Extension Risk Scanner
Know what your extensions can do — before they run.
Extension Risk Scanner scans every VS Code extension you install for risky code, suspicious permissions, supply-chain red flags, and prompt-injection patterns. Everything runs on your machine. No cloud uploads. No telemetry.
Works in VS Code, Cursor, VSCodium, and other VS Code–compatible editors.
Why use it
Extensions can read files, run shell commands, and talk to the network. Most are safe — but a compromised or malicious extension is a direct path to credential theft, backdoors, and workspace exfiltration.
Extension Risk Scanner gives you:
- A 0–100 risk score per extension with plain-language explanations
- A security dashboard across all installed extensions
- Pre-install scanning before risky extensions land in your editor
- Optional runtime hooks that block dangerous child_process / network calls from third-party extensions
Quick start
- Install Extension Risk Scanner from the Marketplace.
- Open the Extension Risk Scanner icon in the Activity Bar (shield).
- Run Guard: Scan All Installed from the Command Palette (Ctrl+Shift+P / Cmd+Shift+P).
Scores appear under Scored extensions in the sidebar. Click the status bar shield for the full dashboard.
Features
| Feature | What it does |
| --- | --- |
| Static analysis | Scans extension source for malware patterns, obfuscation, dangerous APIs, and manifest abuse |
| Risk scoring | Combines signals into a single score with severity bands (low → critical) |
| Extension dashboard | Color-coded overview of every installed extension |
| Per-extension report | Detailed findings with file paths and plain-language help |
| Pre-install gate | Scans extensions before install when possible; blocks high-risk installs |
| Runtime protection | Optional hooks on child_process, network, and filesystem (configurable) |
| Update watcher | Rescans when extensions update or change on disk |
| Signed reports | Scan results stored locally in ~/.vscode-auditor/reports/ |
Commands
| Command | Purpose |
| --- | --- |
| Guard: Scan All Installed | Scan every installed extension |
| Guard: Scan Active Extension | Scan the extension shown in the editor |
| Guard: Security Dashboard | Open the risk overview panel |
| Guard: Show Report | Open the detailed report for an extension |
| Guard: Open Reports Folder | Open ~/.vscode-auditor/reports/ |
| Guard: Open Audit Log | Open the local audit log |
| Guard: Trust This Extension | Mark an extension as trusted |
| Guard: Block This Extension | Block an extension from running |
Privacy
- 100% local — extension bytes never leave your machine for analysis
- No telemetry — Extension Risk Scanner does not phone home
- Offline-capable — core scanning works without network access (optional intel feeds update locally when you choose)
Settings
Search extguard in Settings. Common options:
- extguard.autoScanOnInstall — scan new extensions automatically
- extguard.autoScanOnUpdate — rescan after updates
- extguard.runtimeHooksEnabled — enable runtime module hooks
- extguard.blockThreshold — score at which pre-install blocking applies (default: 60)
Compatibility
| Editor | Supported |
| --- | --- |
| Visual Studio Code 1.85+ | Yes |
| Cursor | Yes |
| VSCodium | Yes |
| Visual Studio IDE | No — this is a VS Code extension |
License
MIT — see LICENSE.md.