Extension Details
Context-Aware Verdict
The extension has a moderate user base of 20,000 users and maintains a solid 4.3-star rating from 31 reviews, indicating generally positive user experiences. However, the limited number of reviews relative to the user count suggests many users haven't provided feedback. The developer domain web-paint-smart.com appears to be purpose-built for this extension, but lacks established company reputation or transparency about the development team.
The primary concern is the broad host permissions (<all_urls>) which grants the extension access to all websites you visit. For a web painting tool, this level of access seems excessive and creates potential privacy risks. The combination of storage permissions with universal website access means the extension could theoretically collect and store data from any site you visit. The scripting permission, while necessary for the extension's functionality, combined with broad host access amplifies the potential for misuse.
Consider running this extension in a separate Chrome profile dedicated to web annotation tasks to limit exposure of your primary browsing data. Before installing, verify that the functionality truly requires access to all websites rather than just specific ones where you plan to use the painting features. Monitor the extension's behavior and consider alternatives that request more limited permissions if available. Regularly review what data the extension might be storing locally through Chrome's extension management settings.
Findings
Security Analysis Details
Required Permissions:
- storage
- scripting
- alarms
Host Permissions:
- <all_urls>
Embedded URLs (7 total):
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| http://www.bohemiancoding.com/sketch | https://www.google-analytics.com/mp/collect | |
| https://www.google-analytics.com/debug/mp/collect | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "__MSG_extName__", "icons": { "16": "images/icon-16.png", "48": "images/icon-48.png", "128": "images/icon-128.png" }, "action": { "default_icon": { "16": "images/icon-16.png", "48": "images/icon-48.png", "128": "images/icon-128.png" } }, "author": "Web Paint Smart", "version": "1.8.7", "background": { "service_worker": "js/bg.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_extShortDesc__", "permissions": [ "storage", "scripting", "alarms" ], "default_locale": "en", "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "images/*", "fonts/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.