registry  /  @twentytwohundred/2200-cli  /  2026.703.5

@twentytwohundred/2200-cli@2026.703.5

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established. Dangerous primitives are present but are package-aligned, user-invoked CLI/daemon/agent capabilities rather than install-time or hidden execution.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs 2200 commands, starts the daemon, creates/starts agents, or invokes update/OAuth/search features.
Impact
User-authorized local agent automation may execute shell/file tools and send tool results to configured model providers; no hidden exfiltration or persistence was found.
Mechanism
Explicit AI-agent runtime with local daemon, tool execution, credential vault, OAuth, and provider API calls.
Rationale
Static inspection shows an AI-agent CLI with broad but explicit runtime features; scanner-highlighted shell, network, daemon, and upgrade behaviors are reached through documented/user-triggered commands rather than npm install/import or covert paths. No credential harvesting/exfiltration, hidden lifecycle execution, destructive persistence, or AI-agent control-surface mutation was confirmed.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/supervisor/bootstrap.jsdist/runtime/install/upgrade-runner.js~/.config/2200/runtime.env~/.config/2200/oauth-apps.env<2200_HOME>/state<2200_HOME>/agents<2200_HOME>/state/credentials<2200_HOME>/state/supervisor.pid
Network endpoints10
api.anthropic.comapi.openai.comapi.deepseek.comapi.moonshot.aiopenrouter.ai/apiapi.x.aigenerativelanguage.googleapis.comapi.search.brave.com/res/v1/web/searchwww.googleapis.com/customsearch/v1registry.npmjs.org/

Decision evidence

public snapshot
AI called this Clean at 84.0% confidence as Benign with low false-positive risk.
Evidence for block
    Evidence against
    • package.json has no install/preinstall/postinstall lifecycle hooks; bin is explicit 2200 CLI.
    • dist/index.js only reads package.json to export VERSION.
    • dist/runtime/agent/bootstrap.js shell_run is an agent tool running in ctx.projectDir and requires an agent task path.
    • dist/runtime/supervisor/bootstrap.js web server defaults to 127.0.0.1:2200; 0.0.0.0 is not the daemon default.
    • dist/runtime/install/upgrade-runner.js npm install is gated by TWENTYTWOHUNDRED_* upgrade env vars/user update flow.
    • Network endpoints are aligned with LLM/OAuth/search/registry features of an AI agent platform.
    Behavioral surface
    Source
    ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
    Supply chain
    HighEntropyStringsMinifiedTelemetryUrlStrings
    Manifest
    NoLicense
    scanned 9 file(s), 4.16 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.x.ai, brave.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, nodejs.org, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
    Oversized source lightweight scan
    dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
    FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

    Source & flagged code

    7 flagged · loading source
    dist/runtime/install/upgrade-runner.jsView file
    1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
    High
    Child Process

    Package source references child process execution.

    dist/runtime/install/upgrade-runner.jsView on unpkg · L1
    dist/runtime/agent/bootstrap.jsView file
    1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
    Critical
    Command Output Exfiltration

    Source executes local commands and sends command output to an external endpoint.

    dist/runtime/agent/bootstrap.jsView on unpkg · L1
    1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
    Low
    Weak Crypto

    Package source references weak cryptographic algorithms.

    dist/runtime/agent/bootstrap.jsView on unpkg · L1
    dist/runtime/supervisor/bootstrap.jsView file
    3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L12: import { fileURLToPath } from 'url'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { McpServer } from '@[redacted].js'; ... L18: import { Buffer as Buffer$1 } from 'buffer'; L19: import { createServer } from 'net'; L20: import fastifyWebsocketImport from '@fastify/websocket'; ... L156: pid: join(root, "pub.pid"), L157: data: join(root, "data"), L158: adminSecret: join(root, "admin.secret"),
    High
    Spawned Bundled Service Listener

    Source launches a detached bundled service that exposes a broad-bound HTTP listener.

    dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
    dist/cli/main.jsView file
    6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer } from 'net'; L8: import { randomBytes, createCipheriv, hkdfSync, createDecipheriv, createHash, randomUUID, timingSafeEqual, scrypt, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
    Critical
    Trigger Reachable Dangerous Capability

    A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

    dist/cli/main.jsView on unpkg · L6
    matchType = previous_version_dangerous_delta matchedPackage = @twentytwohundred/2200-cli@2026.702.2310 matchedIdentity = npm:[redacted]:2026.702.2310 similarity = 0.889 summary = stored previous version shares package body but lacks this dangerous source file
    Critical
    Previous Version Dangerous Delta

    This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

    dist/cli/main.jsView on unpkg
    dist/connectors/discord/gateway.cjsView file
    path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
    High
    Oversized Source File

    Package contains source files above the static scanner size ceiling.

    dist/connectors/discord/gateway.cjsView on unpkg

    Findings

    3 Critical4 High3 Medium8 Low
    CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
    CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
    CriticalPrevious Version Dangerous Deltadist/cli/main.js
    HighChild Processdist/runtime/install/upgrade-runner.js
    HighShell
    HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
    HighOversized Source Filedist/connectors/discord/gateway.cjs
    MediumNetwork
    MediumEnvironment Vars
    MediumStructural Risk Force Deep Review
    LowScripts Present
    LowEval
    LowWeak Cryptodist/runtime/agent/bootstrap.js
    LowFilesystem
    LowHigh Entropy Strings
    LowTelemetry
    LowUrl Strings
    LowNo License