Free · Live

Audit all your VS Code extensions in one paste.

After the GitHub breach, you should know what's running inside your editor. ExtensionAudit checks your entire installed list for unverified publishers and stale extensions — instantly, no install required.

  1. Run in terminal: `code --list-extensions`
  2. Paste the output into the box below
  3. See your risk report per extension, in seconds

Your extension list is processed locally. Queries go directly to the VS Code Marketplace — nothing is sent to DevEncyclopedia servers.

What the risk signals mean

Low risk

Publisher is verified on the marketplace AND the extension was updated within the last 6 months.

Review recommended

Publisher is unverified, or the extension hasn't been updated in 6–12 months. Worth a manual check.

High risk

Publisher is unverified AND the extension hasn't been updated in over a year. Strong candidate for uninstalling.

Unknown

Not found in the public marketplace. Could be a private, corporate, or typo'd extension ID.

Frequently asked questions

How does ExtensionAudit work?

You paste the output of `code --list-extensions` into the text box. ExtensionAudit parses the list, then queries the VS Code Marketplace API directly from your browser to fetch publisher verification status, install counts, and last update dates for each extension. The risk signal is calculated from two of those: publisher verification status and last update date. No data is sent to DevEncyclopedia servers.

What does the risk signal mean?

Green means the publisher is verified and the extension was updated within the last 6 months. Yellow means the publisher is unverified, or the extension hasn't been updated in over 6 months. Red means both — the publisher is unverified and the extension hasn't been updated in over a year. Unknown means the extension wasn't found in the marketplace.
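The parse-and-classify logic described in the two answers above, as an added example that is not ExtensionAudit's own code: it runs offline against constructed metadata instead of calling the marketplace. The function names, the ID pattern, the 183/365-day cutoffs, lowercasing IDs for de-duplication, and every extension ID and date are assumptions made for illustration; a verified but stale extension is treated as "review", following the yellow rule as worded above.

```javascript
// Added example. Thresholds follow the page's risk definitions; all IDs and
// metadata below are constructed sample data, not real marketplace results.
const DAY_MS = 24 * 60 * 60 * 1000;
const SIX_MONTHS = 183, ONE_YEAR = 365; // days (assumed calendar approximation)

// Parse `code --list-extensions` output into unique "publisher.name" IDs.
function parseExtensionList(text) {
  const ids = new Set(), rejected = [];
  for (const raw of text.split(/\r?\n/)) {
    const line = raw.trim();
    if (!line) continue;
    const id = line.split("@")[0].toLowerCase(); // drop "@version" suffix
    // Assumed ID shape: publisher.name, alphanumerics plus - _ .
    if (/^[a-z0-9][a-z0-9-]*\.[a-z0-9][a-z0-9._-]*$/.test(id)) ids.add(id);
    else rejected.push(line);
  }
  return { ids: [...ids], rejected };
}

// meta: { verified: boolean, lastUpdated: ISO date } or undefined if not found.
function classify(meta, now) {
  if (!meta) return "unknown";
  const ageDays = (now - Date.parse(meta.lastUpdated)) / DAY_MS;
  if (!meta.verified && ageDays > ONE_YEAR) return "high";
  if (!meta.verified || ageDays > SIX_MONTHS) return "review"; // incl. verified but stale
  return "low";
}

function audit(listText, metadata, now) {
  const { ids, rejected } = parseExtensionList(listText);
  const report = ids.map((id) => ({ id, risk: classify(metadata.get(id), now) }));
  // Lines that are not valid IDs cannot be looked up, so they stay "unknown".
  return report.concat(rejected.map((line) => ({ id: line, risk: "unknown" })));
}

const SAMPLE_LIST = `example-corp.linter@2.4.1
Solo-Dev.theme-pack
abandoned.snippets
old-verified.formatter
acme-internal.tools
not an extension id`;
const SAMPLE_META = new Map([
  ["example-corp.linter", { verified: true, lastUpdated: "2026-04-10" }],
  ["solo-dev.theme-pack", { verified: false, lastUpdated: "2026-03-01" }],
  ["abandoned.snippets", { verified: false, lastUpdated: "2024-11-15" }],
  ["old-verified.formatter", { verified: true, lastUpdated: "2024-01-20" }],
]);
const SAMPLE_NOW = Date.parse("2026-06-01"); // fixed so the result is repeatable
console.table(audit(SAMPLE_LIST, SAMPLE_META, SAMPLE_NOW));
```
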

What is a verified publisher?

A verified publisher badge (the blue checkmark on the marketplace) means the publisher verified domain ownership and has maintained good standing for at least six months. It's a meaningful signal but not a guarantee — the May 2026 Nx Console breach happened through a verified publisher whose account token was stolen.

I have red or yellow extensions. What should I do?

Click the marketplace link to review the extension manually. Check whether it's still actively maintained, whether the GitHub repository has recent activity, and whether you actually still need it. Uninstall anything you don't actively use. For extensions you keep, consider enabling them per-workspace rather than globally to limit their access.

Is my extension list private?

Yes. ExtensionAudit processes your list entirely in your browser. The extension names are sent directly to the VS Code Marketplace API (Microsoft's servers) to fetch metadata — the same request the marketplace website makes. DevEncyclopedia never receives or stores your extension list.

What about private or corporate extensions?

Private extensions hosted on a corporate Azure DevOps feed won't appear in the public VS Code Marketplace. ExtensionAudit will show them as 'not found in marketplace' with an unknown risk signal. That's expected behavior — you'll need to evaluate those extensions through your internal channels.