Plugins
UltraSushiTron plugins are WASM modules that extend agent capabilities. Each plugin declares a type and a set of capabilities that are validated at install time and enforced at runtime.
Plugin Types
Every plugin declares one of four types via the plugin_type field. The type determines which capabilities are valid and how the plugin integrates with the agent runtime.
| Type | Purpose | Examples |
| --- | --- | --- |
| tool | Execute actions and transform data | Code formatter, linter, data pipeline |
| channel | Bi-directional messaging with external services | Slack bot, Discord bridge, Telegram relay |
| provider | LLM or service backends | Custom model adapter, API gateway |
| memory | Storage backends for agent memory | Vector DB adapter, key-value store |
If plugin_type is omitted, the plugin defaults to tool.
Manifest Format
Each plugin ships a plugin.json manifest alongside its WASM binary. The manifest declares metadata, capabilities, and the entry point function.
| Field | Type | Required | Description |
| --- | --- | --- | --- |
| name | string | Yes | Unique plugin identifier |
| version | string | Yes | Semver version |
| description | string | Yes | Human-readable description |
| author | string | Yes | Plugin author or team |
| license | string | No | SPDX license identifier |
| plugin_type | string | No | One of tool, channel, provider, memory. Defaults to tool |
| capabilities | array | Yes | Required capabilities (see below) |
| entry | string | Yes | WASM exported function name |
| inputs | object | No | Input parameter definitions |
| signature | string | No | Ed25519 signature for verified publishers |
| repository | string | No | Source repository URL |
Example: Tool Plugin
{
  "name": "hello-plugin",
  "version": "0.1.0",
  "description": "Example plugin demonstrating UltraSushiTron plugin system",
  "capabilities": [
    "logging",
    {
      "type": "secret_request",
      "secret_types": ["api_key", "token"]
    }
  ],
  "entry_point": "execute",
  "author": "UltraSushiTron Team"
}
Example: Browser Agent Plugin
{
  "name": "browser-agent",
  "version": "0.1.0",
  "description": "Example plugin demonstrating browser automation capabilities",
  "capabilities": [
    "logging",
    {
      "type": "browser",
      "allowed_domains": ["example.com", "httpbin.org"],
      "allowed_actions": ["navigate", "get_text", "click", "wait_for_selector"],
      "headless_only": true
    }
  ],
  "entry_point": "execute",
  "author": "UltraSushiTron Team"
}
Capability System
Capabilities are the security boundary between plugins and the host system. Each capability must be declared in the manifest and approved by the user at install time. The runtime enforces these grants — undeclared capabilities are blocked.
| Capability | Parameters | Description |
| --- | --- | --- |
| logging | None | Write to the agent log. Granted to all plugins by default. |
| filesystem | paths, access (read \| write \| read_write) | Read/write files within specified paths only. |
| network | domains, protocols (optional) | HTTP/WS access restricted to listed domains. |
| secret_request | types (SecretType[]), max_duration (optional) | Request secrets from the vault. Requires user approval per access. |
| exec | commands, allow_shell (optional) | Execute specific system commands. |
| ai | models, max_tokens | Access LLM inference with token budget limits. |
| browser | allowed_domains, allowed_actions, headless_only | Browser automation via the companion Playwright service. |
Type-Specific Restrictions
Not all capabilities are valid for all plugin types. The runtime rejects manifests that declare capabilities outside their type's allowed set.
| Plugin Type | Allowed Capabilities | Restricted |
| --- | --- | --- |
| tool | All capabilities | None |
| channel | logging, network, secret_request | filesystem, exec, browser, ai |
| provider | logging, network, ai | filesystem, exec, browser, secret_request |
| memory | logging, filesystem, network | exec, browser, secret_request, ai |
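One way to check a manifest against the type restrictions above before install, as an added example rather than UltraSushiTron's own code. It assumes a capability appears either as a bare string or as an object with a type key, as in the manifest examples on this page; the function names and sample manifests are constructed for illustration.

```python
import json

# Capability sets per plugin type, copied from the table above.
ALL_CAPS = {"logging", "filesystem", "network", "secret_request", "exec", "ai", "browser"}
ALLOWED = {
    "tool": ALL_CAPS,
    "channel": {"logging", "network", "secret_request"},
    "provider": {"logging", "network", "ai"},
    "memory": {"logging", "filesystem", "network"},
}

def capability_name(cap):
    """Assumed shape: a bare string, or an object carrying a "type" key."""
    if isinstance(cap, str):
        return cap
    if isinstance(cap, dict) and isinstance(cap.get("type"), str):
        return cap["type"]
    raise ValueError(f"malformed capability entry: {cap!r}")

def check_manifest(manifest_text):
    """Return a list of violations; an empty list means the manifest passes."""
    manifest = json.loads(manifest_text)
    if not isinstance(manifest, dict):
        return ["manifest must be a JSON object"]
    plugin_type = manifest.get("plugin_type", "tool")  # documented default
    if not isinstance(plugin_type, str) or plugin_type not in ALLOWED:
        return [f"unknown plugin_type {plugin_type!r}"]
    caps = manifest.get("capabilities")
    if not isinstance(caps, list):
        return ["capabilities must be an array"]
    errors = []
    for cap in caps:
        try:
            name = capability_name(cap)
        except ValueError as exc:
            errors.append(str(exc))
            continue
        if name not in ALL_CAPS:
            errors.append(f"unknown capability {name!r}")
        elif name not in ALLOWED[plugin_type]:
            errors.append(f"{name!r} is not allowed for plugin_type {plugin_type!r}")
    return errors

# Constructed sample manifests (not real marketplace plugins).
CHANNEL_BAD = '{"name": "demo-relay", "plugin_type": "channel", "capabilities": ["logging", {"type": "network", "domains": ["example.com"]}, {"type": "exec", "commands": ["ls"]}]}'
DEFAULT_TOOL = '{"name": "demo-tool", "capabilities": ["logging", {"type": "browser", "allowed_domains": ["example.com"], "allowed_actions": ["navigate"], "headless_only": true}]}'

if __name__ == "__main__":
    for text in (CHANNEL_BAD, DEFAULT_TOOL):
        print(check_manifest(text))
```

The check fails closed: an unknown plugin type or an unrecognized capability name is reported as a violation rather than ignored, so a typo in the manifest cannot widen what a plugin is granted.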
Marketplace Catalog
The UltraSushiTron marketplace ships 23 verified plugins across 7 categories. Browse and install them from the Plugin Marketplace.
Security
| Plugin | Type | Description |
| --- | --- | --- |
| secret-leak-scanner | tool | Scan files for leaked secrets using 16+ regex patterns |
| compliance-auditor | tool | Audit against SOC2, HIPAA, and PCI-DSS frameworks |
| sbom-checker | tool | Generate CycloneDX SBOMs and check for CVEs |
Cloud Providers
| Plugin | Type | Description |
| --- | --- | --- |
| aws-secrets-sync | provider | Bidirectional sync with AWS Secrets Manager |
| gcp-secret-connector | provider | Google Cloud Secret Manager operations |
| azure-keyvault-bridge | provider | Azure Key Vault secret and certificate ops |
| k8s-secret-operator | provider | Kubernetes Secret resource CRUD |
CI/CD
| Plugin | Type | Description |
| --- | --- | --- |
| github-actions-injector | tool | GitHub Actions OIDC and secret injection |
| terraform-secret-provider | tool | HCL and Pulumi config generation |
| ci-adapter-pack | tool | GitLab CI, Jenkins, CircleCI adapters |
AI Integrations
| Plugin | Type | Description |
| --- | --- | --- |
| llm-api-gateway | provider | Multi-provider LLM API key routing |
| mcp-secret-provider | tool | MCP server with JSON-RPC secret tools |
Monitoring
| Plugin | Type | Description |
| --- | --- | --- |
| notification-hub | channel | Slack, Teams, Discord webhook notifications |
| db-credential-generator | tool | Short-lived database credentials |
| secret-analytics | tool | Usage analytics and anomaly detection |
Chat Connectors
| Plugin | Type | Description |
| --- | --- | --- |
| slack-bot | channel | Bidirectional Slack bot with slash commands and Block Kit responses |
| telegram-relay | channel | Telegram bot relay with inline commands and HTML formatting |
| discord-bot | channel | Discord bot with slash commands and rich embeds |
Developer Tools
| Plugin | Type | Description |
| --- | --- | --- |
| cert-monitor | tool | TLS certificate expiry monitoring |
| env-sync-agent | tool | Sync .env files across environments |
| connection-string-assembler | tool | Compose connection strings for 6 DB formats |
| secret-migration-tool | tool | Cross-environment secret migration |
| ide-secret-peek | tool | LSP-compatible secret metadata peek |
WASM Sandbox
All plugins execute inside a WASM sandbox with strict isolation:
- No direct syscalls — plugins communicate with the host exclusively through declared capability imports
- Memory isolation — each plugin instance gets its own linear memory
- Deterministic execution — no access to clocks, random, or non-deterministic APIs unless explicitly granted
- Resource limits — execution time and memory consumption are bounded by the host
Marketplace Security Pipeline
Plugins published to the marketplace undergo automated security analysis before approval:
- WASM binary analysis — imports, exports, memory pages, WASI usage, suspicious imports
- Capability audit — declared capabilities compared against detected usage; mismatches flagged
- LLM review — AI-assisted code review with approve/flag/reject recommendation
- Risk scoring — composite score determining automatic approval or manual review
Admin Controls
Installed plugins can be managed from the mobile admin interface (Plugins tab) or via the Admin API:
- List plugins — view all installed plugins with type, version, and enabled state
- Toggle plugins — enable or disable individual plugins at runtime
- View capabilities — inspect the granted capabilities for each plugin