registry  /  @t2000/cli  /  5.24.1

@t2000/cli@5.24.1

Agent Wallet for AI agents on Sui — gasless USDC + USDsui sends, Cetus swap, MPP paid API access, MCP integration, scriptable from any shell.

AI Security Review

scanned 5d ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
One or more suspicious static signals were detected.; previous stored version diff introduced dangerous source
Trigger
User runs `t2 mcp install`, `t2 skills install`, or starts the MCP server/prompts.
Impact
AI clients may gain t2000 wallet/payment tools and t2000-provided prompts after explicit CLI setup; spending limits are documented and enforced for writes.
Mechanism
user-invoked AI-client MCP/skill configuration and payment-capable agent tools
Policy narrative
The package is an AI-agent wallet CLI. It can explicitly configure MCP clients and install skill prompts, including remote/live t2000 skill text, enabling an AI client to use wallet/payment tools. This is dangerous agent-facing capability, but inspection did not find install-time hooks, stealth mutation, credential exfiltration, or broad unconsented control-surface writes.
Rationale
Source inspection shows package-aligned wallet/MCP behavior with explicit CLI triggers, no lifecycle scripts, and no concrete exfiltration or hidden persistence. Because it installs agent prompts/configs and exposes payment-capable MCP tools, warn rather than block.
Evidence
package.jsondist/index.jsdist/dist-57KQG4RN.js~/Library/Application Support/Claude/claude_desktop_config.json~/.cursor/mcp.json~/.codeium/windsurf/mcp_config.json.agents/skills~/.agents/skills.cursor/rules~/.cursor/rules.claude/skills~/.claude/skills~/.t2000/wallet.key
Network endpoints8
t2000.ai/.well-known/agent-skills/index.jsont2000.ai/skillsapi.t2000.ai/v1mpp.t2000.aifullnode.mainnet.sui.io:443graphql.mainnet.sui.io/graphqlpccs.phala.networkapi.trustedservices.intel.com

Decision evidence

public snapshot
AI called this Suspicious at 86.0% confidence as Dangerous Capability with medium false-positive risk.
Evidence for warning
  • dist/index.js exposes user-invoked `t2 mcp install` that writes t2000 MCP entries into Claude Desktop, Cursor, and Windsurf configs.
  • dist/index.js exposes `t2 skills install` that fetches remote skills and can write `.agents/skills`, `.cursor/rules`, or `.claude/skills`.
  • dist/dist-57KQG4RN.js MCP prompts can fetch live skill text from `https://t2000.ai/skills` unless `T2000_SKILLS_OFFLINE=1`.
  • Baked setup prompt instructs agents to route paid external API use through `t2000_pay`, creating agent-facing payment capability risk.
Evidence against
  • package.json has no npm lifecycle hooks; activation is CLI/bin use, not install-time execution.
  • MCP and skill writes are explicit subcommands, not hidden import-time or install-time mutations.
  • Network endpoints are package-aligned t2000/Sui/verification services for wallet, model, MCP, and skill features.
  • Wallet key is generated/imported locally to `~/.t2000/wallet.key` with mode 0600; no source evidence of credential harvesting/exfiltration.
  • child_process findings are bundled commander behavior or MCP subprocess configuration, not unsolicited process execution.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsFilesystemNetworkShell
Supply chain
HighEntropyStringsMinifiedObfuscatedUrlStrings
ManifestNo manifest risk signals triggered.
scanned 14 file(s), 4.76 MB of source, external domains: accounts.google.com, agents.t2000.ai, api-sui.cetus.zone, api.example.com, api.t2000.ai, api.trustedservices.intel.com, crypto.stackexchange.com, developers.t2000.ai, docs.sui.io, eprint.iacr.org, example.com, fullnode.mainnet.sui.io, fullnode.testnet.sui.io, github.com, graphql.mainnet.sui.io, hermes.pyth.network, hyperelliptic.org, mainnet.mvr.mystenlabs.com, mpp.t2000.ai, my-agent.example, nodejs.org, pccs.phala.network, suiscan.xyz, suspicious-site.com, t2000.ai, testnet.mvr.mystenlabs.com, www.w3.org, x.com, x402.t2000.ai
Oversized source lightweight scan
dist/dist-57KQG4RN.js4.12 MB file, sampled 256 KB
FilesystemNetworkEnvironmentVarsCryptoHighEntropyStringsUrlStringsagents.t2000.aiapi.example.comapi.t2000.aidevelopers.t2000.aidocs.sui.ioexample.commpp.t2000.aimy-agent.examplenodejs.orgsuiscan.xyzsuspicious-site.comt2000.aix.comx402.t2000.ai

