Delays with extension reviews

Developers Developer Announcements
1

We’d like to let you know that we are aware of delays with getting extension reviews done and we apologise for any delays you are experiencing.

There are a few things going on that are causing this:

  • We’re trying to bring more automation to our extension review process but this has had a few teething problems and we are still working through these. Over the medium term we are hoping to make early-process triage all automated so you can get any fail results straight away with good enough feedback to fix identified issues.
  • We have been seeing a big increase in submissions, which is great but which has taken us a bit by surprise.
  • The increase in submissions is coming with a higher degree of variance in quality. If you are heavily relying on AI to create your extensions, please make sure that you are still offering something useful and original. Please use our review guidelines to help the extension arrive in a state more likely to be approved.

To help us process extension submissions we will be prioritising the following:

  1. Reviews for submissions from vendors for paid extensions are being given highest priority
  2. Reviews for submissions from subscribers are being given the next level of priority
  3. Reviews for submissions which are updates to existing popular extensions are given the next level of priority.

Obviously we want to be able to promptly provide feedback quickly on all extension submissions and this is where we are aiming to be. We are really excited to see a lot of interest in submitting proposals - just be sure to review the criteria before submitting to help us limit delays.

Thanks - Extensibility team

(Resources)
Requirements:
https://ruby.sketchup.com/file.extension_requirements.html
Best security practices:
https://developer.sketchup.com/article-security-best-practises

2

Hi Andrew @corney,

Thank you for the explanation, I can imagine you have full hands of vibe coded extensions to review :slight_smile:

How about if you put Claude Mythos to work? I’m sure Trimble is big enough to get access to it.

And then we can also see if it’s a real deal or a marketing hype :smiling_face_with_sunglasses:

Cheers
Jernej

3

I wish! No mythos here yet unfortunately Jernej.

Thanks for understanding!

4

To: Andrew @corney, @thomthom, @eneroth3, @jiminybillybob, @Matheron

TL;DR

I’d like to propose two complementary tools that move first-pass validation out of your queue and into developers’ local workflows — before the Submit button is ever pressed. Both are designed to be community-built, open-source, and low-maintenance for your team.

Context: How Other Ecosystems Handle This

You’re not alone in this challenge. Every major extension/plugin marketplace has wrestled with the same surge-quality-security trilemma:

  • VS Code Marketplace (Microsoft): Runs automated malware scans on every submission and recently added secret scanning in their vsce CLI tool so developers catch credential leaks before upload. They also introduced a Trusted Publisher badge system to fast-track trusted vendors — directly analogous to your paid/subscriber prioritization.

  • Open VSX Registry (Eclipse Foundation): Just rolled out mandatory pre-publication security checks in early 2026 — scanning for namespace impersonation, accidental secrets, and known malicious patterns. Suspicious submissions are quarantined for manual review rather than blocked entirely. Their key insight: shift from reactive to proactive.

  • npm: The publish-please / npm audit ecosystem lets developers dry-run a publish and catch vulnerabilities, uncommitted changes, version mismatches, and sensitive files before anything reaches the registry. The prepublish hook enforces this automatically.

  • GitHub Marketplace Actions: Enforces automatic version-tag-to-manifest matching as a publish prerequisite. No mismatch, no publish. Simple, zero-review-team overhead.

The pattern is consistent: the most effective triage is the triage developers do themselves, when given good tooling and fast feedback loops.

Proposal 1 — ew-preflight: A Local Pre-Submit CLI

A command-line tool (Ruby gem) that developers run before packaging their .rbz. It wraps existing tools and adds EW-specific checks.

Tier 1 — Instant checks (< 5 seconds)

These run on every invocation and catch the most common rejection reasons:

Check What it catches
rubocop-sketchup --only SketchupRequirements Namespace pollution, exit!, $LOAD_PATH modification, Gem.install, missing SketchupExtension registration, SketchupRequire with file extension
RBZ structure validation Single root .rb + matching subfolder; root file only registers, doesn’t load
Version consistency check SketchupExtension.new version string vs. EW submission metadata — catches the 1.3.2/1.4.6 class of mismatch your team flagged
Metadata completeness Extension name uniqueness within local namespace; description non-empty; support URL present
Binary / compiled file detection Flags .so, .bundle, .dll files and prompts developer to confirm they have trusted-vendor status
Secret scanning Regex sweep for API keys, tokens, passwords in source (mirrors what VS Code’s vsce now does)

