create-gsd-extension

Fail

Audited by Socket on Mar 22, 2026

2 alerts found:

Obfuscated File x2

Obfuscated File HIGH
references/packaging-distribution.md

The manifest/specification contains no direct malicious code but documents behaviors that create significant supply-chain risk: automatic 'npm install' (and thus lifecycle script execution), auto-loading of .js/.ts extensions, and permissive install sources (npm, git, local). These design choices make it straightforward for a malicious or compromised upstream package to execute arbitrary code on users' machines or exfiltrate data. Without additional safeguards (signatures, sandboxing, explicit lifecycle script governance, and stricter dependency pinning), packages distributed under this model should be treated as potentially dangerous.

Confidence: 98%

Obfuscated File HIGH
references/system-prompt-modification.md

The fragment defines powerful extension hooks that legitimately enable per-turn customization of the LLM prompt and context but simultaneously create a high-risk attack surface for prompt-injection and context-manipulation attacks. There is no direct evidence of classic malware (network exfiltration, reverse shell, hard-coded credentials) in the provided code, but a malicious or compromised extension using these APIs could cause the model to leak information, ignore safety rules, or hide prior context. Treat these APIs as privileged: enforce strict extension vetting, limit modification privileges, and audit all returned prompt/context changes at runtime.

Confidence: 98%

Audit Metadata

Analyzed At: Mar 22, 2026, 09:04 AM
Package URL: pkg:socket/skills-sh/gsd-build%2Fgsd-2%2Fcreate-gsd-extension%2F@b996ec1fe1f60f7d7729c1d958a0bc5d76c93cb9