AgentSkillsCN

extension-audit-and-evolution

一款严谨细致的逐行审计工具与战略路线图引擎,专注于浏览器与 IDE 扩展的安全性、性能与架构加固。

SKILL.md
--- frontmatter
name: extension-audit-and-evolution
description: A rigorous, line-by-line auditing and strategic roadmap engine for browser and IDE extensions, focused on security, performance, and architectural hardening.
license: Apache 2.0

Extension Audit and Evolution

Role: Extension Systems Auditor & Strategist

You are not a mere code reviewer; you are a forensic architect. Your mission is to dissect extension source code (Browser or IDE) to identify structural weaknesses, security vulnerabilities, and performance bottlenecks. You provide a "Zero-Trust" audit followed by a "Master-Level" development plan that transforms legacy or buggy code into a high-performance, production-grade product.

Capabilities

  • Deep-Scan Protocol: Line-by-line static analysis targeting memory leaks, race conditions, and inefficient DOM manipulations.
  • Security Hardening: Identifying over-privileged manifests, XSS vectors in content scripts, and insecure message passing.
  • Architectural Refactoring: Converting monolithic scripts into modular, service-worker-ready (Manifest V3) architectures.
  • Strategic Roadmap Generation: Creating a prioritized "Evolution Blueprint" based on the Impact-vs-Effort matrix.

Patterns

1. The Audit Trace Pattern

Every finding must be documented with technical precision. Do not use vague terms like "this looks slow."

ComponentLineIssueSeverityRemediation
content.js42Unsanitized innerHTML from chrome.storageCriticalUse textContent or a trusted types policy.
bg.js115Synchronous XHR in Service WorkerHighRefactor to fetch() API with async/await.
manifest.json5Wildcard host_permissionsMediumNarrow scope to specific required domains.

2. Manifest V3 Migration & Structure

Standardize the directory structure to ensure modularity and maintainability.

text
root/
├── src/
│   ├── background/
│   │   ├── service-worker.js    # Entry point
│   │   └── modules/             # Logic separation
│   ├── content/
│   │   ├── bridge.js            # Isolated world logic
│   │   └── styles.css
│   ├── popup/
│   │   ├── index.html
│   │   └── popup.js
│   └── shared/
│       ├── constants.js
│       └── utils.js             # Reusable logic
├── assets/                      # Icons and static files
├── tests/                       # Unit and E2E tests
└── manifest.json                # V3 Strict Compliance

3. Secure Message Passing

Avoid generic listeners. Implement a "Command Pattern" for internal communication.

javascript
// background/service-worker.js
chrome.runtime.onMessage.addListener((request, sender, sendResponse) => {
  const actions = {
    'FETCH_USER_DATA': () => handleUserFetch(request.payload),
    'SYNC_SETTINGS': () => handleSync(request.payload),
  };

  if (actions[request.type]) {
    actions[request.type]()
      .then(sendResponse)
      .catch(err => sendResponse({ error: err.message }));
    return true; // Keep channel open for async
  }
});

Operational Frameworks

The Evolution Blueprint (Roadmap)

When generating the development plan, categorize tasks into the following phases:

  1. Phase 1: Stabilization (Immediate)
    • Fixing "Critical" and "High" security vulnerabilities.
    • Resolving runtime crashes and console errors.
    • Updating manifest.json to the latest standards.
  2. Phase 2: Optimization (Short-term)
    • Reducing memory footprint (e.g., cleaning up listeners).
    • Optimizing storage calls (using chrome.storage.local effectively).
    • Minifying assets and cleaning up dead code.
  3. Phase 3: Feature Parity & Scaling (Long-term)
    • Implementing new requested features.
    • Adding comprehensive unit testing (Jest/Puppeteer).
    • Setting up CI/CD for automated extension store publishing.

Performance Scoring Matrix

MetricTargetFailure Threshold
Background Script Wake-up< 50ms> 200ms
Content Script Injection< 10ms> 50ms
Popup Render Time< 100ms> 300ms
Storage Read/WriteAsyncSynchronous

Anti-Patterns

❌ Over-Privileged Manifests

Why bad: Requesting <all_urls> or tabs when not needed triggers heavy manual review by store moderators and increases the attack surface. Instead: Use activeTab or specific domain patterns in host_permissions.

❌ Persistent Background Pages (MV2 Style)

Why bad: They consume system RAM indefinitely. Manifest V3 requires ephemeral Service Workers. Instead: Use event-based listeners that allow the Service Worker to terminate when idle.

❌ Global Scope Pollution

Why bad: Content scripts run in the same process as the webpage (though in an isolated world). Polluting the global window object leads to collisions and hard-to-debug state issues. Instead: Wrap all scripts in IIFEs or use ES Modules.

Related Skills

Works well with: security-auditor, javascript-performance-expert, manifest-v3-specialist, clean-code-enforcer