I know that Kathy was tagged here, but hopefully my answer will be of value. This post is being made to help provide a degree of transparency, and good faith for the burgeoning community of Extensions developers.
Let’s start by going back in time, to the first quarter of 2017. At that point, Twitch put out feelers within the developer community (under NDA) for parties that would be interested in working with us to develop third party web-apps that would run on Twitch (what are now called Extensions). In May, Twitch launched a limited beta exploring new interactive experiences (again Extensions under another guise). In September, Extensions were made available to everybody - all developers, and all broadcasters. These early developers weathered a lot of changes in Extensions. For that we were incredibly grateful, as it meant that in May we had a number of Extensions that were made available to a subset of broadcasters, and then again in September, there were a number of Extensions available for all broadcasters to leverage. The constant changes to Extensions endpoints and policies made developers’ lives hard. Some of the changes that came through very late, related to our policy around obfuscated code. In short, in order to support a scalable and implemented internal review process, we introduced change around the requirement for not obfuscating code. There were other policy changes that were also made close to the public release of Extensions. The problem with these changes is that it would have meant that most of the Extensions that had been developed prior to launch would have been rejected based upon the most recent policy changes. As a sign of good faith for the developers who stuck with us, we grandfathered their Extensions through the review process, in the context of policy changes that did not exist when they began their development. This grandfathering has only been extended to a small handful of individual Extensions, and is by no means an all access pass.
Reviews today only leverage uploaded assets. Upon upload, they are fed into our review system, where they are put through a number of automated checks, coupled with several manual review steps. External links, and build scripts cannot currently be ingested and incorporated into our review system. This is an area that we are actively working on improving. The challenge with the approach that you provided was that none of the source entered our review process.
I hope that this at least answers some of your questions.