registry  /  @twentytwohundred/2200-cli  /  2026.703.54

@twentytwohundred/2200-cli@2026.703.54

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 8d ago · by lpm-firewall-ai

No confirmed malicious attack surface was established by source inspection. The package is a user-invoked AI agent runtime with expected dangerous capabilities: local daemon, child agent processes, shell/http tools, OAuth vaults, and connector listeners.

Static reason
High-risk behavior combination matched malicious policy.
Trigger
User runs the 2200 CLI, starts the daemon, creates/runs agents, enables connectors, or invokes update/OAuth commands.
Impact
Agents can execute commands, access configured files/credentials, and call network services as part of the advertised product when the operator configures and runs them.
Mechanism
Package-aligned local AI-agent runtime capabilities, not hidden lifecycle execution.
Rationale
Static inspection found high-risk primitives, but they are documented, user-invoked, and aligned with an agent-hosting CLI rather than hidden install/import-time malware. I found no unconsented credential harvesting, persistence beyond the advertised daemon, covert endpoint, or lifecycle-triggered exfiltration.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/supervisor/bootstrap.jsdist/runtime/install/upgrade-runner.jsREADME.mdextensions-catalog/v1.json
Network endpoints11
api.anthropic.comapi.openai.comapi.deepseek.comapi.moonshot.aiopenrouter.ai/apiapi.x.aigenerativelanguage.googleapis.comregister.openscut.airegistry.npmjs.org127.0.0.1localhost:11434/v1

Decision evidence

public snapshot
AI called this Clean at 78.0% confidence as Benign with medium false-positive risk.
Evidence for block
  • dist/runtime/agent/bootstrap.js defines agent tools including shell_run and http_request, allowing user-created agents to run commands and make network requests.
  • dist/runtime/supervisor/bootstrap.js starts a connector MCP listener on 0.0.0.0 by default when enabled, gated by bearer/OAuth auth.
  • dist/runtime/install/upgrade-runner.js can run npm install -g during the explicit update flow.
Evidence against
  • package.json has no install/postinstall lifecycle hooks; executable entrypoint is the user-invoked bin dist/cli/main.js.
  • dist/index.js only reads package.json to export VERSION; no import-time network, process spawn, or credential access.
  • README.md describes these primitives as the product: local always-on agents, local supervisor daemon, OAuth/credential vault, connectors, and update command.
  • dist/runtime/agent/bootstrap.js requires supervisor-provided TWENTYTWOHUNDRED_* env vars and runs only as an agent child process, not on package import/install.
  • Shell execution is exposed as an agent tool bounded to the agent project directory and returned through the agent loop, not hidden install-time exfiltration.
  • Credential HTTP helper injects vault secrets into user-requested HTTP calls and redacts echoed values before returning them.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 9 file(s), 4.16 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.x.ai, brave.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, nodejs.org, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

Source & flagged code

6 flagged · loading source
dist/runtime/install/upgrade-runner.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/runtime/install/upgrade-runner.jsView on unpkg · L1
dist/runtime/agent/bootstrap.jsView file
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
1import { hkdfSync, randomBytes, createHash, createCipheriv, createDecipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import { homedir } from 'os'; L9: import { readFileSync, existsSync, mkdirSync } from 'fs'; L10: import { spawn } from 'child_process'; L11: import Database from 'better-sqlite3'; ... L201: tag: z.string(), L202: metadata: CredentialMetadataSchema L203: }); ... L3008: function activeLevel() {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
dist/runtime/supervisor/bootstrap.jsView file
3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L12: import { fileURLToPath } from 'url'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { McpServer } from '@[redacted].js'; ... L18: import { Buffer as Buffer$1 } from 'buffer'; L19: import { createServer } from 'net'; L20: import fastifyWebsocketImport from '@fastify/websocket'; ... L156: pid: join(root, "pub.pid"), L157: data: join(root, "data"), L158: adminSecret: join(root, "admin.secret"),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
dist/cli/main.jsView file
6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer } from 'net'; L8: import { randomBytes, createCipheriv, hkdfSync, createDecipheriv, createHash, randomUUID, timingSafeEqual, scrypt, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/main.jsView on unpkg · L6
dist/connectors/discord/gateway.cjsView file
path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/connectors/discord/gateway.cjsView on unpkg

Findings

2 Critical4 High3 Medium8 Low
CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
HighChild Processdist/runtime/install/upgrade-runner.js
HighShell
HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
HighOversized Source Filedist/connectors/discord/gateway.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/runtime/agent/bootstrap.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License