Prompt Radar
Scan a workspace for prompt fragments, analyze them for prompt smells with an LLM, and review the findings on an interactive radar.
Prompt Radar scores every prompt across five quality dimensions:
| Dimension |
What it measures |
| Formatting |
Clear structure and explicit output expectations |
| Reliability |
Specific, stable instructions that reduce ambiguity |
| Efficiency |
Concise wording without unnecessary token cost |
| Security |
Reduced risk of leakage, injection, or sensitive exposure |
| Safety |
Lower risk of harmful, biased, or policy-problematic outputs |
Getting started
- Open the Prompt Radar view in the Activity Bar.
- Run Scan Workspace — a local scan (no LLM calls) that finds prompt fragments in Python, TypeScript/JavaScript (incl. JSX/TSX), Java, and C# code, prompt-shaped YAML/JSON, and dedicated prompt files (
*.prompt, *.jinja, *.agent.md, …).
- Click a detected fragment (or run Analyze All Detected Prompts) to analyze it. Every LLM call is an explicit user action.
- Review each finding in the radar panel — agree/disagree/unsure with an optional rationale, jump to the evidence in code, and add smells the detector missed.
How scanning works
Scanning is local and LLM-free. A fast prefilter narrows the workspace to files with a real
signal (an LLM SDK import, a dedicated prompt file, prompt-shaped config, or telltale "You are…"
content), then a tree-sitter parser extracts the actual prompt strings from each candidate. The
parser understands each language's string forms and structure, so it catches prompts that text
matching misses and avoids flagging strings in comments:
| Language |
Detects |
| Python |
f-strings, triple-quoted/raw strings, implicit & + concatenation, {"role","content"} message dicts, prompt-named assignments, OpenAI/Anthropic/LangChain/LiteLLM call sites, PromptTemplate |
| JS / TS / JSX / TSX |
template literals (incl. tagged), [{role, content}] message arrays, prompt-named const/field/property, prompt-ish JSX attributes, chat.completions.create & friends |
| Java |
text blocks ("""…"""), Spring AI ChatClient (.prompt/.system/.user), LangChain4j @SystemMessage/@UserMessage, PromptTemplate |
| C# |
verbatim @"…", raw """…""", and interpolated $"…" strings, Semantic Kernel (InvokePromptAsync, CreateFunctionFromPrompt), ChatHistory.Add*Message, OpenAI/Azure chat-message types |
If a grammar can't load on your machine, the scanner automatically falls back to a precise
regex/heuristic extractor — scanning never fails, it just gets a little less accurate. Grammars
ship with the extension as portable WebAssembly (no native binaries).
LLM providers
VS Code Language Model (default): uses the VS Code Language Model API (e.g. GitHub Copilot). Optionally pin a model family via promptRadar.model.
OpenAI-compatible (BYOK): set promptRadar.provider to openaiCompatible, fill in promptRadar.openai.baseUrl and promptRadar.openai.model, and store your API key with Prompt Radar: Configure API Key. Requests go to {baseUrl}/chat/completions with Authorization: Bearer <key>. Works with any OpenAI-compatible endpoint:
| Provider |
promptRadar.openai.baseUrl |
| OpenAI |
https://api.openai.com/v1 |
| DeepSeek |
https://api.deepseek.com |
| Gemini (AI Studio) |
https://generativelanguage.googleapis.com/v1beta/openai |
| Anthropic |
https://api.anthropic.com/v1 |
| Mistral |
https://api.mistral.ai/v1 |
| Groq |
https://api.groq.com/openai/v1 |
| OpenRouter |
https://openrouter.ai/api/v1 |
| xAI |
https://api.x.ai/v1 |
| Ollama (local) |
http://localhost:11434/v1 |
| LM Studio (local) |
http://localhost:1234/v1 |
Set promptRadar.openai.model to a model the endpoint serves, e.g. gpt-4o, deepseek-chat, or gemini-2.5-pro. The key lives in VS Code Secret Storage — never in settings.json.
Azure OpenAI (BYOK): set promptRadar.provider to azureOpenAI, fill in promptRadar.azure.endpoint / deployment / apiVersion, and store your API key with Prompt Radar: Configure API Key. The key lives in VS Code Secret Storage — never in settings.json.
Key settings
| Setting |
Default |
Description |
promptRadar.provider |
vscodeLM |
LLM provider (vscodeLM, openaiCompatible, or azureOpenAI) |
promptRadar.scan.languages |
python, typescript, javascript, java, csharp |
Languages the scanner extracts fragments from |
promptRadar.scan.minConfidence |
0.6 |
Minimum detection confidence for a fragment to be kept |
promptRadar.scan.codeScope |
auto |
How prompts in source code are grouped before analysis |
promptRadar.maxConcurrent |
2 |
Concurrency limit for batch analysis |
promptRadar.inline.diagnostics |
true |
Show smells as squiggles in analyzed files |
promptRadar.inline.hover |
true |
Show smell details on hover |
Data & privacy
- Scanning is fully local; prompt text is only sent to the configured LLM provider when you explicitly analyze a fragment.
- Analysis results and review responses persist under
.prompt-radar/ in the workspace (add it to .gitignore if you don't want it committed).
- Telemetry is opt-in and off by default. With
promptRadar.telemetry.enabled on, each feedback action you take — agreeing/disagreeing with a detected smell (with any comment) or reporting a missed one — is shared anonymously to help improve the smell catalog, together with the analyzed prompt text, the detected smells, the model used, and VS Code's anonymous machine id. Nothing is sent if you never give feedback. API keys and other workspace content are never sent, and telemetry is also disabled whenever VS Code telemetry (telemetry.telemetryLevel) is off. Full details: Privacy Policy.
License
MIT
| |
