registry  /  @twentytwohundred/2200-cli  /  2026.710.904

@twentytwohundred/2200-cli@2026.710.904

A platform for hosting your fleet of always-on Agents.

AI Security Review

scanned 3h ago · by lpm-firewall-ai

Review flagged AI-agent configuration or capability changes. This remains warn-only unless evidence shows foreign-agent hijack through preinstall/install/postinstall, hidden persistence, exfiltration, remote code execution, or other concrete malicious behavior.

Static reason
High-risk behavior combination matched malicious policy.; previous stored version diff introduced dangerous source
Trigger
User runs `2200 daemon start`/agent workflows and an enabled agent invokes `shell_run`; explicit upgrade invokes the upgrade runner.
Impact
An authorized agent can execute commands within its configured project directory; the daemon persists until stopped.
Mechanism
Agent-scoped shell execution, detached local supervisor, and user-invoked self-upgrade.
Rationale
This is not malicious based on the inspected source, but it is a high-impact agent platform with reachable shell execution and persistence. Flag as a warning for dangerous capability rather than block because activation is explicit and no covert exfiltration or lifecycle abuse was confirmed.
Evidence
package.jsondist/index.jsdist/cli/main.jsdist/runtime/agent/bootstrap.jsdist/runtime/supervisor/bootstrap.jsdist/runtime/install/upgrade-runner.js

Decision evidence

public snapshot
AI called this Suspicious at 88.0% confidence as Dangerous Capability with low false-positive risk.
Evidence for warning
  • `dist/runtime/agent/bootstrap.js` exposes `shell_run`, executing `/bin/sh -c` in an agent project directory.
  • `dist/runtime/supervisor/bootstrap.js` starts a detached long-running supervisor and agent processes after explicit CLI actions.
  • `dist/runtime/install/upgrade-runner.js` can run global `npm install -g` during the explicit upgrade flow.
Evidence against
  • `package.json` has no `preinstall`, `install`, `postinstall`, or `prepare` lifecycle hook.
  • `dist/index.js` only discovers and exports the package version on import.
  • `dist/cli/main.js` runs command handling only when directly invoked; daemon startup is under `2200 daemon start`.
  • No source evidence found of credential harvesting, hidden exfiltration, or foreign AI-agent configuration writes.
Behavioral surface
Source
ChildProcessCryptoEnvironmentVarsEvalFilesystemNetworkShellWebSocket
Supply chain
HighEntropyStringsMinifiedTelemetryUrlStrings
Manifest
NoLicense
scanned 9 file(s), 4.26 MB of source, external domains: 100.x.x.x, 127.0.0.1, 192.168.1.42, accounts.google.com, accounts.spotify.com, aistudio.google.com, api.anthropic.com, api.deepseek.com, api.moonshot.ai, api.openai.com, api.search.brave.com, api.slack.com, api.telegram.org, api.x.ai, auth.openai.com, auth.x.ai, brave.com, chatgpt.com, developer.mozilla.org, developer.spotify.com, discord.com, discord.gg, discord.new, generativelanguage.googleapis.com, github.com, grok.com, jimmy.warting.se, nodejs.org, oauth2.googleapis.com, openpub.ai, openrouter.ai, react.dev, register.openscut.ai, registry.npmjs.org, slack.com, www.googleapis.com, www.w3.org
Oversized source lightweight scan
dist/connectors/discord/gateway.cjs3.00 MB file, sampled 256 KB
FilesystemNetworkChildProcessEnvironmentVarsEvalHighEntropyStringsUrlStringsdeveloper.mozilla.orgdiscord.comdiscord.ggdiscord.newgithub.comjimmy.warting.se

Source & flagged code

7 flagged · loading source
dist/runtime/install/upgrade-runner.jsView file
1#!/usr/bin/env node L2: import { spawn } from 'child_process'; L3: import { readFile, mkdir, open, rename, unlink } from 'fs/promises';
High
Child Process

Package source references child process execution.

dist/runtime/install/upgrade-runner.jsView on unpkg · L1
dist/runtime/agent/bootstrap.jsView file
1import { hkdfSync, randomBytes, createHash, createDecipheriv, createCipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import 'http'; ... L11: import { readFileSync, existsSync, mkdirSync } from 'fs'; L12: import { spawn } from 'child_process'; L13: import Database from 'better-sqlite3'; ... L175: tag: z.string(), L176: metadata: CredentialMetadataSchema L177: }); ... L2838: function activeLevel() {
Critical
Command Output Exfiltration

