Docs
Publishing Guide
Publish your extension to the Omni Marketplace and share it with the community.
Overview
Publishing an extension to the Omni Marketplace makes it available for anyone to discover, install, and use. The process is designed to be simple for developers while maintaining high security standards.
Prerequisites
- -A developer account on the Omni Marketplace
- -A built WASM extension with a valid manifest.toml
- -The Omni CLI installed (
cargo install omni-cli) - -An API key for authentication (see below)
Creating an API Key
API keys authenticate your CLI with the marketplace. You can create multiple keys for different machines or CI pipelines.
Log in to your Dashboard → API Keys
Click Create API Key
Give it a name (e.g., "My Laptop" or "GitHub Actions")
Copy the generated key immediately — it won't be shown again
# Key format:
omni_pk_a1b2c3d4e5f6... (72 characters)
# Store securely:
export OMNI_API_KEY="omni_pk_a1b2c3d4e5f6..."
Keys can be revoked from the dashboard at any time. We store only a SHA-256 hash of your key, never the key itself.
Publishing via CLI
# First-time publish
omni ext publish --api-key $OMNI_API_KEY
# The CLI will:
# 1. Read manifest.toml
# 2. Upload the WASM binary
# 3. Verify SHA-256 checksum
# 4. Create extension entry
# 5. Trigger security scan
# New version with changelog
omni ext publish --api-key $OMNI_API_KEY \
--changelog "Added temperature unit support"
The Security Scan
Every extension submission is automatically scanned by our 4-layer antivirus pipeline. This process typically takes 30-60 seconds.
Signature Scanning
30%Checks the WASM binary against 79+ known malicious patterns — command injection, data exfiltration, cryptomining, and more.
Heuristic Analysis
25%Analyzes permission requests versus extension category. Flags suspicious combinations like a weather tool requesting filesystem write access.
AI Code Review
30%Claude analyzes your extension's manifest, permissions, and embedded strings for data exfiltration risk and hidden functionality.
Sandbox Testing
15%Executes your extension in an isolated environment with synthetic inputs. Monitors memory, CPU, attempted syscalls, and network calls.
Scan Verdicts
Each layer produces a score from 0-100. The overall score is a weighted average, and the verdict determines what happens next:
Auto-approved. Published immediately to the marketplace.
Flagged for manual review. Usually takes 1-3 business days.
Auto-rejected. Detailed scan results explain what was flagged.
View scan results from your Dashboard → Extensions.
Versioning
Extensions follow semantic versioning (semver). The version in your manifest must be higher than the currently published version.
1.0.0 → 1.0.1Bug fixes
1.0.0 → 1.1.0New features
1.0.0 → 2.0.0Breaking changes
Best Practices
Minimize permissions
Only request capabilities your extension actually needs. Scope network access to specific domains. This improves your scan score and builds user trust.
Write clear descriptions
The AI code review checks whether your extension's behavior matches its description. A clear, accurate description helps pass the scan.
Include source code
Set the repository field in your manifest to link to your source code. This builds trust and may help you earn "verified" status.
Write meaningful changelogs
Include a changelog with every version update. Users can see changelogs on the extension detail page.
Respond to reviews
Address reported issues promptly and publish fixes to maintain a good rating.
Troubleshooting
“Suspicious permission combination”
Review your [capabilities] section and remove unused permissions. Scope network access to specific domains.
“Signature match”
Your binary contains patterns matching known malicious signatures. Review the flagged code and refactor if needed.
“Sandbox timeout”
Your extension exceeded CPU time limits. Check for infinite loops or expensive operations. Increase max_cpu_ms_per_call if genuinely needed.
“Version already exists”
Bump the version number in your manifest.toml. Each version must be unique and higher than the previous.