registry  /  @twentytwohundred/2200-cli  /  2026.702.32

@twentytwohundred/2200-cli@2026.702.32

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 9d ago · by lpm-firewall-ai

No confirmed malicious attack surface was found. The package exposes powerful agent runtime capabilities, but they are package-aligned and activated by explicit CLI/daemon/agent use rather than installation or import.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs 2200 CLI commands such as daemon start, agent task execution, connector use, or upgrade.
Impact
Potentially broad local and network actions when an operator configures and runs agents, but no source evidence of unconsented harvesting or exfiltration.
Mechanism
User-invoked agent runtime with shell, HTTP, vault, daemon, and connector subprocess capabilities
Rationale
Static inspection confirms high-risk primitives, but they match the package's stated agent hosting purpose and are not triggered at install/import time. I found no concrete unconsented credential harvesting, persistence beyond the user-started daemon, or exfiltration endpoint.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/install/upgrade-runner.jsdist/runtime/supervisor/bootstrap.js
Network endpoints9
api.anthropic.comapi.openai.comapi.deepseek.comapi.moonshot.aiopenrouter.ai/apiapi.x.aigenerativelanguage.googleapis.comlocalhost:11434/v1registry.npmjs.org/@twentytwohundred%2F2200-cli

Decision evidence

public snapshot
AI called this Clean at 83.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/runtime/agent/bootstrap.js defines user/agent-invoked shell_run using /bin/sh and returns stdout/stderr.
  • dist/runtime/agent/bootstrap.js defines http_request that can inject vault credentials into outbound requests.
  • dist/runtime/supervisor/bootstrap.js can spawn bundled connector gateway processes with vault-derived env vars.
  • dist/runtime/install/upgrade-runner.js can run npm install -g and restart the daemon when upgrade flow is triggered.
Evidence against
  • package.json has no install/postinstall/preinstall lifecycle hooks; bin is explicit 2200 CLI.
  • dist/index.js only reads package.json to export VERSION.
  • Dangerous primitives are part of an advertised always-on agent runtime and are gated by CLI/daemon/agent task flows, not import/install time.
  • Credential code stores secrets in encrypted vault files and redacts injected credential values from http_request responses.
  • Network endpoints are package-aligned LLM/search/platform APIs rather than hardcoded exfiltration hosts.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 9 file(s), 4.14 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.x.ai, brave.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, nodejs.org, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

Source & flagged code

6 flagged · loading source
dist/runtime/install/upgrade-runner.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/runtime/install/upgrade-runner.jsView on unpkg · L1
dist/runtime/agent/bootstrap.jsView file
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
dist/runtime/supervisor/bootstrap.jsView file
3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L12: import { fileURLToPath } from 'url'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { McpServer } from '@[redacted].js'; ... L18: import { Buffer as Buffer$1 } from 'buffer'; L19: import { createServer } from 'net'; L20: import fastifyWebsocketImport from '@fastify/websocket'; ... L156: pid: join(root, "pub.pid"), L157: data: join(root, "data"), L158: adminSecret: join(root, "admin.secret"),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
dist/cli/main.jsView file
6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer } from 'net'; L8: import { randomBytes, hkdfSync, createCipheriv, createDecipheriv, createHash, randomUUID, timingSafeEqual, scrypt, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/main.jsView on unpkg · L6
dist/connectors/discord/gateway.cjsView file
path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/connectors/discord/gateway.cjsView on unpkg

Findings

2 Critical4 High3 Medium8 Low
CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
HighChild Processdist/runtime/install/upgrade-runner.js
HighShell
HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
HighOversized Source Filedist/connectors/discord/gateway.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/runtime/agent/bootstrap.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License