overmind-mcp@3.2.6

Universal multi-model AI agent orchestrator via MCP. Includes the 'Custom-Nickname' protocol for identifying your agents with original nicknames (The Chaos Prophet, Shadow Sniper, etc.), memory isolation (Private Memory Context) and support for

AI Security Review

scanned 5h ago · by lpm-firewall-ai

LPM blocks this version under the AI-agent control-surface policy. Install-time code mutates a user-home MCP control file and installs/starts supporting services without an explicit user command. The package also defaults Claude runner execution to permission skipping at runtime.

Static reason
High-risk behavior combination matched malicious policy; source matched previously finalized malicious package; routed for review
Trigger
npm install / npm install -g lifecycle postinstall
Impact
Can register package-supplied MCP configuration and persistent local services in the user's home environment before the user invokes the CLI.
Mechanism
unconsented lifecycle creation of MCP config plus service installation
Policy narrative
Installing the package runs scripts/postinstall.mjs automatically. That script creates ~/.overmind, downloads a remote .mcp.json.example from GitHub, writes ~/.overmind/.mcp.json, globally installs overmind-postgres-mcp, and starts a Docker pgvector container with restart policy. The runtime config then launches Claude with --dangerously-skip-permissions by default when users invoke agent runs.
Rationale
The decisive issue is lifecycle-triggered mutation of a home MCP control surface and service setup, not scanner similarity alone. Under the install-control-surface policy, unconsented postinstall creation of .mcp.json is blockable even if the content is package-aligned.
Evidence
  • package.json
  • scripts/postinstall.mjs
  • dist/lib/config.js
  • dist/services/ClaudeRunner.js
  • ~/.overmind/.env.example
  • ~/.overmind/.mcp.json.example
  • ~/.overmind/.env
  • ~/.overmind/.env.postgres
  • ~/.overmind/.mcp.json
Network endpoints (3)
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example
  • raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example
  • pgvector/pgvector:pg16

Decision evidence

public snapshot
AI called this Malicious at 93.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for policy block
  • package.json defines postinstall: node scripts/postinstall.mjs
  • scripts/postinstall.mjs lifecycle writes ~/.overmind/.mcp.json from package-fetched config
  • scripts/postinstall.mjs downloads mutable config from raw.githubusercontent.com during install
  • scripts/postinstall.mjs runs npm install -g overmind-postgres-mcp during install
  • scripts/postinstall.mjs starts Docker pgvector container with --restart unless-stopped
  • dist/lib/config.js defaults Claude permissions to --dangerously-skip-permissions
Evidence against
  • Writes target ~/.overmind package namespace rather than obvious Claude/Cursor home config
  • Agent names are validated before per-agent .claude file paths
  • Runtime runner spawning appears tied to explicit MCP/CLI agent actions
  • No direct credential exfiltration endpoint found in inspected source
Behavioral surface
Source
ChildProcess, Crypto, EnvironmentVars, Filesystem, Network, Shell
Supply chain
HighEntropyStrings, UrlStrings
Manifest
No manifest risk signals triggered.
scanned 88 file(s), 803 KB of source, external domains: 127.0.0.1, api.anthropic.com, api.minimax.com, api.minimax.io, api.minimaxi.com, api.telegram.org, api.z.ai, deamondev888.github.io, discord.gg, docs.docker.com, github.com, openrouter.ai, podman.io, raw.githubusercontent.com, www.docker.com, www.npmjs.com, www.trae.ai, www.w3.org

Source & flagged code

13 flagged
package.json
scripts.postinstall = node scripts/postinstall.mjs
High
Install Time Lifecycle Scripts

Package defines install-time lifecycle scripts.

package.json
scripts.postinstall = node scripts/postinstall.mjs
Medium
Ambiguous Install Lifecycle Script

Install-time lifecycle script is not statically allowlisted and needs review.

package.json
bin/launch.cjs
L5: const { exec, spawn } = require("child_process");
L6: const fs = require("fs");
High
Child Process

Package source references child process execution.

bin/launch.cjs · L4
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = bin/launch.cjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

bin/launch.cjs
dist/lib/InstallHelper.js
L2: import { promisify } from 'util';
L3: const execAsync = promisify(exec);
L4: export const CLIS_METADATA = {
High
Shell

Package source references shell execution.

dist/lib/InstallHelper.js · L2
L1: import { exec } from 'child_process';
L2: import { promisify } from 'util';
...
L9: installCmd: 'npm install -g @anthropic-ai/claude-code',
L10: url: 'https://www.npmjs.com/package/@anthropic-ai/claude-code',
L11: },
...
L30: versionCmd: 'hermes --version',
L31: installCmd: process.platform === 'win32'
L32: ? 'powershell -Command "irm https://raw.githubusercontent.com/NousResearch/hermes-agent/main/scripts/install.ps1 | iex"'
...
L82: try {
L83: const { stdout } = await execAsync(meta.versionCmd);
L84: const version = stdout.trim();
High
Sandbox Evasion Gated Capability

