UMG Envoy Agent

Security checks across malware telemetry and agentic risk

Overview

The plugin is not clearly malicious, but it exposes local process execution and file-writing bridge features more broadly than its public safety description suggests.

Install only if you specifically need the UMG compiler-bridge workflow. Keep the bridge and relation-matrix write features gated, restrict `compilerCliPath` and `outputDir` to trusted locations, and treat the plugin as capable of local process execution despite its benign, inspection-focused framing.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Trigger Abuse: Overly Broad Trigger, Shadow Command Trigger, Keyword Baiting Trigger
  • MCP Tool Poisoning: Hidden Instructions, Unicode Deception, Parameter Description Injection
  • Prompt Injection: Instruction Override, Hidden Instructions, Exfiltration Commands
  • Data Exfiltration: External Transmission, Env Variable Harvesting, File System Enumeration
  • Privilege Escalation: Excessive Permissions, Sudo/Root Execution, Credential Access
Findings (23)

Intent-Code Divergence

Severity: Medium
Confidence: 95%
Finding
The code tells the model to use only approved read-only tools, but it programmatically exposes every tool in `approvedTools` without verifying that those tools are actually read-only. An LLM instruction is not a security boundary, so if any state-changing or sensitive tool is present, prompt injection or normal agent behavior could cause unauthorized actions despite the prompt wording.

Intent-Code Divergence

Severity: Medium
Confidence: 92%
Finding
The returned warning is materially misleading: in dry-run mode the adapter claims it does not execute tools until bindings are attached, yet elsewhere in the same function it will execute a hardcoded allowlisted tool once an executor is present. This can cause integrators or security reviewers to rely on an incorrect safety guarantee, increasing the chance that a bound executor is deployed under the false assumption that no tool execution path exists.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
The dashboard hard-codes `File Contents: no` for local read-only inspection, but the inspection scope can be created with `include_file_contents`. That creates a misleading security boundary in the UI/output, which can cause reviewers or operators to approve or rely on an execution summary that understates data-exposure risk.

Intent-Code Divergence

Severity: Medium
Confidence: 91%
Finding
The type surface declares payload and execution-boundary guarantees such as `contains_file_contents: false` and `file_contents_read: false`, yet the API accepts `include_file_contents?: boolean` on planning and execution functions. That mismatch can cause callers, reviewers, or policy engines to trust a read-only metadata-only contract while code paths may be configured to read file contents, creating an authorization and data-exposure risk.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The preflight/mock result types state `local_inspection_performed: false` and `statement: "No local inspection performed."`, but the same module exposes scan execution functions that perform local filesystem inspection. Even if those particular structs are intended for dry-run use, the conflicting contract is dangerous because downstream systems may rely on these declarations for audit, gating, or user consent and mistakenly believe no inspection occurred.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The agent is told via system prompt to use only approved read-only tools, but the code does not verify that the adapted tools are actually read-only before exposing them to the model. If any approved tool has side effects, the model may invoke it under the false safety assumption created by the prompt, enabling unintended writes, state changes, or external actions.
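The two findings above share one root cause: the read-only property lives in the prompt, not in code. The following is an added example (not the plugin's adapter) of enforcing it at the tool-exposure and executor layers instead. The tool shape (`name`, `description`, `annotations.readOnly`), the executor signature and the sample tool names are assumptions made for illustration; the page does not show the real `approvedTools` entries.

```javascript
// Added example, not the plugin's code. Tool shape, annotation names and the
// executor signature are assumptions; the sample registry below is constructed.
const approvedTools = [
  { name: "inspect_metadata", description: "Read-only metadata listing", annotations: { readOnly: true } },
  // Description says "read-only" but the annotation says it writes files.
  { name: "emit_relation_matrix", description: "Read-only view of the relation matrix", annotations: { readOnly: false, writesFiles: true } },
  // No annotation at all: side effects unknown, so it must not be treated as read-only.
  { name: "load_sleeve", description: "Loads a sleeve", annotations: {} },
];

// The anti-pattern from the finding: every approved tool is exposed and only
// the system prompt says "read-only". Nothing stops the model calling any of them.
function exposeToolsByPrompt(tools) {
  return tools.map((t) => t.name);
}

// Enforced version: a tool reaches the model only if it carries an explicit
// readOnly annotation. A missing annotation is treated as "has side effects".
function selectReadOnlyTools(tools) {
  return tools.filter((t) => t.annotations?.readOnly === true).map((t) => t.name);
}

// The executor is the real boundary: it refuses any call outside the exposed
// set, so an injected instruction that names a write tool still cannot run it.
function createGuardedExecutor(tools, executor) {
  const allowed = new Set(selectReadOnlyTools(tools));
  return function execute(name, args) {
    if (!allowed.has(name)) {
      return { ok: false, error: `tool '${name}' is not exposed as read-only` };
    }
    return { ok: true, result: executor(name, args) };
  };
}

// Constructed executor that records which tools actually ran.
function makeRecordingExecutor(log) {
  return (name, args) => {
    log.push(name);
    return `${name}(${JSON.stringify(args)})`;
  };
}
```

Note that the check keys on a structured annotation, never on the description text: the misdeclared `emit_relation_matrix` entry above is exactly the case where a prompt-only rule fails and a metadata rule holds.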

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The dashboard hard-codes `File Contents: no` for `local_readonly_inspection` even though the scope builder accepts `include_file_contents` and may authorize content collection. The result is a misleading security/UI assertion that can hide actual data exposure: operators or downstream systems may believe no file content was accessed when it may have been.

Intent-Code Divergence

Severity: Medium
Confidence: 88%
Finding
The dry-run compiler derives sensitive tool bindings directly from untrusted task text, including `mcp.real_remote_execution`, and persists them into the compiled spec. Even though governance later marks some tools as blocked or approval-gated, recording and propagating inferred high-risk capabilities in a dry-run path can taint downstream policy, logging, routing, or approval systems and create a confused-deputy condition if another component treats the structured spec as authoritative.

Intent-Code Divergence

Severity: Medium
Confidence: 96%
Finding
The rendered dashboard hard-codes `File Contents: no` for local read-only inspection, but the inspection scope is configurable with `include_file_contents`. This creates a misleading security boundary in the UI/output: operators may believe only metadata is exposed when file contents may actually be included, increasing the risk of accidental sensitive-data disclosure and unsafe approvals.

Intent-Code Divergence

Severity: High
Confidence: 96%
Finding
The type contract presents this as a read-only metadata scan, but the API surface explicitly accepts `include_file_contents` in multiple builders and execution functions. That mismatch can let callers request file contents while upstream policy, approval, or audit logic assumes contents are never read, creating an authorization bypass and possible sensitive local data exposure.

Intent-Code Divergence

Severity: Medium
Confidence: 90%
Finding
The declared execution boundary states that no local inspection is performed, yet the module exports functions to plan and execute local metadata scans. Security controls or reviewers relying on these declarations may incorrectly treat the operation as non-executing or side-effect free, weakening governance, logging, and approval decisions around local filesystem access.

Intent-Code Divergence

Severity: Medium
Confidence: 94%
Finding
`createProposedActionGate` sets `allowlistSatisfied` based solely on `policy.directExecutionAllowed` and can return `finalDecision='allow_direct'` without verifying explicit capability allowlist membership. Elsewhere in the same file, low-risk direct execution correctly requires an explicit allowlist tag, so this inconsistency can cause downstream consumers to misinterpret a merely low-risk policy classification as an allowlisted authorization to execute.
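As an added example (not the plugin's `createProposedActionGate`), the gate below shows the divergence side by side with a consistent version in which `allowlistSatisfied` reflects explicit membership and `allow_direct` requires the policy flag, the low-risk class and membership together. The action and policy shapes, the `example.*` capability names and the decision strings are assumptions chosen to mirror the finding's wording.

```javascript
// Added example, not the plugin's code. Policy/action shapes, capability names
// and decision strings are assumptions; the policy below is constructed.
const examplePolicy = {
  directExecutionAllowed: true,
  allowlistedCapabilities: ["example.read_metadata"],
  blockedCapabilities: ["example.remote_exec"],
};

// The divergence the finding describes: allowlistSatisfied merely mirrors the
// policy flag, so an un-allowlisted low-risk action still comes back allow_direct.
function createProposedActionGateWeak(action, policy) {
  const allowlistSatisfied = policy.directExecutionAllowed === true;
  const finalDecision =
    action.risk === "low" && allowlistSatisfied ? "allow_direct" : "require_approval";
  return { allowlistSatisfied, finalDecision };
}

// Consistent version: membership is checked against the explicit capability
// tag, blocked capabilities never reach direct execution, and allow_direct
// needs all three conditions at once.
function createProposedActionGate(action, policy) {
  const allowlist = new Set(policy.allowlistedCapabilities ?? []);
  const blocked = new Set(policy.blockedCapabilities ?? []);
  const allowlistSatisfied = allowlist.has(action.capability);

  let finalDecision;
  let reason;
  if (blocked.has(action.capability) || action.risk === "high") {
    finalDecision = "block";
    reason = "capability is blocked or classified high-risk";
  } else if (action.risk === "low" && policy.directExecutionAllowed === true && allowlistSatisfied) {
    finalDecision = "allow_direct";
    reason = "low-risk and explicitly allowlisted";
  } else {
    finalDecision = "require_approval";
    reason = allowlistSatisfied
      ? "allowlisted but not low-risk or direct execution disabled"
      : "capability not on the explicit allowlist";
  }
  return { allowlistSatisfied, finalDecision, reason };
}
```

A consumer that branches on `allowlistSatisfied` alone now gets the same answer as one that branches on `finalDecision`, which is the property the finding says the original file lacks.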

Intent-Code Divergence

Severity: Medium
Confidence: 93%
Finding
The registry entry for `umg_envoy_load_sleeve` explicitly notes that it is internal-only, not declared in the public manifest, and excluded from the first public low-risk adapter set, yet the code still includes it in the exported seed and makes it discoverable through the exported resolver. That creates a policy/implementation mismatch: any consumer using this registry as an authorization source may treat the tool as an available capability, bypassing intended surface restrictions and exposing an incompletely reviewed tool.

Description-Behavior Mismatch

Severity: High
Confidence: 97%
Finding
The manifest description asserts the plugin "does not provide arbitrary dispatch, writes, deletes, or external transmission," but the configuration explicitly includes `allowRuntimeWrites` and relation-matrix temp-write support, and the tool list includes emit/runner capabilities. This kind of capability misrepresentation is dangerous because security decisions, allowlisting, and user trust may rely on the manifest text; operators may enable or install the plugin under false assumptions and unintentionally grant file-write behavior.

Description-Behavior Mismatch

Severity: High
Confidence: 98%
Finding
The manifest claims there is no arbitrary dispatch, yet `configSchema` exposes an external compiler bridge with command/path settings and the declared tools include `umg_envoy_compile_ir_bridge`. Even if disabled by default, this creates a high-risk execution surface that contradicts the safety description; in practice, administrators or agents could be misled into approving a plugin that can invoke external tooling and potentially execute unintended commands or process untrusted inputs.

Vague Triggers

Severity: Medium
Confidence: 83%
Finding
The trigger text is broad and underspecified: 'normal public envoy compilation behavior' does not define clear activation boundaries or concrete user intents. Ambiguous triggers can cause unintended activation, making the agent invoke behavior in contexts the author did not mean, which can expand capability exposure or interfere with safer routing logic.

Vague Triggers

Severity: Medium
Confidence: 90%
Finding
The manifest enables a trigger block (`trigger.sample`) but does not define any trigger phrases, scopes, or activation constraints in this file. That ambiguity can cause the skill to activate in unintended contexts or rely on external/default trigger behavior that is harder to audit, increasing the risk of prompt injection or unauthorized invocation.

Vague Triggers

Severity: Medium
Confidence: 87%
Finding
The package description exposes a broad code-executing agent with many runtime, compilation, orchestration, and approval-related tools, but it does not specify clear invocation boundaries, authorized use cases, or trigger constraints. In this context, the lack of explicit constraints increases the risk that a host agent or user invokes powerful capabilities in unsafe or unintended situations, especially given the package advertises code execution and runtime orchestration features.

Vague Triggers

Severity: Medium
Confidence: 82%
Finding
The example trigger "Scan the project folder" is overly broad and conflicts with the document's own requirement for exact path scope and explicit approval. In agent settings, ambiguous examples often become de facto accepted behavior, which can lead to unintended directory enumeration or approval bypass if implementers or downstream prompts treat the phrase as sufficient authorization.

Vague Triggers

Severity: Medium
Confidence: 88%
Finding
The trigger text uses broad natural-language criteria ('when the user asks for normal public envoy compilation behavior') without clear, testable boundaries. This can cause the trigger to activate in unintended contexts, leading to incorrect routing or invocation of behavior the user did not explicitly request.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The schema case builds a filesystem path directly from the untrusted `artifactId` using `artifactId.replaceAll('/', path.sep)` and then later checks that path with `fs.existsSync`. Because there is no normalization-and-containment check against `libraryRoot`, an attacker can supply values containing `../` segments to traverse outside the intended library directory and probe for file existence on the host. In this resolver context the immediate effect is arbitrary path-existence disclosure rather than file contents, but it still expands the trust boundary and may aid further attacks.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
The script forcefully deletes whatever path is supplied in `StageRoot` using `Remove-Item -Recurse -Force`, with no validation that the target is a safe staging subdirectory. If `StageRoot` is changed accidentally or influenced by another process, the script could recursively wipe arbitrary filesystem locations, causing destructive data loss during packaging or release workflows.

Missing User Warnings

Severity: Medium
Confidence: 93%
Finding
This code can write a relation matrix file to disk when `allowRelationMatrixEmit` is enabled, using paths influenced by request/config values, without any disclosure, consent, or audit signal in this code path. Because the emitted matrix contains runtime structure, route, capabilities, diagnostics, and identifiers, it may persist sensitive internal data in temporary or caller-specified locations where other users, processes, or later tooling can access it.

VirusTotal

62 of 62 vendors reported this plugin as clean.