vscode-doctor
Warn
Audited by Gen Agent Trust Hub on Jun 19, 2026
Risk Level: MEDIUMDATA_EXFILTRATIONCOMMAND_EXECUTIONPROMPT_INJECTION
Full Analysis
- [DATA_EXFILTRATION]: The diagnostic script
collect_vscode_diagnostics.shgathers extensive system data, including full process lists (ps aux), hardware/memory specifications, and workspace file details. It also captures contents from editor settings and log files. While the skill instructs the agent to redact this information before sharing, the collection process itself exposes sensitive local paths, project names, and potential credentials found in logs or settings to the AI agent context. - [COMMAND_EXECUTION]: The skill uses the
Bashtool to run a local script that executes various system utilities such asuptime,sysctl,ps,du,find,rg, andgit. - [COMMAND_EXECUTION]: The
collect_vscode_diagnostics.shscript dynamically executes commands passed through theEDITOR_COMMANDSenvironment variable. These commands are executed in a loop (for cmd in $EDITOR_COMMANDS; do ... "$cmd" --status ... done) without validation or escaping. If the variable is populated with shell metacharacters or subshell commands (e.g., via backticks or$()), it could lead to arbitrary command execution. - [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted data from the local environment, such as editor log files and workspace settings, and processes it using the agent.
- Ingestion points: Data is read via
collect_vscode_diagnostics.shfrom log files and settings files. - Boundary markers: No explicit delimiters or 'ignore embedded instructions' warnings are used when the gathered data is presented to the model.
- Capability inventory: The skill has access to the
BashandReadtools, and the diagnostic script can execute various system commands and read files. - Sanitization: There is no evidence of sanitization or filtering of the content read from files before it is processed by the AI agent.
Audit Metadata