Audit all your VS Code extensions in one paste.
After the GitHub breach, you should know what's running inside your editor. ExtensionAudit checks your entire installed list for unverified publishers and stale extensions, instantly, no install required.
Run in terminal
code --list-extensionsPaste the output
into the box belowSee your risk report
per extension, in seconds
What the risk signals mean
Low risk
Publisher is verified on the marketplace AND the extension was updated within the last 6 months.
Review recommended
Publisher is unverified, or the extension hasn't been updated in 6โ12 months. Worth a manual check.
High risk
Publisher is unverified AND the extension hasn't been updated in over a year. Strong candidate for uninstalling.
Unknown
Not found in the public marketplace. Could be a private, corporate, or typo'd extension ID.
What to do with each result
Green: No action needed
- Continue using. Publisher is verified and the extension is actively maintained.
Yellow: Review recommended
- Click the marketplace link and check the extension's GitHub repository for recent activity.
- If you still need it: enable it per-workspace only instead of globally, press Ctrl+Shift+P โ "Enable Extension (Workspace Only)".
- If you don't use it: uninstall it. Unused extensions are pure attack surface.
Red: Evaluate carefully
- Check the last commit date on the GitHub repository. Abandoned + unverified = high risk.
- Ask yourself: have you used this extension in the last 90 days? If no, uninstall it now.
- If you keep it: enable per-workspace only, Ctrl+Shift+P โ "Enable Extension (Workspace Only)".
Unknown: Not in the public marketplace
- This is expected for corporate or private extensions hosted on Azure DevOps.
- If you don't recognise the extension ID, investigate: it may be a typo, a renamed extension, or something you don't remember installing.
- Verify the source through your internal security channels before keeping it.
Make this a quarterly habit
Run code --list-extensions every 3 months and re-paste here. Extensions get compromised after you install them: a verified publisher today is not a guarantee for tomorrow.
Frequently Asked Questions
How does ExtensionAudit work?
- Run
code --list-extensionsin your terminal and paste the output into the text box. - ExtensionAudit parses the list, then queries the VS Code Marketplace API directly from your browser.
- It fetches publisher verification status, install counts, and last update dates for each extension.
- The risk signal is calculated from those factors. No data is sent to DevEncyclopedia servers.
What does the risk signal mean?
| Signal | Meaning |
|---|---|
| ๐ข Green | Publisher verified + updated within 6 months |
| ๐ก Yellow | Publisher unverified, or not updated in 6โ12 months |
| ๐ด Red | Publisher unverified AND not updated in 1+ year |
| โซ Unknown | Not found in the public marketplace |
What is a verified publisher?
The blue checkmark means the publisher verified domain ownership and has maintained good standing for at least six months.
I have red or yellow extensions. What should I do?
- Click the marketplace link and review the extension's GitHub repository for recent activity.
- Ask yourself: have you used this extension in the last 90 days? If no, uninstall it: unused extensions are pure attack surface.
- If you keep it: enable it per-workspace only, press
Ctrl+Shift+Pโ "Enable Extension (Workspace Only)".
Is my extension list private?
ExtensionAudit processes your list entirely in your browser. Extension names are sent directly to the VS Code Marketplace API to fetch metadata. DevEncyclopedia never receives or stores your extension list.
What about private or corporate extensions?
Private extensions hosted on a corporate Azure DevOps feed will not appear in the public VS Code Marketplace. ExtensionAudit shows them as Unknown, that is expected. Evaluate those extensions through your internal security channels.