extension-review
Extension Review (Pre-Submission Scanner)
Scan extension source code and predict Chrome Web Store rejection risks. Generate a clear report.
Reference: https://developer.chrome.com/docs/webstore/troubleshooting
Workflow (Execute This)
Step 1: Ask report format
Ask user: Markdown or HTML report? (default: Markdown)
Step 2: Locate and scan extension
# Find extension root
ls manifest.json wxt.config.ts plasmo.config.ts package.json 2>/dev/null
Step 3: Run all checks
Execute these scans in order (see references/scan-checklist.md for grep patterns):
| # | Check | Violation Code | Severity |
|---|---|---|---|
| 1 | Remote code execution (eval, external scripts) | Blue Argon | CRITICAL |
| 2 | Code obfuscation (base64, char encoding) | Red Titanium | CRITICAL |
| 3 | Excessive/unused permissions | Purple Potassium | HIGH |
| 4 | Missing privacy policy | Purple Lithium | HIGH |
| 5 | Missing metadata (icons, description, screenshots) | Yellow Zinc | HIGH |
| 6 | Single purpose violation | Red Magnesium | HIGH |
| 7 | Deceptive behavior (description ≠ functionality) | Red Nickel | HIGH |
| 8 | Insecure data transmission (HTTP) | Purple Copper | HIGH |
| 9 | Keyword stuffing in manifest | Yellow Argon | MEDIUM |
| 10 | Minimum functionality check | Yellow Potassium | MEDIUM |
| 11 | Undisclosed affiliate links | Grey Titanium | MEDIUM |
| 12 | Cryptocurrency mining code | Grey Silicon | CRITICAL |
| 13 | Copyright circumvention (download helpers) | Blue Zinc | CRITICAL |
| 14 | Notification spam patterns | Yellow Nickel | MEDIUM |
| 15 | Data collection without consent | Purple Nickel | HIGH |
Step 4: Generate report
Output report using template in references/report-template.md.
Report structure per issue:
## Issue: [Name]
- **Severity**: CRITICAL / HIGH / MEDIUM
- **Violation Code**: [Chrome code, e.g. Blue Argon]
- **Root Cause**: [What in your code triggers this]
- **File(s)**: [Exact file paths and line numbers]
- **Solution**: [Step-by-step fix]
Report summary:
| Severity | Count |
|----------|-------|
| CRITICAL | X |
| HIGH | X |
| MEDIUM | X |
| PASS | X |
Verdict: LIKELY APPROVED / NEEDS FIXES / WILL BE REJECTED
Step 5: Save report
- Markdown: save as
extension-review-report.mdin project root - HTML: save as
extension-review-report.htmlwith simple, readable styling
References
references/scan-checklist.md— Grep patterns and detection logic for all 15 checksreferences/violation-codes.md— All Chrome Web Store violation codes with descriptionsreferences/report-template.md— Markdown and HTML report templates
Related Skills
extension-analyze— Deeper security audit (code quality, XSS, CSP)extension-publish— Full publishing workflow after review passesextension-manifest— Fix manifest issues found in review
More from quangpl/browser-extension-skills
extension-ui
Build polished Chrome extension UIs (popup/sidepanel/options). Analyze existing UI, suggest improvements, set up design systems, enforce a11y and UX best practices.
21extension-analyze
Audit Chrome extensions for security issues, best practice violations, performance problems, and CWS compliance. Scans manifest, code, CSP, message handlers, storage, and dependencies.
20extension-create
Auto-scaffold Chrome extensions with WXT or Plasmo. Ask user for name/features, scaffold, configure entrypoints. Use when: create extension, scaffold, new extension.
19extension-manifest
Generate and validate manifest.json with optimal permissions for Chrome MV3 extensions. Analyzes code to determine minimum permissions. Use when: manifest, permissions, manifest.json.
18extension-dev
Detect Chrome extension framework/stack, find proper docs, implement features, and debug across service worker, content script, and popup contexts.
17extension-assets
Generate and manage all Chrome extension assets: icons (16–128px), CWS listing images, promotional tiles, and public/ folder setup. Supports ImageMagick, Gemini API, and manual prompt templates.
16