COACH by Dropzone AI
Version 0.8.5 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a perfect 5.0 rating but with only 7 reviews, which is a very small sample size. With just 654 users, this is a relatively new or niche extension. The lack of visible developer information and company details reduces transparency. The "Dropzone AI" branding suggests an AI-powered coaching tool, but without more context about the company's reputation, trust assessment is limited.
The extension requests access to a specific AWS API endpoint (execute-api.us-west-2.amazonaws.com), which suggests it's sending data to external servers for processing. This raises privacy concerns about what data is being transmitted and how it's handled. The combination of storage and activeTab permissions means the extension can both access your current webpage content and store that information locally. The scripting permission allows code injection into web pages, which could potentially be misused.
Given the medium risk level and limited user base, consider running this extension in a separate Chrome profile to isolate it from your main browsing activities. Before installing, research Dropzone AI's privacy policy and data handling practices. Monitor what data the extension accesses by checking Chrome's extension activity logs. If you proceed with installation, regularly review the extension's behavior and consider removing it if you notice unexpected activity or if your trust level decreases.
Findings
Security Analysis Details
Required Permissions:
- storage
- scripting
- sidePanel
- activeTab
Optional Permissions:
- tabs
Host Permissions:
- https://gr1yg059sf.execute-api.us-west-2.amazonaws.com/ajr/dz/coach
Embedded URLs (49 total):
| https://gr1yg059sf.execute-api.us-west-2.amazonaws.com/ajr/dz/coach | https://clients2.google.com/service/update2/crx | |
| http://www.w3.org/TR/2001/REC-SVG-20010904/DTD/svg10.dtd | http://www.w3.org/2000/svg | |
| https://github.com/facebook/react/issues/3236 | https://reactjs.org/link/special-props | |
| https://reactjs.org/link/strict-mode-string-ref | https://reactjs.org/link/invalid-hook-call | |
| https://reactjs.org/link/warning-keys | https://github.com/facebook/react/issues | |
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://reactjs.org/link/controlled-components | |
| https://reactjs.org/link/dangerously-set-inner-html | https://reactjs.org/link/invalid-aria-props | |
| https://reactjs.org/link/attribute-behavior | https://reactjs.org/link/crossorigin-error | |
| https://reactjs.org/link/react-devtools | https://reactjs.org/link/unsafe-component-lifecycles | |
| https://reactjs.org/link/derived-state | https://reactjs.org/link/legacy-context | |
| https://reactjs.org/link/refs-must-have-owner | https://reactjs.org/link/rules-of-hooks | |
| https://reactjs.org/link/error-boundaries | https://reactjs.org/link/hooks-data-fetching | |
| https://reactjs.org/link/setstate-in-render | https://reactjs.org/link/wrap-tests-with-act | |
| https://reactjs.org/link/strict-mode-find-node | https://reactjs.org/link/switch-to-createroot | |
| https://reactjs.org/link/react-polyfills | https://reactjs.org/link/react-devtools-faq | |
| https://fonts.googleapis.com | https://fonts.gstatic.com | |
| https://go.dropzone.ai/coach | https://go.dropzone.ai/coach/cta/ | |
| https://go.dropzone.ai/coach-privacy | https://github.com/focus-trap/tabbable/blob/master/LICENSE | |
| https://github.com/date-fns/date-fns/blob/master/docs/unicodeTokens.md | http://fb.me/use-check-prop-types | |
| https://github.com/focus-trap/focus-trap/blob/master/LICENSE | http://jedwatson.github.io/classnames | |
| https://fb.me/react-warning-dont-call-proptypes | https://your-lambda-endpoint.amazonaws.com/path | |
| https://github.com/markedjs/marked. | https://fonts.googleapis.com/css2?family=Roboto+Mono&display=swap | |
| https://fonts.googleapis.com/css2?family=Inter:wght@400 |
Raw Manifest
{ "name": "__MSG_extensionName__", "icons": { "16": "favicon-16x16.png", "32": "favicon-32x32.png", "192": "android-chrome-192x192.png", "512": "android-chrome-512x512.png" }, "action": { "default_icon": { "16": "favicon-16x16.png", "32": "favicon-32x32.png", "192": "android-chrome-192x192.png", "512": "android-chrome-512x512.png" }, "default_popup": "popup/index.html" }, "version": "0.8.5", "background": { "type": "module", "service_worker": "background.js" }, "side_panel": { "default_path": "side-panel/index.html" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_extensionDescription__", "permissions": [ "storage", "scripting", "sidePanel", "activeTab" ], "default_locale": "en", "content_scripts": [], "host_permissions": [ "https://gr1yg059sf.execute-api.us-west-2.amazonaws.com/ajr/dz/coach" ], "manifest_version": 3, "optional_permissions": [ "tabs" ], "web_accessible_resources": [ { "matches": [ "*://*/*" ], "resources": [ "*.js", "*.css", "*.svg", "icon-*.png", "*.png", "*.webp" ] } ], "browser_specific_settings": { "gecko": { "id": "coach@dropzone.ai", "strict_min_version": "109.0" } }, "optional_host_permissions": [ "<all_urls>" ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.