Local AI VS Code extension blocks insecure code generation during saves

A developer created a VS Code extension that runs llama3.1:8b-instruct-q4 locally to physically block saves containing insecure AI-generated code. The tool was built after Claude generated a Flask route with a textbook CWE-117 (Log Injection) vulnerability.
How it works
The extension intercepts your save operations in VS Code, runs the llama3.1:8b-instruct-q4 model locally, maps the source-to-sink execution flow of the code, and throws a hard block if the AI generated something dangerous. The entire system operates offline with no cloud dependencies or API keys required.
Specific details from the source
- Model used: llama3.1:8b-instruct-q4
- Platform: VS Code extension
- Trigger: Intercepts save operations
- Analysis method: Maps source-to-sink execution flow
- Action: Throws a hard block on dangerous code
- Example vulnerability caught: CWE-117 Log Injection in a Flask route generated by Claude
- Infrastructure: Completely offline, no cloud, no API keys
This approach addresses a common issue where AI coding assistants like Claude and GitHub Copilot generate code quickly but may introduce security vulnerabilities. The local execution ensures privacy and eliminates dependency on external services.
📖 Read the full source: r/LocalLLaMA
👀 See Also

Anthropic's Multi-Agent Harness Design for Improving Claude's Code Quality
Anthropic's blog post details a harness design using multiple agents to address Claude's context anxiety and self-evaluation bias, with specific agent roles and scoring criteria for frontend and full-stack development.

Leanstral: Open-Source Code Agent for Lean 4 and Formal Proof Engineering
Mistral AI released Leanstral, the first open-source code agent designed for Lean 4, with 6B active parameters and Apache 2.0 licensing. Benchmarks show it outperforms larger open-source models and offers competitive performance to Claude at significantly lower cost.

InsForge: A Backend Semantic Layer for Claude Code Agents
InsForge exposes six backend primitives—authentication, Postgres database, S3-compatible storage, edge/serverless functions, model gateway, and site deployment—as structured components that Claude Code agents can inspect and configure via MCP instead of guessing API integrations.

Skill Scaffolder: Build OpenClaw Skills Without Writing Code
Skill Scaffolder is an open-source tool that lets users create OpenClaw skills by describing what they want in plain English. It handles the entire process—interviewing users, writing skill files, testing, and installation—without requiring YAML, Python, or config files.