install
  • scripts/postinstall.mjs writes ~/.overmind/.env, ~/.overmind/.env.postgres, and ~/.overmind/.mcp.json
  • scripts/postinstall.mjs can run docker pull/run and npm install -g overmind-postgres-mcp during lifecycle
  • dist/lib/config.js defaults Claude permissions to --dangerously-skip-permissions for runtime agent execution
  • dist/services/AgentManager.js and HermesProfileManager.js create agent prompts/configs under .claude or Hermes profile directories when invoked
Evidence against
  • No import-time execution found beyond exported modules inspected
  • Lifecycle writes are in the package-owned ~/.overmind namespace rather than Claude/Codex/Cursor global config
  • Bundled .mcp.json.example points to localhost MCP servers only
  • No credential harvesting or external exfiltration path confirmed in inspected source
  • Agent/config writes require user-invoked MCP/CLI operations, not postinstall
Behavioral surface
Source: ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain: HighEntropyStrings, UrlStrings
Manifest: No manifest risk signals triggered.
scanned 88 file(s), 802 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

13 flagged
package.json
  scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

File: package.json

  scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

File: package.json
bin/launch.cjs
  L4:
  L5: const { exec, spawn } = require("child_process");
  L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

File: bin/launch.cjs · L4

  matchType = normalized_sha256
  matchedPackage = overmind-mcp@3.2.2
  matchedPath = bin/launch.cjs
  matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: bin/launch.cjs
dist/lib/InstallHelper.js
  L2: import { promisify } from 'util';
  L3: const execAsync = promisify(exec);
  L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

File: dist/lib/InstallHelper.js · L2

  L1: import { exec } from 'child_process';
  L2: import { promisify } from 'util';
  ...
  L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
  L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
  L11: },
  ...
  L30: versionCmd: 'hermes --version',
  L31: installCmd: process.platform === 'win32'
  L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
  ...
  L82: try {
  L83: const { stdout } = await execAsync(meta.versionCmd);
  L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

File: dist/lib/InstallHelper.js · L1
scripts/postinstall.mjs
  Install-time AI-agent control hijack evidence:
  L10: * - Copies .env.example → .env
  L11: * - Copies .mcp.json.example → .mcp.json
  L12: * ═══════════════════════════════════════════════════════════════════════════════
  ...
  L15: import { execSync, spawn } from 'child_process';
  L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
  L17: import { join } from 'path';
  ...
  L236:
  L237: mkdirSync(INSTALL_DIR, { recursive: true });
  L238:
  ...
  L241: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
  L242: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
  L243:
  Payload evidence from dist/services/AgentManager.js:
  L48: const content = await fs.readFile(mcpPath, 'utf-8');
  L49: const json = JSON.parse(content);
  L50: return Object.keys(json.mcpServers || {});
  ...
  L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
  L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
  L494: if (!authToken) {
  ...
  L516: ANTHROPIC_AUTH_TOKEN: authToken,
  L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',
  …
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

File: scripts/postinstall.mjs · L10
scripts/setup-windows.js
  L55: try {
  L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
  L57: console.log(`✅ Node.js: ${nodeVersion}`);
  ...
  L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
  L69: console.error(' npm install -g pnpm');
  L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

File: scripts/setup-windows.js · L55
bin/test_mcp.bat
  path = bin/test_mcp.bat
  kind = build_helper
  sizeBytes = 170
  magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

File: bin/test_mcp.bat
scripts/verify-install.mjs
  matchType = normalized_sha256
  matchedPackage = overmind-mcp@3.2.2
  matchedPath = scripts/verify-install.mjs
  matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: scripts/verify-install.mjs
dist/services/ClaudeRunner.js
  matchType = normalized_sha256
  matchedPackage = overmind-mcp@3.2.2
  matchedPath = dist/services/ClaudeRunner.js
  matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: dist/services/ClaudeRunner.js
dist/services/KiloRunner.js
  matchType = normalized_sha256
  matchedPackage = overmind-mcp@3.2.2
  matchedPath = dist/services/KiloRunner.js
  matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: dist/services/KiloRunner.js
scripts/auto-install.mjs
  matchType = normalized_sha256
  matchedPackage = overmind-mcp@3.2.2
  matchedPath = scripts/auto-install.mjs
  matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
  similarity = 1.000
  summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

File: scripts/auto-install.mjs

Findings

1 Critical · 10 High · 5 Medium · 5 Low

Severity   Finding                              File
Critical   Ai Agent Control Hijack              scripts/postinstall.mjs
High       Install Time Lifecycle Scripts       package.json
High       Child Process                        bin/launch.cjs
High       Shell                                dist/lib/InstallHelper.js
High       Sandbox Evasion Gated Capability     dist/lib/InstallHelper.js
High       Runtime Package Install              scripts/setup-windows.js
High       Known Malware Source Similarity      scripts/verify-install.mjs
High       Known Malware Source Similarity      bin/launch.cjs
High       Known Malware Source Similarity      dist/services/ClaudeRunner.js
High       Known Malware Source Similarity      dist/services/KiloRunner.js
High       Known Malware Source Similarity      scripts/auto-install.mjs
Medium     Ambiguous Install Lifecycle Script   package.json
Medium     Network                              -
Medium     Environment Vars                     -
Medium     Ships Build Helper                   bin/test_mcp.bat
Medium     Structural Risk Force Deep Review    -
Low        Non Install Lifecycle Scripts        -
Low        Scripts Present                      -
Low        Filesystem                           -
Low        High Entropy Strings                 -
Low        Url Strings                          -