A VS Code sidebar extension that validates your .zip, .crx, .xpi, or unpacked folder against the published developer policies for Edge, Chrome, Firefox, and Safari — including real reported rejection patterns from each store's review team.
Bundled, version-controlled, and refreshed on a schedule.
Run every store's review checks locally before you submit.
Validate against any combination of Edge, Chrome, Firefox, or Safari with a single click. Multi-select chips on the Validate tab let you scope the run to one browser or all of them.
Point at a packaged .zip / .crx / .xpi or an unpacked source folder. Both are unpacked in memory and scanned line-by-line.
Beyond the official policy lists, the catalog includes reasons real review teams have rejected extensions: Chrome's Blue Argon / Purple Agate / Red Invalid / Yellow Magnesium / Green Terpene / Grey Epsilon, Firefox source-submission failures, Safari §2.5.2 remote-code rejections, and more.
Bright green PASS or red FAIL banner. Every finding includes severity, browser, file path, line number, the offending snippet, and a probable fix.
Generates a copy-pasteable prompt grouping every finding by browser and policy id, ready to drop into ChatGPT, Copilot, or Claude to get a patched extension back.
Capture failure messages your code received from a real review team. Each entry is (browser, message, optional regex, optional fix) and runs alongside the built-in checks on every subsequent validation.
Hashes the upstream policy pages and tells you when a store has changed its rules. Defaults to monthly, configurable via zozimus.refreshIntervalDays.
Export the finding list to .txt or .json, or copy the AI prompt straight to your clipboard. No telemetry, no uploads — every check runs locally.
Examples of real rejection reasons baked into the catalog.
eval, new Function, dynamic <script> injection — rejected by every store and flagged with the exact file:line.
<all_urls>, http://*/* without justification — Chrome's Yellow Magnesium and Safari's §4.4.2 rejections.
Packed string arrays, hex-renamed identifiers, control-flow obfuscation — Chrome's Green Terpene rejection.
Bundled GA, Mixpanel, Segment, Sentry, Amplitude SDKs without consent disclosure — flagged for Firefox AMO and Safari ATT.
No homepage_url / privacy URL when the extension handles user data — Chrome Grey Epsilon, Safari §5.1.1.
Undisclosed ?tag= / ?aff= / ?ref= injection, silent search-engine override — Chrome Purple Agate, Firefox consent rules.
git clone https://github.com/zozimustechnologies/ExtensionValidator
npm install && npm run compile
Open the folder and press F5 to start an Extension Development Host.
Click the shield icon in the Activity Bar, choose your browsers, and pick a package or folder.
Once installed, open the Command Palette (Ctrl+Shift+P) and run any of these.
Zozimus: Validate Extension Package Zozimus: Refresh Browser Store Policies