Skip to content
AI Butler

Plugins

AI Butler plugins are WebAssembly modules. They run in an Extism sandbox with no filesystem, no network, and no syscalls by default — every capability flows through a host interface that’s checked against the plugin’s declared permissions.

Why WASM?

Section titled “Why WASM?”
  • Any language — write plugins in Rust, Go/TinyGo, JavaScript, Python, AssemblyScript
  • Safe by default — zero-privilege sandbox, grant capabilities explicitly in the manifest
  • Cross-platform — the same .wasm file runs on Linux, macOS, Raspberry Pi, Docker
  • Hot-reloadable — enable, disable, or swap plugins without restarting the agent

Plugin Management CLI

Section titled “Plugin Management CLI”
Terminal window
aibutler plugin install <path-or-url>   # install from file or URL
aibutler plugin list                    # list installed plugins
aibutler plugin enable <id>             # enable a disabled plugin
aibutler plugin disable <id>            # disable without removing
aibutler plugin remove <id>             # uninstall entirely
aibutler plugin info <id>               # show manifest + declared capabilities

Writing a Plugin

Section titled “Writing a Plugin”

Minimal Rust plugin that adds a hello tool:

use extism_pdk::*;


#[plugin_fn]
pub fn hello(name: String) -> FnResult<String> {
    Ok(format!("Hello, {}!", name))
}

Build to WASM:

Terminal window
cargo build --target wasm32-unknown-unknown --release

Install:

Terminal window
aibutler plugin install ./target/wasm32-unknown-unknown/release/hello.wasm

Plugin Manifest

Section titled “Plugin Manifest”

Every plugin ships with a manifest declaring its tools, permissions, and metadata:

name: hello-world
version: 0.1.0
author: you@example.com
description: Example plugin


tools:
  - name: hello
    description: Say hello to someone
    parameters:
      name:
        type: string
        required: true


capabilities:
  - network: ["api.example.com"]     # allow-list of hosts
  - storage: kv                       # scoped KV store
  - vault: ["example_api_key"]        # specific vault keys only

Capability Gating

Section titled “Capability Gating”

Plugins start with zero privileges. Each capability must be explicitly requested in the manifest. Plugins that try to use a capability they haven’t declared get an error from the host and the attempt is logged.

CapabilityWhat it grants
network: [hosts]HTTP requests to specific domains
storage: kvPlugin-scoped persistent KV store
vault: [keys]Read specific vault keys
tool: [names]Call specific built-in tools
memory: readRead memory (search only, no export)
channel: sendSend messages via channel adapters

Security Scanner

Section titled “Security Scanner”

On install, plugins are scanned for:

  • Dangerous imports and syscall attempts
  • Undeclared network access
  • Capability escalation patterns
  • Size and complexity limits

Plugins failing the scan are refused.

Configuration

Section titled “Configuration”
configurations:
  plugins:
    auto_enable: true          # enable plugins automatically on install
    plugin_dir: /data/plugins  # override plugin directory

Reference Implementation

Section titled “Reference Implementation”

See internal/plugin/ in the repo for the plugin runtime, host functions, capability checks, and the Extism integration. The plugin system is one of the most-audited parts of the codebase — start there if you’re evaluating security.