Back to plugin

Security audit

UMG Envoy Agent

Security checks across malware telemetry and agentic risk

Overview

The plugin is not clearly malicious, but it exposes local process execution and file-writing bridge features more broadly than its public safety description suggests.

Install only if you specifically need this UMG compiler-bridge workflow. Keep bridge and relation-matrix write features gated, restrict compilerCliPath and outputDir to trusted locations, and treat the plugin as capable of local process execution despite the benign inspection-focused framing.

VirusTotal

62/62 vendors flagged this plugin as clean.

View on VirusTotal

Static analysis

Detected: suspicious.dangerous_exec

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
.compare-approved-tarball/package/dist/compiler/compiler-process.js:25
Evidence
const child = spawn(invocation.command, invocation.args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
ARTIFACT-ARCHIVE/.publish-folder-candidate/umg-envoy-agent-0.3.0-alpha.2/dist/compiler/compiler-process.js:25
Evidence
const child = spawn(invocation.command, invocation.args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
dist/compiler/compiler-process.js:25
Evidence
const child = spawn(invocation.command, invocation.args, {

Shell command execution detected (child_process).

Critical
Code
suspicious.dangerous_exec
Location
src/compiler/compiler-process.ts:31
Evidence
const child = spawn(invocation.command, invocation.args, {