vscode-copilot-customization
Pass
Audited by Gen Agent Trust Hub on Mar 31, 2026
Risk Level: SAFE (COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [COMMAND_EXECUTION]: The skill includes a Node.js utility script (`scripts/ensure-hook-setting.js`) designed to automate the configuration of `.vscode/settings.json` within the workspace. The instructions direct the agent to execute this script to register hook file locations automatically.
- [PROMPT_INJECTION]: The skill contains a directive instructing the agent to suppress manual configuration instructions in favor of automated script execution ("Do not tell the user to update settings.json manually — run the script instead"). This is categorized as a concealment pattern under prompt injection, though it serves a legitimate utility purpose for developer experience in this context.
Audit Metadata