It seems that tarnish downloads plugins from the webstore directly, but can it be used for an unpublished extension from a filesystem without any hard code tweaking? It can be helpful for developers and allows to include this checker in a CI/CD security pipeline.