vscode-chat-audit
Fail
Audited by Gen Agent Trust Hub on Mar 17, 2026
Risk Level: HIGH (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The skill accesses sensitive application directories including %APPDATA%\Code\User\workspaceStorage. It reads workspace.json to map workspace hashes and parses .jsonl files containing full chat session histories, which can expose private user interactions and code snippets.
- [COMMAND_EXECUTION]: The skill provides PowerShell and Python scripts designed to perform file system traversal and read operations on sensitive system-level configuration files and local SQLite databases (state.vscdb).
- [PROMPT_INJECTION]: The skill is vulnerable to indirect prompt injection because it ingests untrusted historical chat data from .jsonl files (ingestion point: parse_session in SKILL.md). There are no boundary markers or instructions to ignore embedded commands within the processed logs. While the skill's capabilities are limited to local read/write operations (capability inventory: open, read, json.loads, sqlite3.connect), it lacks any sanitization or validation of the historical content before processing it for summaries or classifications.
Recommendations
- AI detected serious security threats
Audit Metadata