Extension Details
Context-Aware Verdict
The extension has a substantial user base of 400,000 users, indicating reasonable adoption and community trust. However, the rating of 3.5 out of 5 stars with only 114 reviews suggests mixed user satisfaction or limited engagement. The extension appears to serve a legitimate purpose - integrating with reMarkable devices for document reading. The manifest version 3 compliance shows the developer is keeping up with modern security standards.
The primary concern is the broad host permissions flagged as high-risk, though in this case it's specifically scoped to remarkable.com domains rather than all websites. The printerProvider permission, while not flagged in findings, is unusual and could potentially be misused for data exfiltration through print job manipulation. The combination of activeTab, scripting, and storage permissions creates a capability set that could access and store content from any active tab the user interacts with through the extension.
This extension presents moderate risk due to its permission set, but the risk is somewhat mitigated by its specific integration purpose with reMarkable services. Users should monitor what content they send through this extension and avoid using it on sensitive pages. Consider running it in a separate Chrome profile if you frequently handle confidential documents. Regularly review the extension's behavior and remove it if you notice unexpected activity or if you no longer use reMarkable devices.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- contextMenus
- printerProvider
- storage
- scripting
Host Permissions:
- https://*.remarkable.com/
Embedded URLs (54 total):
| http://www.w3.org/2000/svg | https://html2canvas.hertzen.com | |
| https://hertzen.com | https://github.com/zloirock/core-js/blob/v3.24.1/LICENSE | |
| https://github.com/zloirock/core-js | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://webapp.cloud.remarkable.com | |
| https://internal.cloud.remarkable.com | https://my.remarkable.com | |
| https://feross.org | https://feross.org/opensource | |
| https://stuk.github.io/jszip/documentation/howto/read_zip.html | https://cdnjs.cloudflare.com/ajax/libs/pdfobject/2.1.1/pdfobject.min.js | |
| http://www.w3.org/1999/02/22-rdf-syntax-ns# | http://jspdf.default.namespaceuri/ | |
| https://github.com/uuidjs/uuid#getrandomvalues-not-supported | http://www.idpf.org/2007/ops | |
| http://www.idpf.org/2007/opf | http://purl.org/dc/elements/1.1/ | |
| http://stuartk.com/jszip | https://raw.github.com/Stuk/jszip/main/LICENSE.markdown. | |
| https://github.com/nodeca/pako/blob/main/LICENSE | https://github.com/jamesbrobb | |
| http://opensource.org/licenses/mit-license | https://github.com/deanm/omggif | |
| http://www.fpdf.org/en/script/script37.php | http://www.myersdaily.org/joseph/javascript/md5.js | |
| https://www.cs.cmu.edu/~dst/Adobe/Gallery/anon21jul01-pdf-encryption.txt | https://github.com/foliojs/pdfkit/blob/master/lib/security.js | |
| http://www.phpied.com/rgb-color-parser-in-javascript/ | https://webpjs.appspot.com | |
| https://github.com/MrRio/jsPDF | http://www.yworks.com | |
| https://github.com/HackbrettXXX | https://github.com/acspike | |
| https://github.com/willowsystems | https://github.com/pablohess | |
| https://github.com/fjenett | https://github.com/warrenweckesser | |
| https://github.com/lifof | https://github.com/lsdriscoll | |
| https://github.com/stefslon | https://github.com/jmorel | |
| https://github.com/chris-rock | https://github.com/juanpgaviria | |
| https://github.com/dollaruw | https://github.com/diegocr | |
| https://github.com/Flamenco | https://github.com/Gavvers | |
| https://clients2.google.com/service/update2/crx | https://github.com/lokesh-coder/pretty-checkbox | |
| https://lokesh-coder.github.io/pretty-checkbox | https://my.remarkable.com/#browser |
Raw Manifest
{ "name": "Read on reMarkable", "icons": { "16": "icons/16.png", "48": "icons/48.png", "128": "icons/128.png", "256": "icons/256.png" }, "action": { "default_popup": "popup.html", "default_title": "Read the current page on your reMarkable account." }, "version": "1.2.6", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Read web articles on your reMarkable with a click.", "permissions": [ "activeTab", "contextMenus", "printerProvider", "storage", "scripting" ], "options_page": "options.html", "host_permissions": [ "https://*.remarkable.com/" ], "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.