registry  /  @twentytwohundred/2200-cli  /  2026.701.2102

@twentytwohundred/2200-cli@2026.701.2102

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. The package is a CLI-managed AI agent platform with dangerous user-invoked capabilities, but they are aligned with daemon/agent operation and not triggered by installation or import.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User invokes 2200 CLI commands such as daemon start, agent operation, upgrade, OAuth, connector, or tool execution.
Impact
User-authorized agents can run shell commands, access configured credentials, and call configured local/remote services within the product workflow.
Mechanism
Package-aligned AI agent runtime with local daemon, vault, network, and shell tools.
Rationale
Static source inspection found high-risk primitives, but no lifecycle/import-time execution, hidden credential harvesting, persistence outside the declared daemon model, or unaligned exfiltration. The scanner's command-output and listener findings map to explicit agent/daemon features of the CLI product.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/supervisor/bootstrap.jsdist/runtime/install/upgrade-runner.js

Decision evidence

public snapshot
AI called this Clean at 82.0% confidence as Benign with low false-positive risk.
Evidence for block
  • dist/runtime/agent/bootstrap.js exposes shell_run and web_fetch/http tools that can execute commands and fetch URLs when an agent is running.
  • dist/runtime/install/upgrade-runner.js can spawn npm install -g and restart the daemon, but only from explicit upgrade flow env/config.
  • dist/runtime/supervisor/bootstrap.js starts local web/connector services and can bind web host from TWENTYTWOHUNDRED_WEB_HOST.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; bin is explicit CLI dist/cli/main.js and main only reads package version.
  • dist/cli/main.js only parses commands when invoked directly; import does not start daemon or agents.
  • dist/runtime/agent/bootstrap.js requires TWENTYTWOHUNDRED_AGENT_NAME, IDENTITY_PATH, SOCKET_PATH, and HOME before starting.
  • Command execution is a named agent tool bounded to ctx.projectDir, not install-time or import-time behavior.
  • Network endpoints are package-aligned AI/search/OAuth/registry/local services and user-invoked connector calls; no hidden exfil endpoint found.
  • Credentials and OAuth tokens are stored in encrypted package state/vault paths, not harvested broadly at install/import time.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 9 file(s), 4.14 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.x.ai, brave.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

Source & flagged code

6 flagged · loading source
dist/runtime/install/upgrade-runner.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/runtime/install/upgrade-runner.jsView on unpkg · L1
dist/runtime/agent/bootstrap.jsView file
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
dist/runtime/supervisor/bootstrap.jsView file
3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L12: import { fileURLToPath } from 'url'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { McpServer } from '@[redacted].js'; ... L18: import { Buffer as Buffer$1 } from 'buffer'; L19: import { createServer } from 'net'; L20: import fastifyWebsocketImport from '@fastify/websocket'; ... L156: pid: join(root, "pub.pid"), L157: data: join(root, "data"), L158: adminSecret: join(root, "admin.secret"),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
dist/cli/main.jsView file
6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer } from 'net'; L8: import { randomBytes, hkdfSync, createCipheriv, createDecipheriv, createHash, randomUUID, timingSafeEqual, scrypt, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/main.jsView on unpkg · L6
dist/connectors/discord/gateway.cjsView file
path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/connectors/discord/gateway.cjsView on unpkg

Findings

2 Critical4 High3 Medium8 Low
CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
HighChild Processdist/runtime/install/upgrade-runner.js
HighShell
HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
HighOversized Source Filedist/connectors/discord/gateway.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/runtime/agent/bootstrap.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License