Source & flagged code

6 flagged · loading source
dist/chunk-R6QER65C.jsView file
1333*/ L1334: fork() { L1335: this.stack.push({ chunks: this.chunks, buf: this.buf });
High
Child Process

Package source references child process execution.

dist/chunk-R6QER65C.jsView on unpkg · L1333
dist/index.jsView file
matchType = previous_version_dangerous_delta matchedPackage = @t2000/cli@5.23.0 matchedIdentity = npm:QHQyMDAwL2NsaQ:5.23.0 similarity = 0.929 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/index.jsView on unpkg
2054} L2055: const execArgv = process5.execArgv ?? []; L2056: if (execArgv.includes("-e") || execArgv.includes("--eval") || execArgv.includes("-p") || execArgv.includes("--print")) {
High
Shell

Package source references shell execution.

dist/index.jsView on unpkg · L2054
1Cross-file remote execution chain: dist/index.js spawns dist/chunk-R6QER65C.js; helper contains network access plus dynamic code execution. L1: #!/usr/bin/env node L2: import { createRequire as __createRequire } from 'module'; import { fileURLToPath as __fileURLToPath } from 'url'; import { dirname as __pathDirname } from 'path'; const require = ... L3: import { ... L30: deriveDynamicFieldID, L31: fromBase64 as fromBase642, L32: suiBcs, ... L99: * Constructs the CommanderError class L100: * @param {number} exitCode suggested exit code which could be used with process.exit L101: * @param {string} code an id string representing the error ... L1214: var EventEmitter2 = __require("events").EventEmitter; L1215: var childProcess = __require("child_process"); L1216: var path2 = __require("path");
High
Cross File Remote Execution Context

Source spawns a local helper that also contains network and dynamic execution context; review data flow before blocking.

dist/index.jsView on unpkg · L1
dist/src-FIYSHJR4.jsView file
1import { createRequire as __createRequire } from 'module'; import { fileURLToPath as __fileURLToPath } from 'url'; import { dirname as __pathDirname } from 'path'; const require = ... L2: import { ... L92: var PLATFORM_ISSUER_ID = "platform"; L93: var TRUSTED_ROOT_CA_DER_BASE64 = "[redacted]... L94: var TRUSTED_ROOT_CA_DER = Buffer2.from(TRUSTED_ROOT_CA_DER_BASE64, "base64"); ... L279: reserved4: reader.readBytes(60), L280: reportData: reader.readBytes(64) L281: }); ... L4232: 2: "context", L4233: 3: "private" L4234: }; ... L6614: bugs: {
High
Base64 Obscured Url

Source decodes a Base64-obscured HTTP endpoint at runtime.

dist/src-FIYSHJR4.jsView on unpkg · L1
dist/dist-57KQG4RN.jsView file
path = dist/dist-57KQG4RN.js kind = oversized_source_file sizeBytes = 4315507 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/dist-57KQG4RN.jsView on unpkg

Findings

1 Critical5 High3 Medium5 Low
CriticalPrevious Version Dangerous Deltadist/index.js
HighChild Processdist/chunk-R6QER65C.js
HighShelldist/index.js
HighCross File Remote Execution Contextdist/index.js
HighBase64 Obscured Urldist/src-FIYSHJR4.js
HighOversized Source Filedist/dist-57KQG4RN.js
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowFilesystem
LowObfuscated
LowHigh Entropy Strings
LowUrl Strings