Extension Details
Context-Aware Verdict
The extension comes from clay.com, which appears to be a legitimate company with a professional domain. The 4.9-star rating suggests user satisfaction, though with only 8 reviews the sample size is quite small. The 10,000 user base indicates moderate adoption. However, this is version 1.0.0, suggesting it's a relatively new extension which may not have undergone extensive real-world testing.
The combination of broad host permissions (*://*/*) with clipboard write access creates significant privacy risks. The extension can access all websites and modify clipboard content, potentially capturing sensitive information like passwords or personal data. The tabs permission allows monitoring and manipulation of browsing activity across all sites. While these permissions might be necessary for Clay's functionality (likely a productivity or automation tool), they create a powerful surveillance capability. The content script injection on clay.run domains suggests legitimate business use, but the broad permissions extend far beyond this scope.
Given the high-risk permission combination, consider running this extension in a separate Chrome profile dedicated to Clay-related work. Regularly review what data you copy to your clipboard while the extension is active. Monitor the extension's behavior and disable it when not actively using Clay services. Consider whether the productivity benefits justify the privacy trade-offs, and evaluate if Clay's web interface could meet your needs instead of the browser extension.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- clipboardWrite
- storage
- tabs
- notifications
- scripting
Host Permissions:
- *://*/*
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'; frame-src 'self' https://*.netlify.app https://*.clay.run https://*.clay.com http://localhost:8090
Embedded URLs (45 total):
| https://git.io/JUIaE# | https://app.clay.com | |
| https://03f6cac6bbd24af6b95f3aa0b022daeb@o144832.ingest.sentry.io/5192649 | https://api.clay.com/v3 | |
| https://api.clay.com/v1/company/enrich | https://entities-api.clay.run/v5/profiles/linkedin | |
| https://entities-api.clay.run/v5/search | https://entities-api.clay.run/v5/batch/search | |
| https://entities-api.clay.run/v5/pdl | https://urltypeservice-production.clay.run/page-type | |
| https://api.clay.com/v2/sources/webhook/webhook-53173636-76ae-4735-82cb-8b8948e5b8b6 | http://feross.org | |
| https://redux.js.org/api-reference/store#subscribelistener | https://github.com/faisalman/ua-parser-js | |
| https://docs.clay.com/core-components/chrome-extension | https://bit.ly/3cXEKWf | |
| http://mixpanel.com?from=inapp | https://api-js.mixpanel.com | |
| https://mixpanel.com | https://cdn.mxpnl.com | |
| https://mths.be/punycode | https://app.clay.com/workspaces/ | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| https://fb.me/react-polyfills | http://fb.me/use-check-prop-types | |
| https://github.com/mholt/PapaParse | https://www.loom.com/share/806c15bc50c14b06989320cb47815d1c | |
| https://lodash.com/ | https://openjsf.org/ | |
| https://lodash.com/license | http://underscorejs.org/LICENSE | |
| https://npms.io/search?q=ponyfill. | https://www.clay.com/build-lists | |
| https://feross.org/opensource | https://hooks.clay.run/wb175fa4749a4d8b | |
| https://github.com/crypto-browserify/crypto-browserify | https://github.com/indutny/elliptic/issues | |
| https://github.com/indutny/elliptic | https://fonts.googleapis.com/css2?family=Inter:wght@400 | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "Clay for Chrome", "icons": { "16": "assets/img/clay_16px.png", "32": "assets/img/clay_32px.png", "48": "assets/img/clay_48px.png", "128": "assets/img/clay_128px.png" }, "action": { "default_icon": "assets/img/clay_16px.png", "default_title": "Clay for Chrome" }, "author": "Clay Labs Inc.", "version": "1.0.0", "commands": { "_execute_action": { "description": "Open Clay extension sidebar" }, "activate-command-box": { "description": "Toggle feature foo", "suggested_key": { "mac": "Command+Shift+P", "default": "Ctrl+Shift+P" } } }, "background": { "service_worker": "background.js" }, "short_name": "Clay for Chrome", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Turn the entire internet into a data source and pull specific data points from any website straight into Clay.", "permissions": [ "activeTab", "clipboardWrite", "storage", "tabs", "notifications", "scripting" ], "content_scripts": [ { "js": [ "install-checker.js" ], "run_at": "document_start", "matches": [ "https://*.clay.run/*" ], "all_frames": true } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "minimum_chrome_version": "88", "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'; frame-src 'self' https://*.netlify.app https://*.clay.run https://*.clay.com http://localhost:8090" }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "assets/img/clay_16px.png", "assets/font/circularstd-book.otf", "assets/img/*.svg", "assets/img/*.png", "assets/img/loading.webp", "popup.html", "google-analytics-bundle.js", "content.js" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.