[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Automation 360

Version 4.3.2.0 View in Chrome Web Store

Last scanned: about 4 hours ago

Extension Details

Rating: 3.9 ★ (7 ratings)

Users: 100,000

Context-Aware Verdict

CRITICAL

Overall Risk

Trust Factors:

The extension has a moderate user base of 100,000 users, which suggests some level of adoption. However, several concerning factors undermine trust: the rating is relatively low at 3.9 stars with only 7 reviews (unusually few for 100k users), no visible author or developer information is provided, and the generic name "Automation 360" lacks clear branding or company association. The absence of developer transparency is a significant red flag.

Concerns:

The permission set is extremely invasive and represents a major security risk. The debugger permission is particularly alarming as it allows manipulation of other extensions and deep system access. Combined with webNavigation tracking, tabs manipulation, and unrestricted host permissions across all websites, this extension has capabilities far beyond typical automation tools. The nativeMessaging permission enables communication with local applications, potentially allowing system-level access. Content scripts running on all protocols (including file://) can access local files.

Recommendations:

Do not install this extension on your primary browser profile. If automation functionality is absolutely necessary, create an isolated Chrome profile specifically for this extension with no access to personal accounts, sensitive websites, or important data. Consider alternative automation tools with more limited permissions. Regularly audit what data this extension might access and monitor for unusual browser behavior. Given the critical risk level, most users should seek safer alternatives for automation needs.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: debugger

This extension has the debugger permission. Can debug and manipulate other extensions/apps. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: tabs

This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.

HIGH

High-Risk Permission: webNavigation

This extension has the webNavigation permission. Can track your web navigation. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Raw Manifest

{
  "name": "Automation 360",
  "icons": {
    "16": "images/AAE16.png",
    "48": "images/AAE50.png",
    "128": "images/AAE128.png"
  },
  "action": {
    "default_icon": {
      "19": "images/AAE20.png",
      "38": "images/AAE40.png"
    },
    "default_popup": ""
  },
  "version": "4.3.2.0",
  "background": {
    "service_worker": "ExtensionBackgroundLoader.js"
  },
  "options_ui": {
    "page": "options.html",
    "open_in_tab": true
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Automation 360 extension to automate web applications in Google Chrome (MV3).",
  "permissions": [
    "storage",
    "tabs",
    "webNavigation",
    "scripting",
    "nativeMessaging",
    "debugger",
    "alarms"
  ],
  "content_scripts": [
    {
      "js": [
        "Browser.js",
        "AALogger.js",
        "HTMLRecorder.js",
        "HTMLBridgeAction.js",
        "HTMLExtensionBridge.js",
        "HTMLBrowserAction.js",
        "HTMLActionData.js",
        "HTMLEnum.js",
        "HTMLObject.js",
        "HTMLObjectSearch.js",
        "HTMLResult.js",
        "HTMLExecutor.js",
        "HTMLObjectNode.js",
        "HTMLCommon.js",
        "HTMLFrameInfo.js",
        "HTMLPluginObject.js",
        "HTMLWindowAvatar.js",
        "HTMLObjectPath.js",
        "HTMLJavascriptDOMXPath.js",
        "HTMLAACommon.js",
        "HTMLTrigger.js",
        "ExtensionTriggers.js",
        "DetectFramework.js",
        "HTMLAlertWrapper.js",
        "HTMLMapper.js",
        "HTMLScriptActivation.js",
        "HTMLAPIRecorderAction.js",
        "HTMLXpathGenerator.js",
        "HTMLTable.js",
        "HTMLXPathGenerator_v2.js",
        "AnchorElementFinder.js",
        "SAPActionExecutor.js",
        "HTMLExtractData.js",
        "SurroundingContext.utils.js",
        "SurroundingContext.capture.js",
        "SurroundingContext.validate.js"
      ],
      "run_at": "document_idle",
      "matches": [
        "http://*/*",
        "https://*/*",
        "file://*/*"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3,
  "externally_connectable": {
    "ids": [
      "*"
    ],
    "matches": [
      "*://*.supremomono.com/*",
      "*://*.automationanywhere.digital/*"
    ]
  },
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "HTMLAlertWrapper.js",
        "HTMLSAPWrapper.js"
      ]
    }
  ]
}

by ✦ Astarte

https://jeckycompay.lightning.force.com/	http://coderepos.org/share/wiki/JavaScript-XPath
https://developer.mozilla.org/en-US/docs/Web/API/Document/querySelectorAll	http://www.w3.org/2000/svg
https://clients2.google.com/service/update2/crx

Automation 360

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (5 total):

Raw Manifest

Detections

Manifest Findings