Source gates dangerous network, credential, or execution behavior behind CI, host, platform, time, or geo fingerprint checks.

dist/lib/InstallHelper.js · L1
scripts/postinstall.mjs
Install-time AI-agent control hijack evidence:
L10: * - Copy .env.example → .env
L11: * - Copy .mcp.json.example → .mcp.json
L12: * ═══════════════════════════════════════════════════════════════════════════════
...
L15: import { execSync, spawn } from 'child_process';
L16: import { existsSync, mkdirSync, writeFileSync, readFileSync } from 'fs';
L17: import { join } from 'path';
...
L239:
L240: mkdirSync(INSTALL_DIR, { recursive: true });
L241:
...
L244: const envExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.env.example';
L245: const mcpExampleUrl = 'https://raw.githubusercontent.com/DeamonDev888/overmind-mcp/main/.mcp.json.example';
L246:
Payload evidence from dist/services/AgentManager.js:
L48: const content = await fs.readFile(mcpPath, 'utf-8');
L49: const json = JSON.parse(content);
L50: return Object.keys(json.mcpServers || {});
...
L492: // Resolve auth token: prefer ANTHROPIC_AUTH_TOKEN, fallback to any ANTHROPIC_AUTH_TOKEN_<N>
L493: let authToken = process.env.ANTHROPIC_AUTH_TOKEN;
L494: if (!authToken) {
...
L516: ANTHROPIC_AUTH_TOKEN: authToken,
L517: ANTHROPIC_BASE_URL: process.env.ANTHROPIC_BASE_URL || 'https://api.anthropic.com',…
Critical
Ai Agent Control Hijack

Install-time source drops package-supplied AI-agent/MCP control files or instructions.

scripts/postinstall.mjs · L10
scripts/setup-windows.js
L55: try {
L56: const nodeVersion = execSync('node --version', { encoding: 'utf8' }).trim();
L57: console.log(`✅ Node.js: ${nodeVersion}`);
...
L68: console.error('❌ pnpm non trouvé. Installez pnpm:');
L69: console.error(' npm install -g pnpm');
L70: return false;
High
Runtime Package Install

Package source invokes a package manager install command at runtime.

scripts/setup-windows.js · L55
bin/test_mcp.bat
path = bin/test_mcp.bat
kind = build_helper
sizeBytes = 170
magicHex = [redacted]
Medium
Ships Build Helper

Package ships non-JavaScript build or shell helper files.

bin/test_mcp.bat
scripts/verify-install.mjs
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = scripts/verify-install.mjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/verify-install.mjs
dist/services/ClaudeRunner.js
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = dist/services/ClaudeRunner.js
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/ClaudeRunner.js
dist/services/KiloRunner.js
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = dist/services/KiloRunner.js
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

dist/services/KiloRunner.js
scripts/auto-install.mjs
matchType = normalized_sha256
matchedPackage = overmind-mcp@3.2.2
matchedPath = scripts/auto-install.mjs
matchedIdentity = npm:b3Zlcm1pbmQtbWNw:3.2.2
similarity = 1.000
summary = normalized source hash matched finalized malicious source
High
Known Malware Source Similarity

Source file is highly similar to a previously finalized malicious package; route for source-aware review.

scripts/auto-install.mjs

Findings

1 Critical · 10 High · 5 Medium · 5 Low
Critical · Ai Agent Control Hijack · scripts/postinstall.mjs
High · Install Time Lifecycle Scripts · package.json
High · Child Process · bin/launch.cjs
High · Shell · dist/lib/InstallHelper.js
High · Sandbox Evasion Gated Capability · dist/lib/InstallHelper.js
High · Runtime Package Install · scripts/setup-windows.js
High · Known Malware Source Similarity · scripts/verify-install.mjs
High · Known Malware Source Similarity · bin/launch.cjs
High · Known Malware Source Similarity · dist/services/ClaudeRunner.js
High · Known Malware Source Similarity · dist/services/KiloRunner.js
High · Known Malware Source Similarity · scripts/auto-install.mjs
Medium · Ambiguous Install Lifecycle Script · package.json
Medium · Network
Medium · Environment Vars
Medium · Ships Build Helper · bin/test_mcp.bat
Medium · Structural Risk Force Deep Review
Low · Non Install Lifecycle Scripts
Low · Scripts Present
Low · Filesystem
Low · High Entropy Strings
Low · Url Strings