Tier 2 — Deep scan (opt-in, --deep flag, ~30–60 seconds)

Runs an LLM-assisted review against an EW-specific system prompt. Think of it as a local CodeRabbit for SketchUp extensions:

  • Checks for AI-generated “slop” patterns: generic boilerplate, lack of SketchUp API usage, copy-paste from tutorials
  • Flags use of undocumented SketchUp APIs
  • Detects obfuscated code blocks that would trigger your security concern about compiled/encrypted submissions
  • Reviews observer callbacks for missing start_operation with transparent flag
  • Can run locally via Ollama (no cloud dependency) or OpenAI-compatible endpoint

Output example

$ ew-preflight build/my_extension.rbz

EW Preflight v1.0 — AgiliCity
================================
✅  RBZ structure valid
✅  Single root .rb loader
✅  SketchupExtension registered (load-default: true)
✅  No global namespace pollution detected
⚠️  VERSION MISMATCH — loader: 2.1.0 / EW metadata: 2.0.9
❌  SketchupRequire: remove .rb extension on line 14 of main.rb
❌  Binary detected: libs/x64/my_solver.so — confirm trusted-vendor status
ℹ️  Run with --deep for AI-assisted quality review

2 errors, 1 warning. Fix errors before submitting.

Distribution

  • Ruby gem: gem install ew-preflight
  • GitHub Action: uses: sketchup-community/ew-preflight@v1 — runs on every push/tag
  • Works offline; no EW account required

Proposal 2 — Open a Subset of ew-review to the Community

We understand your internal ew-review tool is the gold standard, and we’re not asking for full access. A more modest ask:

Publish a read-only “developer preview” mode — a subset of your review checklist as a structured JSON/YAML spec that community tools (including ew-preflight) can consume.

Specifically:

  1. A machine-readable list of auto-rejection rules — the things that are always a hard NO, expressed as a schema developers can validate against locally. Version mismatch format, binary restrictions, namespace requirements, etc.

  2. A versioned “what changed” log — when rules change (like the current version-string policy), developers get notified via gem update rather than finding out after a 3-week queue wait.

  3. Optional: a sandboxed API endpointPOST /ew-review/preflight that accepts an .rbz and returns the Tier 1 results your automated pipeline already produces, without entering the human-review queue. This is essentially what you described as “AI review on submission with feedback visible within a few minutes” — we’d just make it callable by developers before submission too.

This is the model the Open VSX Registry is moving toward, and it has the significant advantage that you control the spec — community tools stay in sync automatically when you update it.

What This Gives Your Team

Current situation With this tooling
Version mismatches discovered in review Blocked at preflight, developer fixes in minutes
Binary files from unknown developers enter queue Flagged locally, developer aware before submitting
AI slop detected manually Tier 2 scan surfaces low-effort submissions
New team member doesn’t know unwritten rules Rules are in the gem; always current
Human reviewer reads every SketchupRequire offense rubocop-sketchup already catches this; just needs a wrapper

The goal is not to replace your review — it’s to ensure that what reaches your queue has already passed the mechanical checks, leaving your reviewers free to focus on the things that actually require human judgment: originality, safety intent, UX quality.

Proposed Next Steps

  1. We build ew-preflight v0.1 (Tier 1 only) — open source, MIT license, community-maintained. We’re happy to build this without any commitment from your team.

  2. We’d welcome a 30-minute call to understand which of your current rejection reasons could be expressed as machine-readable rules. Even a rough list shared informally would let us cover 80% of the cases.

  3. If the sandboxed API endpoint (Proposal 2, item 3) is on your roadmap anyway, we’d love to be early testers.

We recognize you’re stretched thin right now, so we’ve deliberately designed this as something the developer community builds for you — not something that requires your team’s engineering time to maintain.

Thanks for all you do keeping the ecosystem healthy!

Disclaimer: I’m posting this on behalf of AgiliCity | Modelur, not as Extensioneers Guild member. But I’m pretty sure some Extensioneers would be interested in contributing if we are to move forward with this.