vscode-extension-guide
Pass
Audited by Gen Agent Trust Hub on May 12, 2026
Risk Level: SAFE
Full Analysis
- [SAFE]: The skill focuses on providing best practices for secure development and project management.
  - It provides detailed instructions on implementing Content Security Policy (CSP) and nonces to secure Webviews.
  - It includes guidance on sanitizing JSON data to prevent XSS attacks when passing information between the extension host and Webviews.
  - It explicitly warns users against pasting sensitive credentials like Personal Access Tokens (PATs) into chat and demonstrates secure storage using environment variables.
- [EXTERNAL_DOWNLOADS]: The guide references standard development dependencies and tools from the official npm registry.
  - Recommends the use of @vscode/vsce for extension packaging and publishing.
  - Suggests the use of yo and generator-code for project scaffolding.
  - Mentions development dependencies like typescript, mocha, and glob.
- [COMMAND_EXECUTION]: The documentation contains standard shell commands for the extension development lifecycle.
  - Includes build commands like npm run compile and npm run watch.
  - Includes publishing commands like vsce publish and vsce package.
  - Includes testing commands such as xvfb-run npm test for Linux environments.
Audit Metadata