extension-check

extension-check

An agent skill from Knostic that audits installed Cursor, VS Code, and Copilot extensions against AgentMesh, a reputation serice providing threat intelligence on agentic supply-chain risks, including extensions, skills, and MCP servers.

The core of this repository is a single skill: skills/extension-check/SKILL.md. The skill enforces a structured AgentMesh search per extension (publisher:X name:Y), parses the rendered search results, matches versions, and produces a tabular audit report.

As a skill, extension-check may not be 100% consistent. We have an API on AgentMesh for you to ingest data directly. See LICENSE.

For convenience, the skill is also packaged as a Claude Code plugin (this repo doubles as a Claude Code plugin marketplace), and the same skill folder installs directly into Cursor's native Agent Skills system.

And if you like what we do and are looking to discover and defend your agents and coding assistants:

• Check out Knostic for a demo
• Or, you can use Kirin for free, for up to five users.

And some of our other open source:

• OpenAnt, professionally scan your code using LLMs.
• AgentSonar, discover and classify your shadow AI.

What the skill does

• Detects the editor(s) to audit (Cursor / VS Code / VS Code Insiders)
• Lists installed extensions via the editor CLI or extensions.json fallback
• Builds a structured AgentMesh search query for each extension
• Matches the AgentMesh result row to the installed extension and compares version
• Reports MATCH, VERSION_MISMATCH, NOT_FOUND, or PARTIAL with risk labels

See skills/extension-check/SKILL.md for the full workflow.

Installation

The same skills/extension-check/ folder works in two hosts:

• Claude Code — installable either as a plugin (via the bundled marketplace) or as a plain user skill.
• Cursor — installable as a native Cursor Agent Skill by dropping the folder into .cursor/skills/ (project) or ~/.cursor/skills/ (global). Cursor has no plugin marketplace; skills are discovered from those directories.

Claude Code

This repository ships a Claude Code plugin marketplace manifest at .claude-plugin/marketplace.json, serving a single plugin (extension-check).

Option A — install from a remote git repository (recommended)

In a Claude Code session:

/plugin marketplace add <your-git-host>/<owner>/extension-check-skill
/plugin install extension-check@knostic-extension-check

Replace <your-git-host>/<owner>/extension-check-skill with the URL of wherever this repository is hosted (e.g. github.com/knostic/extension-check-skill).

To update later:

/plugin marketplace update knostic-extension-check
/plugin install extension-check@knostic-extension-check

Option B — install from a local clone

Clone (or download) this repository and point Claude Code at the local path:

git clone <repo-url> ~/code/extension-check-skill

Then in Claude Code:

/plugin marketplace add ~/code/extension-check-skill
/plugin install extension-check@knostic-extension-check

Any local path that points at the directory containing .claude-plugin/marketplace.json works.

Option C — drop the skill into your user skills directory

If you don't want to use the plugin marketplace at all, copy just the skill folder into your Claude Code skills directory:

cp -R skills/extension-check ~/.claude/skills/extension-check

Restart Claude Code (or start a new session) and the extension-check skill will be available.

Verifying the install (Claude Code)

After installation, run:

/plugin marketplace list
/plugin list

You should see knostic-extension-check listed as a marketplace and extension-check listed as an installed plugin.

Cursor

Cursor (≥ 2.4) supports Agent Skills as SKILL.md folders discovered from .cursor/skills/ and ~/.cursor/skills/. There is no plugin or marketplace mechanism — installation is just dropping the folder in the right place.

Option A — install globally (all Cursor projects)

git clone <repo-url> /tmp/extension-check-skill
mkdir -p ~/.cursor/skills
cp -R /tmp/extension-check-skill/skills/extension-check ~/.cursor/skills/extension-check

Option B — install per project

From the root of a project where you want the skill available:

mkdir -p .cursor/skills
cp -R <path-to-this-repo>/skills/extension-check .cursor/skills/extension-check