I run a small programming YouTube channel and someone with a Gmail address asked if they could sponsor me.

They wanted me to review this VSCode extension[1].

Everything seems super dodgy: the extension only has 2 reviews, and the linked repo[2] doesn't actually contain the source code.

I downloaded the sources from the extension marketplace, but the code is minified and obfuscated. I tried a de-minifier, but the file is a few thousand lines long so it's hard to say if there's malicious code.

Is there a way to determine if this extension is safe to use? Simply installing it could give an attacker full access to my machine, right?

[1] https://marketplace.visualstudio.com/items?itemName=solomonkinard.git-blame
[2] https://github.com/solomonkinard/public
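A first triage step for the situation described in the question (a marketplace package with no readable source) is to unpack the .vsix yourself and look at the manifest and the bundled JavaScript before anything is installed. The script below is an added example, not code from the thread or from the extension: it reads a VSIX (a zip with an `extension/` folder), reports the activation events and declared `main` entry point, measures how minified each JS file is, and counts occurrences of a few API patterns a reviewer would want explained (process spawning, `eval`, hard-coded URLs, file writes). The regex list and the embedded sample package are constructed for the demo.

```python
import io
import json
import re
import zipfile

# Constructed list of API patterns worth a closer look in extension code.
RISKY = {
    "child_process": re.compile(r"child_process|execSync|spawn\("),
    "eval": re.compile(r"\beval\(|new Function\("),
    "network": re.compile(r"https?://[^\s'\"]+"),
    "fs_write": re.compile(r"writeFileSync|createWriteStream"),
}

def triage_vsix(data: bytes) -> dict:
    """Summarise a VSIX: manifest facts, minification, and risky API hit counts."""
    report = {"manifest": {}, "chars_per_line": {}, "hits": {}}
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        manifest = json.loads(z.read("extension/package.json"))
        events = manifest.get("activationEvents", [])
        report["manifest"] = {
            "name": manifest.get("name"),
            "main": manifest.get("main"),
            "activationEvents": events,
            # "*" means the extension runs on every VS Code start, not on demand.
            "activates_on_startup": "*" in events,
            "repository": manifest.get("repository"),
        }
        for name in z.namelist():
            if not name.endswith(".js"):
                continue
            src = z.read(name).decode("utf-8", errors="replace")
            lines = src.splitlines() or [""]
            # Minified bundles pack hundreds of chars per line; readable code does not.
            report["chars_per_line"][name] = len(src) // len(lines)
            found = {k: len(p.findall(src)) for k, p in RISKY.items()}
            report["hits"][name] = {k: v for k, v in found.items() if v}
    return report

def build_sample() -> bytes:
    """Constructed VSIX for the demo: startup activation plus a minified bundle."""
    manifest = {"name": "sample-ext", "main": "./out/extension.js",
                "activationEvents": ["*"], "repository": "https://example.invalid/repo"}
    js = ('const c=require("child_process");exports.activate=function(){'
          'c.execSync("whoami");fetch("https://example.invalid/telemetry")};')
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("extension/package.json", json.dumps(manifest))
        z.writestr("extension/out/extension.js", js)
    return buf.getvalue()

if __name__ == "__main__":
    print(json.dumps(triage_vsix(build_sample()), indent=2))
```

The counts do not prove anything malicious on their own; they tell you which files and call sites to de-minify and read first, and a `*` activation event combined with process spawning is exactly the kind of combination a sponsor should be asked to justify.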
100% stay away from it.

I think a better question is: "How can you ensure any VS Code extension is safe to use?"

Understanding exactly what an extension does and getting clarity around how it operates is something that I'd like to better understand as well.

It makes me think that moving to other editors like Neovim might be a safer way to go, if Microsoft has created an environment where malicious plug-ins can operate.
I obviously cannot vouch for the safety of this extension, but I'll just post this quote from the VS Code docs:

> The Marketplace runs a virus scan on each extension package that's published to ensure its safety. The virus scan is run for each new extension and for each extension update. Until the scan is all clear, the extension won't be published in the Marketplace for public usage.

Source: https://code.visualstudio.com/docs/editor/extension-marketplace#_can-i-trust-extensions-from-the-marketplace