The codewhisperer-for-command-line-companion extension is automatically installed in VS Code

This content originally appeared on DEV Community and was authored by TORIFUKU Kaiou

If a mysterious Amazon Q-related extension suddenly appears in your VS Code, don’t panic. Here’s what it is, why it shows up, and how to control it.

TL;DR

You might see amazonwebservices.codewhisperer-for-command-line-companion appear without manually installing it.
It’s auto-installed by Amazon Q Developer: when launching the Desktop app on macOS or when running q integrations install vscode.
The extension is bundled as a local VSIX (not from Marketplace) and installed via the code CLI.
It’s safe to remove and re-install: code --uninstall-extension amazonwebservices.codewhisperer-for-command-line-companion then q integrations install vscode.
Proof with source links and line numbers is included below.

Summary

If you use Amazon Q Developer and have Visual Studio Code installed, the “amazonwebservices.codewhisperer-for-command-line-companion” extension gets installed automatically.
It’s likely harmless.
If you’re worried, you can uninstall it once and then manually reinstall it with q integrations install vscode.

Introduction

While browsing my Visual Studio Code extensions, I noticed an extension that looked vaguely familiar but that I didn’t remember installing myself.

amazonwebservices.codewhisperer-for-command-line-companion: Not available on the Marketplace (404)

I use the CLI version of Amazon Q Developer heavily, so I did have a lead. But, as shown above, the “amazonwebservices” publisher didn’t have a verification badge and the extension wasn’t on the Marketplace. That made me suspicious.

“Oh no! Did I install something like malware by mistake?!” I panicked in the middle of the night.

For the time being I uninstalled it, and since I do use Amazon Q Developer, I investigated under the hypothesis that “maybe it’s being added automatically.” In short: yes, it is—so it’s harmless. Amazon Q Developer adds it automatically.

Investigation Report

Using Codex CLI, I analyzed the public GitHub repo https://github.com/aws/amazon-q-developer-cli-autocomplete.

When the extension gets installed

The “amazonwebservices.codewhisperer-for-command-line-companion” extension is installed in Visual Studio Code at the following times:

When the Amazon Q Desktop app (macOS) is launched
When you run the q integrations install vscode command

Key source code points

Below are the relevant source code locations.

Extension artifact

https://github.com/aws/amazon-q-developer-cli-autocomplete/blob/466adcd4146fecf74cf13eeb4d4201bda1e4bd49/crates/fig_integrations/src/vscode/mod.rs

This file contains the extension payload itself.

Auto-install when launching the Amazon Q Desktop app (macOS)

https://github.com/aws/amazon-q-developer-cli-autocomplete/blob/466adcd4146fecf74cf13eeb4d4201bda1e4bd49/crates/fig_desktop/src/install.rs#L149-L161

You can see vscode::variants_installed() being used here.

Installation when running `q integrations install vscode`

https://github.com/aws/amazon-q-developer-cli-autocomplete/blob/466adcd4146fecf74cf13eeb4d4201bda1e4bd49/crates/q_cli/src/cli/integrations.rs#L193-L201

Again, this uses vscode::variants_installed().

Closing Thoughts

I was pretty scared—thinking I might have installed something shady. I hope this saves time for anyone who had the same concern.

Thanks to tools like Codex CLI, analyzing complex source code has become much easier. I’m on the Amazon Q Developer Pro plan, but I hit the monthly limit at the end of the month, so I leaned on Codex CLI for help.