VS Code extension for isnad-scan — inline security diagnostics for AI agent skills

counterspec/isnad-vscode

ISNAD Scan — VS Code Extension

Inline security warnings for AI agent skills. Automatically detects code injection, prompt injection, credential exfiltration, and supply chain attacks as you edit.

Features

  • Inline diagnostics — Security findings appear directly in the editor with squiggly underlines
  • Auto-scan on save — Every save triggers a scan of the current skill
  • Workspace scan — Scan your entire workspace with one command
  • Status bar — Shows current trust level (Safe / Caution / Danger)
  • Smart skill detection — Automatically finds SKILL.md root directories

Requirements

  • isnad-scan installed (pip install isnad-scan)
  • Python 3.8+

Usage

  1. Open a workspace containing AI agent skills
  2. The extension auto-activates when it finds SKILL.md or AGENTS.md
  3. Security findings appear as inline warnings/errors

Commands

  • ISNAD: Scan Workspace — Full workspace scan
  • ISNAD: Scan Current File — Scan the current file's skill directory

Settings

| Setting | Default | Description |
|---|---|---|
| isnad-scan.pythonPath | python3 | Python interpreter path |
| isnad-scan.scanOnSave | true | Auto-scan on file save |
| isnad-scan.scanOnOpen | true | Auto-scan when opening files |
| isnad-scan.showInfoFindings | false | Show INFO-level findings |

What It Detects

| Category | Examples |
|---|---|
| Code Injection | eval(), exec(), __import__(), dynamic code execution |
| Prompt Injection | Hidden instructions, override keywords, suppression patterns |
| Credential Exfiltration | Obfuscated URLs, env harvesting, encoded payloads |
| Supply Chain | Suspicious dependencies, typosquatting, install hooks |
| Network | Unauthorized HTTP calls, WebSocket C2, DNS exfiltration |

How It Works

The extension runs isnad-scan --json on your skill directories and maps findings to VS Code diagnostics. Each finding includes:

  • Severity — Error (DANGER), Warning (WARN), or Info
  • Pattern ID — Machine-readable identifier (e.g., eval_usage, hidden_url_html)
  • Description — Human-readable explanation
  • Line — Exact line number in the source file
  • Match — The specific text that triggered the finding
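
The mapping described above, sketched as an added example (not the extension's own code). The JSON field names, the 1-based line numbering, and the plain objects standing in for vscode.Diagnostic are assumptions; the sample scanner output and source text are constructed.

```javascript
// Plain-object stand-ins for vscode.Diagnostic so this runs without VS Code.
// Numeric values match vscode.DiagnosticSeverity (Error=0, Warning=1, Information=2).
const Severity = { Error: 0, Warning: 1, Information: 2 };
const SEVERITY_MAP = { DANGER: Severity.Error, WARN: Severity.Warning, INFO: Severity.Information };

// Constructed sample of scanner output. Field names (file, severity, pattern_id,
// description, line, match) are assumed, not isnad-scan's documented schema.
const SAMPLE_JSON = JSON.stringify({
  findings: [
    { file: "skill/run.py", severity: "DANGER", pattern_id: "eval_usage",
      description: "Dynamic code execution via eval()", line: 2, match: "eval(" },
    { file: "skill/run.py", severity: "INFO", pattern_id: "example_info_pattern",
      description: "Informational note", line: 1, match: "import os" },
    { file: "skill/run.py", severity: "WARN", pattern_id: "hidden_url_html",
      description: "URL hidden in markup", line: 99, match: "<!-- http" },
  ],
});
const SAMPLE_SOURCE = "import os\nresult = eval(user_input)";

function toDiagnostics(jsonText, sourceText, { showInfoFindings = false } = {}) {
  const lines = sourceText.split("\n");
  const out = [];
  for (const f of JSON.parse(jsonText).findings || []) {
    // Unknown severities surface as warnings instead of being dropped silently.
    const severity = SEVERITY_MAP[f.severity] ?? Severity.Warning;
    // Mirrors the isnad-scan.showInfoFindings setting (default false).
    if (severity === Severity.Information && !showInfoFindings) continue;
    // Assumed: scanner lines are 1-based, editor positions are 0-based.
    // Clamp so a stale line number cannot point past the end of the file.
    const line = Math.min(Math.max((f.line || 1) - 1, 0), lines.length - 1);
    const text = lines[line];
    const col = f.match ? text.indexOf(f.match) : -1;
    // Underline the matched text when it is found, otherwise the whole line.
    const [start, end] = col >= 0 ? [col, col + f.match.length] : [0, text.length];
    out.push({
      range: { start: { line, character: start }, end: { line, character: end } },
      severity,
      code: f.pattern_id,
      source: "isnad-scan",
      message: `${f.description} [${f.pattern_id}]`,
    });
  }
  return out;
}
```

The third constructed finding reports a line that no longer exists in the file, so its diagnostic is clamped to the last line and underlines it in full.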

Trust Levels

| Level | Meaning |
|---|---|
| 🟢 SAFE | No issues found |
| 🟡 CAUTION | Minor issues, review recommended |
| 🔴 DANGER | Security issues detected — do not run this skill |

Contributing

This extension is part of the ISNAD Protocol — the trust layer for AI agent skills.

License

MIT
