Starting analysis...
Open AI Chat GPT For Email - Chatgpt Email - GMPlus
Version 2.0.21 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a moderate user base of 40,000 users and a decent rating of 4.2 stars, suggesting reasonable user satisfaction. The developer provides a website (gmplus.io) which adds some legitimacy. However, the relatively low number of reviews (83) compared to the user count may indicate limited user engagement or feedback.
The primary concern is the broad host permissions that allow access to all OpenAI domains (*.openai.com), which could potentially be exploited beyond the stated email functionality. While access to Gmail is expected for an email enhancement tool, the combination of Gmail and OpenAI access creates a pathway for sensitive email data to be processed by external AI services. The storage permission, while necessary for functionality, allows the extension to retain user data locally.
The extension's access to Gmail content scripts means it can read and modify email content, which is inherently sensitive. The broad OpenAI permissions raise questions about data handling and whether user emails might be sent to OpenAI servers without explicit user awareness.
Consider using this extension in a separate Chrome profile dedicated to non-sensitive email accounts. Review the extension's privacy policy carefully to understand how your email data is processed. Monitor your OpenAI account for any unexpected API usage if you have one linked. Regularly review what data the extension has stored locally through Chrome's extension management settings.
Findings
Security Analysis Details
Required Permissions:
- storage
Host Permissions:
- https://*.openai.com/
- https://mail.google.com/*
Embedded URLs (49 total):
| https://developer.mozilla.org/docs/Mozilla/Add-ons/WebExtensions/API/runtime/onMessage | https://api.kodepay.io | |
| https://kodepay.io | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://chat.openai.com/backend-api | https://extensiondock.com/chatgpt/v3/question? | |
| https://mail.google.com/mail/u/0/#inbox?compose=new | https://gmplus.io/user/default/sync-user2-kodepay | |
| https://chat.openai.com/api/auth/session | https://chat.openai.com/backend-api/conversation | |
| https://docs.google.com/forms/d/e/1FAIpQLSf74kogv7POug_dihgC-EQqXtxoehiCXCmT6g5HxaeOzxuW9Q/viewform | https://feross.org | |
| http://developer.yahoo.com/yui/license.html | https://kjur.github.io/jsrsasign/license/ | |
| http://www.w3.org/2000/svg | https://ssl.gstatic.com/mail/sprites/general_black-16bf964ab5b51c4b7462e4429bfa7fe8.png | |
| https://mailfoogae.appspot.com/build/images/listIndicator.png | http://fb.me/use-check-prop-types | |
| https://github.com/highlightjs/highlight.js/issues/2277 | https://github.com/highlightjs/highlight.js/wiki/security | |
| https://github.com/remarkjs/react-markdown/blob/main/changelog.md | https://chat.openai.com/ | |
| https://chat.openai.com | https://gmplus.io | |
| https://gmplus.io/gmplus/google_login_new.html | http://www.w3.org/1999/xlink | |
| https://gmplus.io/contact | https://gmplus.io/gmplus-openai-chatgpt-for-gmail-use-guide | |
| https://chat.whatsapp.com/JwYlvPizvzFKtdXs6ypBeq | https://discord.gg/4ve4x85Y | |
| https://chrome.google.com/webstore/detail/gmplus-email-finder-email/aihgkhchhecmambgbonicffgneidgclh?utm_source=gpt_email | https://xxvid.download/xx-video-downloader-for-desktop?utm-source=xxvid-desktop | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | http://jedwatson.github.io/classnames | |
| https://lodash.com/ | https://openjsf.org/ | |
| https://lodash.com/license | http://underscorejs.org/LICENSE | |
| https://github.com/facebook/regenerator/blob/main/LICENSE | https://mail.google.com/ | |
| https://clients2.google.com/service/update2/crx | https://mail.google.com/sync | |
| https://mail.google.com | https://mail.google.com/mail/u/0/ | |
| https://mail.google.com/mail | https://github.com/kefirjs/kefir/issues/145 | |
| https://github.com/kefirjs/kefir/issues/149 | https://github.com/kefirjs/kefir/issues/150 | |
| https://fonts.googleapis.com/css?family=Roboto:300 |
Raw Manifest
{ "name": "__MSG_name__", "icons": { "16": "logo.png", "32": "logo.png", "48": "logo.png", "128": "logo.png" }, "action": { "default_icon": "logo.png" }, "version": "2.0.21", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_description__", "permissions": [ "storage" ], "default_locale": "en", "content_scripts": [ { "js": [ "content-script.js" ], "css": [ "content-script.css" ], "run_at": "document_start", "matches": [ "https://mail.google.com/*" ] } ], "host_permissions": [ "https://*.openai.com/", "https://mail.google.com/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://mail.google.com/*" ], "resources": [ "logo.png", "logo_128.png", "free_bg.png" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.