Source executes local commands and sends command output to an external endpoint.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
1import { hkdfSync, randomBytes, createHash, createDecipheriv, createCipheriv, randomUUID, sign, createPrivateKey, createPublicKey } from 'crypto'; L2: import { mkdir, writeFile, readFile, rm, readdir, appendFile, rename, chmod, stat, unlink, open } from 'fs/promises'; ... L6: import { stringify, parse } from 'yaml'; L7: import { createConnection } from 'net'; L8: import 'http'; ... L11: import { readFileSync, existsSync, mkdirSync } from 'fs'; L12: import { spawn } from 'child_process'; L13: import Database from 'better-sqlite3'; ... L175: tag: z.string(), L176: metadata: CredentialMetadataSchema L177: }); ... L2838: function activeLevel() {
Low
Weak Crypto

Package source references weak cryptographic algorithms.

dist/runtime/agent/bootstrap.jsView on unpkg · L1
dist/runtime/supervisor/bootstrap.jsView file
3Detached bundled service listener: [redacted].js launches a Node helper and exposes a broad-bound HTTP listener. L3: import { z, ZodError } from 'zod'; L4: import { createDecipheriv, randomBytes, createCipheriv, generateKeyPairSync, timingSafeEqual, randomUUID, hkdfSync, sign, createHash, createPrivateKey, createPublicKey, scrypt } fr... L5: import * as YAML from 'yaml'; ... L10: import { CronExpressionParser } from 'cron-parser'; L11: import { createServer as createServer$1 } from 'http'; L12: import { fileURLToPath, URL as URL$1 } from 'url'; L13: import { homedir, tmpdir, hostname } from 'os'; L14: import { spawn, execFileSync } from 'child_process'; L15: import { McpServer } from '@[redacted].js'; ... L157: pid: join(root, "pub.pid"), L158: data: join(root, "data"), L159: adminSecret: join(root, "admin.secret"),
High
Spawned Bundled Service Listener

Source launches a detached bundled service that exposes a broad-bound HTTP listener.

dist/runtime/supervisor/bootstrap.jsView on unpkg · L3
dist/cli/main.jsView file
6Trigger-reachable chain: manifest.bin -> dist/cli/main.js L6: import { z, ZodError } from 'zod'; L7: import { createConnection, createServer as createServer$1 } from 'net'; L8: import { randomBytes, createCipheriv, hkdfSync, createDecipheriv, randomUUID, timingSafeEqual, scrypt, createHash, generateKeyPairSync, sign, createPrivateKey, createPublicKey } fr... L9: import * as YAML from 'yaml'; ... L12: import lockfile from 'proper-lockfile'; L13: import { spawn, execFileSync } from 'child_process'; L14: import { CronExpressionParser } from 'cron-parser'; ... L231: pid: join(root, "pub.pid"), L232: data: join(root, "data"), L233: adminSecret: join(root, "admin.secret"), ... L1684: function activeLevel() { L1685: const raw = (process.env["LOG_LEVEL"] ?? "").toLowerCase();
Critical
Trigger Reachable Dangerous Capability

A package entrypoint or install-time lifecycle script reaches a source file with blocking dangerous behavior.

dist/cli/main.jsView on unpkg · L6
matchType = previous_version_dangerous_delta matchedPackage = @twentytwohundred/2200-cli@2026.703.54 matchedIdentity = npm:[redacted]:2026.703.54 similarity = 0.556 summary = stored previous version shares package body but lacks this dangerous source file
Critical
Previous Version Dangerous Delta

This package version adds a dangerous source file absent from the previous stored version; route for source-aware review.

dist/cli/main.jsView on unpkg
dist/connectors/discord/gateway.cjsView file
path = dist/connectors/discord/gateway.cjs kind = oversized_source_file sizeBytes = 3142834 magicHex = [redacted]
High
Oversized Source File

Package contains source files above the static scanner size ceiling.

dist/connectors/discord/gateway.cjsView on unpkg

Findings

3 Critical4 High3 Medium8 Low
CriticalCommand Output Exfiltrationdist/runtime/agent/bootstrap.js
CriticalTrigger Reachable Dangerous Capabilitydist/cli/main.js
CriticalPrevious Version Dangerous Deltadist/cli/main.js
HighChild Processdist/runtime/install/upgrade-runner.js
HighShell
HighSpawned Bundled Service Listenerdist/runtime/supervisor/bootstrap.js
HighOversized Source Filedist/connectors/discord/gateway.cjs
MediumNetwork
MediumEnvironment Vars
MediumStructural Risk Force Deep Review
LowScripts Present
LowEval
LowWeak Cryptodist/runtime/agent/bootstrap.js
LowFilesystem
LowHigh Entropy Strings
LowTelemetry
LowUrl Strings
LowNo License