Chrome Extension Reviewer
This skill guides the agent through a systematic code review and remediation process for Chrome Extensions, focusing on Manifest V3 compliance, security, and best practices.
Process Overview
- •Analysis: Audit the codebase against the Review Checklist.
- •Remediation: Automatically fix identified issues where safe.
- •Reporting: Generate a comprehensive report of findings and actions.
1. Analysis Phase
Step-by-step audit of the extension architecture:
- •
Manifest Audit (
manifest.json):- •Verify
manifest_versionis 3. - •Check for unnecessary
permissionsandhost_permissions. - •Validate
web_accessible_resources. - •Ensure CSP allows only local resources (no remote script injection).
- •Verify
- •
Service Worker Audit (
background.js):- •Check for persistent listeners (good) vs persistent state variables (bad - SWs are ephemeral).
- •Ensure
chrome.storageis used for state persistence. - •Verify
chrome.runtime.onInstalledis used for initialization.
- •
Content & Popup Script Audit:
- •Check for direct DOM manipulation best practices.
- •Verify message passing (
chrome.runtime.sendMessage) includes error handling (if (chrome.runtime.lastError) ...). - •Ensure no use of
evalorinnerHTML(unless sanitized).
2. Remediation Phase
For every issue found in the Analysis Phase:
- •Auto-fix: If the fix is clear and safe (e.g., updating manifest syntax, wrapping generic event listeners, adding error checks), apply it directly using
replace_file_content. - •Flag: If the fix requires architectural changes or user input, document it as a "Manual Action Required".
3. Reporting Phase
Create a report artifact using the structure in Report Template.
- •File Path:
<appDataDir>/brain/<conversation-id>/code_review_report.md - •Include a summary of all executed fixes.
- •List any logic improvements made.
- •Highlight any manual steps the user needs to take.
Usage Tips
- •Be Proactive: Don't just list errors; fix them.
- •Context Matters: If the extension uses a framework (React/Vue/Tailwind), respect the build process constraints (e.g., no external CDNs in MV3).