Just don't allow extensions that do that. An automated search for eval(), remote imports and script tags would probably catch most of these and if someone manages to hide it from the auditors, since source code needs to be available, a security researcher would find and report it eventually.