
/validate-extension

Install

Install the plugin:

$ npx claudepluginhub arustydev/agents --plugin browser-extension-dev


Description

Validate browser extension for manifest issues, CSP violations, and cross-browser compatibility

Argument
[path] [--browsers chrome,firefox,safari] [--fix] [--strict]

Allowed Tools
Read, Write, Edit, Glob, Grep, Bash(npx:*), Bash(web-ext:*), Bash(wxt:*), Bash(cat:*), Bash(jq:*), Bash(ls:*), AskUserQuestion

Command Content

Validate Browser Extension

Comprehensive validation of browser extensions checking manifest compatibility, CSP issues, API usage, and cross-browser support.

Arguments

  • $1 - Path to extension directory (default: current directory)
  • --browsers - Target browsers to validate against (default: chrome,firefox). Options: chrome, firefox, safari, edge, all
  • --fix - Attempt to auto-fix issues where possible
  • --strict - Fail on warnings (not just errors)
  • --output - Output format: terminal, json, markdown (default: terminal)

Workflow

Step 1: Detect Extension Type

Determine if this is a WXT project or raw extension:

# Check for WXT
if [ -f "wxt.config.ts" ] || [ -f "wxt.config.js" ]; then
  TYPE="wxt"
  # Build first to get manifest
  npx wxt build --analyze
else
  TYPE="raw"
fi

Locate the manifest:

# WXT: dist/<browser>-mv3/manifest.json
# Raw: manifest.json or src/manifest.json

Step 2: Run Web-ext Lint

For all extension types:

npx web-ext lint --source-dir <dist-path> --output json

Parse and categorize results:

| Severity | Action |
|----------|--------|
| error | Must fix before submission |
| warning | Should fix, may cause rejection |
| notice | Best practice recommendation |

Step 3: Validate Manifest

3.1 Required Fields

Check presence of required fields:

manifest_version: 3
name: <string, max 45 chars>
version: <semver>
description: <string, max 132 chars>
icons: { 16, 32, 48, 128 }

3.2 Permission Audit

Check against hardening rules:

| Check | Severity | Rule |
|-------|----------|------|
| Uses <all_urls> | error | Avoid broad host permissions |
| Uses *://*/* | error | Narrow to specific domains |
| Unused permissions declared | warning | Remove unnecessary permissions |
| Sensitive permissions without justification | warning | Document in store listing |
| Missing optional_permissions for upgradeable perms | notice | Better UX |

Sensitive permissions that require justification:

tabs, history, bookmarks, downloads, webRequest,
webRequestBlocking, management, debugger, proxy,
cookies, clipboardRead, clipboardWrite, geolocation

3.3 Browser-Specific Checks

Firefox:

// Required for AMO submission
browser_specific_settings: {
  gecko: {
    id: "<email-format-id>",  // Required
    strict_min_version: "109.0",  // Recommended

    // Required since Nov 2025 (reported below as gecko.data_collection_permissions)
    data_collection_permissions: {
      required: [],
      optional: []
    }
  }
}

Chrome:

// Recommended
minimum_chrome_version: "116"

// MV3 required
background: {
  service_worker: "background.js"
}

Safari:

// Check for PrivacyInfo.xcprivacy in Xcode project
// Not in manifest, but required for App Store

Step 4: Validate CSP

4.1 Check content_security_policy

// BAD: Allows unsafe-eval
"content_security_policy": {
  "extension_pages": "script-src 'self' 'unsafe-eval'"
}

// GOOD: Strict CSP
"content_security_policy": {
  "extension_pages": "script-src 'self'; object-src 'self'"
}

| Check | Severity | Rule |
|-------|----------|------|
| Contains unsafe-eval | error | Store rejection |
| Contains unsafe-inline | error | Store rejection |
| External script URLs | error | Remote code execution |
| Missing CSP (MV3) | warning | Use strict default |
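
The broad-host and sensitive-permission rows of the 3.2 table and the rows of the 4.1 CSP table, applied to a parsed manifest. This is an added example, not code from the plugin: the function names, the finding codes and the sample manifest are constructed for illustration, and it handles only the MV3 object form of content_security_policy.

```javascript
// Lists copied from section 3.2; finding codes below are made up for this example.
const BROAD_HOSTS = new Set(["<all_urls>", "*://*/*"]);
const SENSITIVE = new Set(["tabs", "history", "bookmarks", "downloads", "webRequest",
  "webRequestBlocking", "management", "debugger", "proxy", "cookies",
  "clipboardRead", "clipboardWrite", "geolocation"]);

// Parse a CSP string and return the sources that govern scripts
// (script-src, falling back to default-src; first occurrence of a directive wins).
function scriptSources(policy) {
  const directives = new Map();
  for (const part of policy.split(";")) {
    const [name, ...values] = part.trim().toLowerCase().split(/\s+/);
    if (name && !directives.has(name)) directives.set(name, values);
  }
  return directives.get("script-src") ?? directives.get("default-src") ?? [];
}

function auditManifest(manifest) {
  const findings = [];
  const add = (severity, code, detail) => findings.push({ severity, code, detail });
  // MV3 keeps API permissions and host patterns in separate keys; audit both.
  for (const p of [...(manifest.permissions ?? []), ...(manifest.host_permissions ?? [])]) {
    if (BROAD_HOSTS.has(p)) add("error", "BROAD_HOST_PERMISSION", p);
    else if (SENSITIVE.has(p)) add("warning", "SENSITIVE_PERMISSION", p);
  }
  const csp = manifest.content_security_policy?.extension_pages; // MV3 object form
  if (typeof csp !== "string") {
    add("warning", "MISSING_CSP", "extension_pages");
    return findings;
  }
  for (const src of scriptSources(csp)) {
    // Exact token match: 'wasm-unsafe-eval' must not be reported as 'unsafe-eval'.
    if (src === "'unsafe-eval'") add("error", "CSP_UNSAFE_EVAL", src);
    else if (src === "'unsafe-inline'") add("error", "CSP_UNSAFE_INLINE", src);
    else if (/^https?:/.test(src)) add("error", "CSP_EXTERNAL_SCRIPT", src);
  }
  return findings;
}

// Constructed sample manifest, not taken from a real extension.
const sampleManifest = {
  manifest_version: 3, name: "sample", version: "1.0.0",
  permissions: ["storage", "cookies"],
  host_permissions: ["<all_urls>", "https://*.example.com/*"],
  content_security_policy: {
    extension_pages: "script-src 'self' 'wasm-unsafe-eval' https://cdn.example.com; object-src 'self'",
  },
};
console.log(auditManifest(sampleManifest));
```

Parsing the policy into tokens is what separates this from a substring search: a plain search for unsafe-eval would also hit 'wasm-unsafe-eval'.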

4.2 Scan Source Files

Check for CSP violations in code:

# Find eval() usage (-n prints line numbers for the report; "." is the search root)
grep -rn "eval(" --include="*.js" --include="*.ts" .

# Find new Function()
grep -rn "new Function" --include="*.js" --include="*.ts" .

# Find innerHTML assignments (review any that use variables)
grep -rn "innerHTML[[:space:]]*=" --include="*.js" --include="*.ts" .

# Find document.write
grep -rn "document\.write" --include="*.js" --include="*.ts" .

Step 5: API Compatibility Check

5.1 Detect Used APIs

Scan source files for browser API usage:

# Extract API calls (unique namespace.member pairs under the current directory)
grep -rohE "browser\.\w+\.\w+" --include="*.js" --include="*.ts" . | sort -u
grep -rohE "chrome\.\w+\.\w+" --include="*.js" --include="*.ts" . | sort -u

5.2 Check Compatibility Matrix

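| API | Chrome | Firefox | Safari | Edge |
|-----|--------|---------|--------|------|
| sidePanel.* | 114+ | - | - | 114+ |
| offscreen.* | 109+ | - | - | 109+ |
| scripting.executeScript | Full | Full | Limited | Full |
| declarativeNetRequest | Full | Partial | Limited | Full |
| action.* (MV3) | Full | Full | Full | Full |
| browserAction.* (MV2) | MV2 | MV2/3 | MV2 | MV2 |
| storage.session | 102+ | 115+ | 16.4+ | 102+ |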

Report incompatible APIs:

⚠️ chrome.sidePanel used but not available in Firefox, Safari
⚠️ chrome.offscreen used but not available in Firefox, Safari
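
Steps 5.1 and 5.2 combined, as an added example that is not the plugin's own code: it extracts chrome.* and browser.* calls with file and line, then checks each against the matrix and against the minimum browser version the manifest declares. The function names, the status strings and the sample sources are constructed; the target minimums 116 and 109 are the values recommended in section 3.3.

```javascript
// Support data transcribed from the 5.2 matrix ("-" = not available).
const MATRIX = {
  "sidePanel": { chrome: "114+", firefox: "-", safari: "-", edge: "114+" },
  "offscreen": { chrome: "109+", firefox: "-", safari: "-", edge: "109+" },
  "scripting.executeScript": { chrome: "Full", firefox: "Full", safari: "Limited", edge: "Full" },
  "declarativeNetRequest": { chrome: "Full", firefox: "Partial", safari: "Limited", edge: "Full" },
  "storage.session": { chrome: "102+", firefox: "115+", safari: "16.4+", edge: "102+" },
};

// Classify one matrix cell against the minimum version declared for that browser.
function classify(cell, minVersion) {
  if (cell === "-") return "unsupported";
  if (cell === "Partial" || cell === "Limited") return "limited";
  const needed = parseFloat(cell); // "115+" -> 115, "Full" -> NaN
  // An undeclared minimum (undefined) also fails this comparison and is reported.
  if (!Number.isNaN(needed) && !(minVersion >= needed)) return `requires ${cell}`;
  return null; // fully supported for this target
}

// sources: { filename: text }; targets: { browser: declared minimum version }
function checkCompatibility(sources, targets) {
  const findings = [];
  const seen = new Set(); // report each api/browser pair once, at first use
  for (const [file, text] of Object.entries(sources)) {
    text.split("\n").forEach((src, i) => {
      for (const [, ns, member] of src.matchAll(/\b(?:chrome|browser)\.(\w+)\.(\w+)/g)) {
        // Prefer a namespace.member row (storage.session) over a namespace row.
        const api = Object.hasOwn(MATRIX, `${ns}.${member}`) ? `${ns}.${member}` : ns;
        if (!Object.hasOwn(MATRIX, api)) continue;
        for (const [browser, minVersion] of Object.entries(targets)) {
          const status = classify(MATRIX[api][browser], minVersion);
          if (!status || seen.has(`${api}/${browser}`)) continue;
          seen.add(`${api}/${browser}`);
          findings.push({ api, browser, status, file, line: i + 1 });
        }
      }
    });
  }
  return findings;
}

// Constructed sample sources, not taken from a real extension.
const sampleSources = {
  "src/background.js": "chrome.sidePanel.setOptions({ path: 'panel.html' });\nawait chrome.storage.session.set({ k: 1 });",
  "src/popup.js": "browser.tabs.query({});\nchrome.sidePanel.open({ windowId });",
};
const sampleTargets = { chrome: 116, firefox: 109 };
console.log(checkCompatibility(sampleSources, sampleTargets));
```

With these inputs the check also reports storage.session for Firefox, because the matrix lists 115+ while the declared strict_min_version is 109.0.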

5.3 Polyfill Check

Verify webextension-polyfill usage for cross-browser:

# Check if polyfill is installed
grep "webextension-polyfill" package.json

# Check if browser.* is used (polyfill) vs chrome.* (Chrome-only)

Step 6: Content Script Analysis

6.1 Match Pattern Validation

// Validate match patterns (one entry per pattern shown; a real entry also lists js/css)
content_scripts: [
  { matches: ["*://*.example.com/*"] },  // Valid
  { matches: ["<all_urls>"] },  // Warning: very broad
  { matches: ["*://*/*"] }  // Warning: very broad
]

6.2 Run-at Timing

// Check run_at setting
run_at: "document_idle"  // Recommended (default)
run_at: "document_start"  // Warning: may cause issues
run_at: "document_end"  // OK

6.3 World Setting

// MV3 world setting
world: "ISOLATED"  // Default, safe
world: "MAIN"  // Warning: security implications

Step 7: Generate Report

Terminal Output (default)

╭──────────────────────────────────────────────────────────────╮
│  Extension Validation Report                                  │
│  my-extension v1.0.0                                         │
╰──────────────────────────────────────────────────────────────╯

📋 Manifest Validation
  ✓ Required fields present
  ✓ Icons all sizes present
  ⚠ Missing gecko.data_collection_permissions (Firefox 2025+)
  ✗ Uses <all_urls> - narrow to specific domains

🔒 CSP Validation
  ✓ No unsafe-eval
  ✓ No unsafe-inline
  ✗ Found eval() in src/utils.js:42

🌐 Cross-Browser Compatibility
  Chrome:  ✓ Compatible
  Firefox: ⚠ 2 issues
    - Missing gecko.id
    - Uses chrome.sidePanel (not supported)
  Safari:  ⚠ 3 issues
    - Uses chrome.offscreen (not supported)
    - Uses chrome.sidePanel (not supported)
    - No PrivacyInfo.xcprivacy detected

📊 Summary
  Errors:   2
  Warnings: 5
  Notices:  3

Run with --fix to auto-fix applicable issues.

JSON Output

{
  "extension": {
    "name": "my-extension",
    "version": "1.0.0",
    "manifestVersion": 3
  },
  "results": {
    "manifest": {
      "errors": [],
      "warnings": [
        {
          "code": "MISSING_GECKO_DATA_COLLECTION",
          "message": "Missing gecko.data_collection_permissions",
          "fix": "auto"
        }
      ]
    },
    "csp": {
      "errors": [
        {
          "code": "EVAL_USAGE",
          "file": "src/utils.js",
          "line": 42,
          "fix": "manual"
        }
      ]
    },
    "compatibility": {
      "chrome": { "supported": true, "issues": [] },
      "firefox": { "supported": true, "issues": [...] },
      "safari": { "supported": false, "issues": [...] }
    }
  },
  "summary": {
    "errors": 2,
    "warnings": 5,
    "notices": 3,
    "fixable": 3
  }
}

Step 8: Auto-Fix (if --fix)

Fixable issues:

| Issue | Fix |
|-------|-----|
| Missing gecko.id | Generate from package name |
| Missing gecko.strict_min_version | Add "109.0" |
| Missing gecko.data_collection_permissions | Add empty arrays |
| Missing minimum_chrome_version | Add "116" |
| Missing icon sizes | Generate from largest |

Non-fixable (manual required):

| Issue | Guidance |
|-------|----------|
| <all_urls> usage | Narrow to specific domains |
| eval() in code | Refactor to static code |
| Unsupported API usage | Feature detection or polyfill |

Validation Rules Reference

Store Rejection Rules

| Rule | Chrome | Firefox | Safari |
|------|--------|---------|--------|
| Obfuscated code | Reject | Reject | Reject |
| Remote code execution | Reject | Reject | Reject |
| Broad host permissions without justification | Reject | Reject | Reject |
| eval() / new Function() | Reject | Reject | Reject |
| Missing privacy policy (if collecting data) | Reject | Reject | Reject |
| Missing gecko.id | N/A | Reject | N/A |
| Missing PrivacyInfo.xcprivacy | N/A | N/A | Reject |

Performance Checks

| Check | Threshold | Severity |
|-------|-----------|----------|
| Total bundle size | >5MB | warning |
| Single file size | >1MB | warning |
| Content script size | >500KB | warning |
| Icon files missing | any | error |

Examples

# Validate current directory
/validate-extension

# Validate specific path
/validate-extension ./my-extension

# Validate for all browsers
/validate-extension --browsers all

# Strict mode (fail on warnings)
/validate-extension --strict

# Auto-fix issues
/validate-extension --fix

# JSON output for CI
/validate-extension --output json > validation.json

Integration with CI

# GitHub Actions example
- name: Validate Extension
  run: |
    npx wxt build
    npx web-ext lint --source-dir dist/chrome-mv3
    # Additional custom checks from this command

Related

  • /create-extension - Scaffold new extension with proper defaults
  • extension-anti-patterns skill - Common mistakes to avoid
  • wxt-framework-patterns skill - Framework patterns and hardening rules

Stats

Stars: 6
Forks: 2
Last Commit: Mar 18, 2026
