Introduction

ShieldX is an extension that audits the extensions already installed in your editor for risk signals, known vulnerabilities, and policy violations. It runs locally inside your editor, reads installed extension metadata, and produces a risk-scored dashboard plus exportable reports.

What ShieldX does

  • Inventories every installed extension and its publisher
  • Analyzes package metadata, suspicious code patterns, and declared dependencies
  • Looks up npm publisher reputation and OSV vulnerability records
  • Aggregates signals into a risk score with a human-readable recommendation
  • Compares the current scan to the previous scan and surfaces what changed
  • Enforces a workspace policy file (allowlist, blocklist, max risk level)
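The list above describes a pipeline: collect signals per extension, fold them into a score and recommendation, diff against the previous scan, and check the result against a workspace policy. The following TypeScript is an added example written for this page, not ShieldX's own code: the signal names, weights, level thresholds, policy shape and the sample inventories (`PREVIOUS_SCAN`, `CURRENT_SCAN`) are all assumptions made for the illustration.

```typescript
// Added example (not ShieldX's own code): a toy model of the scan pipeline above.
// Signal names, weights, level thresholds and the policy shape are assumptions;
// the real extension's internals are not described on this page.

type RiskLevel = "low" | "medium" | "high";

interface ExtensionRecord {
  id: string;             // "publisher.name" as it appears in the inventory
  version: string;
  signals: string[];      // risk signals found by metadata/code analysis (assumed names)
  osvAdvisories: number;  // OSV records matching the extension's declared dependencies
}

interface Policy {
  allowlist?: string[];   // when present, only these ids are permitted
  blocklist: string[];    // never permitted, whatever the score
  maxRiskLevel: RiskLevel;
}

interface ScanResult {
  id: string;
  version: string;
  score: number;          // 0..100
  level: RiskLevel;
  recommendation: string;
}

interface ScanDiff { added: string[]; removed: string[]; changed: string[]; }

// Assumed weights: each signal adds a fixed amount, each OSV record adds OSV_WEIGHT.
const SIGNAL_WEIGHTS: { [signal: string]: number } = {
  "obfuscated-code": 40,
  "eval-usage": 25,
  "network-on-activate": 20,
  "unverified-publisher": 15,
  "new-publisher": 10,
};
const OSV_WEIGHT = 20;
const LEVEL_ORDER: Record<RiskLevel, number> = { low: 0, medium: 1, high: 2 };

function levelFor(score: number): RiskLevel {
  return score >= 60 ? "high" : score >= 30 ? "medium" : "low";
}

// Aggregate one extension's signals into a capped score plus a human-readable recommendation.
function scoreExtension(ext: ExtensionRecord): ScanResult {
  let score = 0;
  for (const s of ext.signals) score += SIGNAL_WEIGHTS[s] ?? 5; // unrecognised signals still count a little
  score = Math.min(100, score + ext.osvAdvisories * OSV_WEIGHT);
  const level = levelFor(score);
  const recommendation =
    level === "high" ? "Manual review before further use; consider disabling."
    : level === "medium" ? "Check the publisher and what changed in this version."
    : "No action needed.";
  return { id: ext.id, version: ext.version, score, level, recommendation };
}

// Report which extensions appeared, disappeared, or changed version/score since the last scan.
function diffScans(previous: ScanResult[], current: ScanResult[]): ScanDiff {
  const prev = new Map(previous.map(r => [r.id, r] as [string, ScanResult]));
  const curIds = current.map(r => r.id);
  return {
    added: curIds.filter(id => !prev.has(id)),
    removed: previous.map(r => r.id).filter(id => curIds.indexOf(id) < 0),
    changed: current
      .filter(r => { const p = prev.get(r.id); return !!p && (p.version !== r.version || p.score !== r.score); })
      .map(r => r.id),
  };
}

// Evaluate the blocklist first, then the allowlist, then the maximum tolerated risk level.
function policyViolations(results: ScanResult[], policy: Policy): string[] {
  const out: string[] = [];
  for (const r of results) {
    if (policy.blocklist.indexOf(r.id) >= 0) out.push(`${r.id}: blocklisted`);
    else if (policy.allowlist && policy.allowlist.indexOf(r.id) < 0) out.push(`${r.id}: not on allowlist`);
    else if (LEVEL_ORDER[r.level] > LEVEL_ORDER[policy.maxRiskLevel]) out.push(`${r.id}: ${r.level} exceeds ${policy.maxRiskLevel}`);
  }
  return out;
}

function runScan(previous: ExtensionRecord[], current: ExtensionRecord[], policy: Policy) {
  const before = previous.map(scoreExtension);
  const results = current.map(scoreExtension);
  return { results, diff: diffScans(before, results), violations: policyViolations(results, policy) };
}

// Constructed sample inventories: ids, versions and signals are made up for this example.
const PREVIOUS_SCAN: ExtensionRecord[] = [
  { id: "acme.linter", version: "1.2.0", signals: [], osvAdvisories: 0 },
  { id: "example.theme", version: "0.9.1", signals: ["new-publisher"], osvAdvisories: 0 },
];
const CURRENT_SCAN: ExtensionRecord[] = [
  { id: "acme.linter", version: "1.3.0", signals: ["network-on-activate"], osvAdvisories: 1 },
  { id: "example.theme", version: "0.9.1", signals: ["new-publisher"], osvAdvisories: 0 },
  { id: "unknown.helper", version: "2.0.0", signals: ["obfuscated-code", "eval-usage"], osvAdvisories: 0 },
];
const WORKSPACE_POLICY: Policy = { blocklist: ["unknown.helper"], maxRiskLevel: "medium" };

const report = runScan(PREVIOUS_SCAN, CURRENT_SCAN, WORKSPACE_POLICY);
console.log(JSON.stringify(report, null, 2));
```

In this model `acme.linter` moves from a clean 1.2.0 to a medium-risk 1.3.0 (one new signal plus one OSV match), which is exactly the kind of change the scan-to-scan comparison is meant to surface, while the policy check fails only on the blocklisted id because the policy tolerates medium risk. Tightening `maxRiskLevel` to `"low"` would also flag the linter; a high score is a prompt to look, not a verdict.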

What ShieldX does not do

  • It does not guarantee that a flagged extension is malicious
  • It does not prevent installation of extensions in real time
  • It does not quarantine or remove extensions on its own
  • It does not sandbox extension code

A high score means "something here is worth checking", not "this is malware". Treat results as a starting point for a manual review.

How a scan is triggered

  • Automatically on startup, when shieldx.autoScanOnStartup is enabled
  • Manually from the command palette: ShieldX: Scan installed extensions
  • Automatically when a new extension is installed or changed in the workspace
  • Programmatically by other commands (export, policy check)

Next steps