FAQ
Why does "High risk" not always mean malicious?
The score combines visible signals — missing repo, suspicious patterns, low publisher reputation, known CVEs. A legitimate extension can hit several of these (e.g. a new publisher with a small audience). Treat High as "review this", not "delete this".
Why do some extensions show no OSV results?
OSV indexes specific ecosystems. Extensions that bundle their dependencies, ship without declared dependencies, or use ecosystems OSV does not cover will return no advisories. Absence is not a clean bill of health.
Why is PDF export unavailable?
PDF rendering requires a Chrome-compatible browser binary. If ShieldX cannot find one on PATH and shieldx.pdfBrowserPath is empty, it falls back to HTML. Install Chrome/Chromium/Edge/Brave, or set the path explicitly.
Why do old history entries disappear?
History retention is capped by shieldx.maxHistoryItems. Default is 10. Raise it if you want longer local history, up to 100.
Why does the allowlist flag every other extension?
That is its job. allowedExtensions, when non-empty, switches the workspace into a closed-list mode. Add the extensions you want, or use maxRiskLevel instead for a softer policy.
Why is the dashboard showing old results?
Until you run a scan in a new session, ShieldX shows the cached results of the last scan rather than a blank UI. Click Scan now to refresh. Auto-scan on startup (when enabled) handles this for you.
Why is a scan slow?
Network lookups dominate scan time. The OSV API and npm download endpoints can be rate-limited or slow. Disable shieldx.enableOsvScan for a faster but less complete scan.
Why does a popular extension still register as risky?
Popularity is a trust signal, not a guarantee. ShieldX does not down-weight risk factors just because an extension is widely installed. Read the detail panel to see what triggered the score.