vscode-extension-builder
Pass
Audited by Gen Agent Trust Hub on Feb 17, 2026
Risk Level: SAFE
Full Analysis
- Security Best Practices (SAFE): The webview template in `webview-extension/extension.ts` correctly implements a Content Security Policy (CSP) and uses a cryptographically generated nonce to whitelist scripts, which is the standard defense against Cross-Site Scripting (XSS) in VS Code extensions.
- Dependencies (SAFE): The `package.json` files for both templates only include standard development-time dependencies such as `typescript`, `@types/vscode`, and `@types/node` from the npm registry.
- Input Handling (SAFE): While the templates include mechanisms for receiving user input (`vscode.window.showInputBox` and `onDidReceiveMessage`), these are implemented using standard VS Code APIs for their intended educational and functional purposes as templates.
- No Malicious Command Execution (SAFE): No instances of unauthorized command execution, persistence mechanisms, or attempts to access sensitive system files were found across the analyzed files.
Audit Metadata