registry  /  @twentytwohundred/2200-cli  /  2026.702.2218

@twentytwohundred/2200-cli@2026.702.2218

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package contains powerful user-invoked agent runtime capabilities, but they align with the advertised CLI/daemon product and are not triggered at install or import time.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the 2200 CLI, starts the daemon, creates agents, or enables connector/web/OAuth features.
Impact
Authorized agents can run commands, make network requests, and store/use local credentials within the configured 2200 home; no unconsented install-time behavior observed.
Mechanism
User-invoked local AI agent runtime with shell, web, daemon, vault, and connector capabilities.
Rationale
Static source inspection shows a legitimate agent-hosting CLI with dangerous but explicit runtime features, no lifecycle hook execution, and no concrete credential harvesting or exfiltration outside package-aligned workflows. The scanner’s command-output and listener findings map to user-invoked agent tools and authenticated local/connector services rather than covert malware behavior.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/supervisor/bootstrap.jsdist/runtime/install/upgrade-runner.js
Network endpoints12
api.anthropic.comapi.openai.comapi.deepseek.comapi.moonshot.aiopenrouter.ai/apiapi.x.aigenerativelanguage.googleapis.comapi.search.brave.com/res/v1/web/searchwww.googleapis.com/customsearch/v1register.openscut.ai127.0.0.1localhost:11434/v1

Decision evidence

public snapshot
AI called this Clean at 86.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/runtime/agent/bootstrap.js defines user/agent tools shell_run and web_fetch that can execute shell commands and fetch URLs.
  • dist/runtime/supervisor/bootstrap.js can spawn detached supervisor and agent processes when daemon commands are used.
  • dist/runtime/mcp connector listener in dist/runtime/supervisor/bootstrap.js defaults to host 0.0.0.0 but requires bearer/OAuth auth.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hooks; only bin 2200 and main entrypoints.
  • dist/index.js only reads package.json to export VERSION.
  • dist/cli/main.js top-level freshness check only inspects local dist/src mtimes in dev trees; no network or command execution.
  • Network endpoints are expected for an AI agent platform: OpenAI/Anthropic/DeepSeek/Moonshot/OpenRouter/xAI/Gemini, search APIs, OAuth, local supervisor endpoints.
  • Credential/env access is modeled as encrypted local vault and explicit runtime env loading, not broad harvesting/exfiltration.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 9 file(s), 4.15 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.x.ai, brave.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, nodejs.org, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

Source & flagged code

6 flagged · loading source
dist/runtime/install/upgrade-runner.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/runtime/install/upgrade-runner.jsView on unpkg · L1
dist/runtime/agent/bootstrap.jsView file
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
dist/runtime/supervisor/bootstrap.jsView file
3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L12: import { fileURLToPath } from 'url'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { McpServer } from '@[redacted].js'; ... L18: import { Buffer as Buffer$1 } from 'buffer'; L19: import { createServer } from 'net'; L20: import fastifyWebsocketImport from '@fastify/websocket'; ... L156: pid: join(root, "pub.pid"), L157: data: join(root, "data"), L158: adminSecret: join(root, "admin.secret"),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
dist/cli/main.jsView file
6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer } from 'net'; L8: import { randomBytes, hkdfSync, createCipheriv, createDecipheriv, createHash, randomUUID, timingSafeEqual, scrypt, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/main.jsView on unpkg · L6
dist/connectors/discord/gateway.cjsView file
path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/connectors/discord/gateway.cjsView on unpkg

Findings

2 Critical4 High3 Medium8 Low
CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
HighChild Processdist/runtime/install/upgrade-runner.js
HighShell
HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
HighOversized Source Filedist/connectors/discord/gateway.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/runtime/agent/bootstrap.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License
@twentytwohundred/2200-cli@2026.702.2218: Clean npm security | LPM Firewall