vscode-extension-builder-lawvable
Warn
Audited by Gen Agent Trust Hub on Apr 2, 2026
Risk Level: MEDIUM (DATA_EXFILTRATION, COMMAND_EXECUTION, PROMPT_INJECTION)
Full Analysis
- [DATA_EXFILTRATION]: The `file-bridge` template in `assets/file-bridge/src/extension.ts` implements a `readFile` handler that accepts a `filePath` parameter and uses it directly with `vscode.workspace.fs.readFile` without validation. This allows an attacker who can write a JSON command to the watched directory to read any file accessible by the VS Code process, including sensitive credentials or SSH keys.
- [COMMAND_EXECUTION]: The `file-bridge` template in `assets/file-bridge/src/extension.ts` implements a `writeFile` handler that accepts `filePath` and `content` parameters. It writes to the specified path without ensuring it stays within the workspace, enabling arbitrary file writes that can be used to achieve persistence or modify system configuration.
- [PROMPT_INJECTION]: The `file-bridge` pattern creates a large surface for indirect prompt injection. By watching the `.vscode/ai-bridge/commands/` directory, the extension effectively grants any process or user capable of writing to that directory (including a malicious repository) the ability to influence the extension's behavior and the agent's context through the IPC mechanism. This is particularly risky given the missing boundary markers and lack of sanitization in the template implementation.
- Ingestion points: `.vscode/ai-bridge/commands/*.json` files (watched by the `FileBridge` class).
- Boundary markers: Absent in the implementation code; the system processes any valid JSON found in the folder.
- Capability inventory: File reading (`readFile`), file writing (`writeFile`), and whitelisted command execution (`executeCommand`), as seen in `assets/file-bridge/src/extension.ts`.
- Sanitization: Path resolution and prefix checks are missing in the template code, although they are suggested in the `references/ai-integration.md` documentation.
Audit Metadata