Extension Details
Developer:
kabila.app
Rating:
4.8 ★
(21 ratings)
Users:
2,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Overall Risk
Trust Factors:
The extension has a relatively small user base of 2,000 users with a high rating of 4.8 stars from 21 reviews, which suggests positive user experience but limited adoption. The developer domain kabila.app appears to be associated with a cryptocurrency wallet service focused on the Hedera network. However, the small user base and limited review count make it difficult to establish strong trust indicators.
Concerns:
The extension requests overly broad permissions for a wallet application. The tabs permission allows manipulation of browser tabs beyond what's necessary for wallet functionality. Content scripts run on all websites (https://*/*) which is excessive for a wallet that should primarily interact with specific DeFi platforms. The host permissions include localhost and 127.0.0.1 access, which could potentially be exploited. The extensive CSP policy reveals connections to numerous third-party services and CDNs, creating a large attack surface. Google Analytics tracking is embedded, raising privacy concerns for a financial application.
Recommendations:
Given the high-risk classification, consider running this extension in a separate Chrome profile dedicated to cryptocurrency activities. Only install if you specifically need Hedera network wallet functionality and trust the Kabila platform. Regularly monitor your accounts and transactions when using this extension. Consider using hardware wallets for significant cryptocurrency holdings instead of browser-based solutions. Review the extension's actual behavior and network requests before entering sensitive information or conducting transactions.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Access to Sensitive Domains
This extension requests access to sensitive domains: https://www.google-analytics.com/*. Ensure you trust this extension with access to these sites.
MEDIUM
Medium-Risk Permission: activeTab
This extension has the activeTab permission. Can access the active tab when clicking the extension icon.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- storage
- activeTab
- tabs
Host Permissions:
- https://labs.kabila.app/*
- https://assets.kabila.app/*
- https://onramp.kabila.app/*
- https://www.google-analytics.com/*
Content Security Policy:
- extension_pages: default-src 'self' https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://labs.kabila.app https://*.kabilabs.com https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://degenapi.com https://s3.us-east-2.wasabisys.com; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src *; connect-src 'self' https://kabila-market.b-cdn.net https://api.kabila.app https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://mainnet.hedera.api.hgraph.io https://testnet.hedera.api.hgraph.io https://*.akrd.net https://*.swirldslabs.com https://*.pics.davincigraph.io https://*.ipfs.dweb.link https://www.cloudflare.com https://*.swirlds.com https://*.hedera.com https://status.hedera.com https://status.hedera.com/api http://localhost:3000 https://*.walletconnect.com https://verify.walletconnect.org https://pulse.walletconnect.org https://grpc-web.myhbarwallet.com https://server-verify.hashscan.io https://dns.google https://cloudflare-dns.com https://*.arweave.net https://*.ipfs.io https://arweave.net https://api.coingecko.com https://*.ipfs.nftstorage.link https://www.google-analytics.com https://mainnet.hashio.io/api https://testnet.hashio.io/api https://kabila-arweave.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://kabila-files.b-cdn.net https://assets.kabila.app https://hcs-kabila-app.b-cdn.net https://vblb9e8h48.execute-api.us-east-2.amazonaws.com https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com https://labs.kabila.app https://dev-labs.kabila.app https://api.kabilabs.com https://onramp.kabila.app https://ahoracrypto.com https://api.eta.finance https://api.letsexchange.io https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://degenapi.com https://s3.us-east-2.wasabisys.com https://api.blockaid.io wss: blob:; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; form-action 'self'; worker-src 'none'; upgrade-insecure-requests; media-src 'self' https://kabila-user-profiles.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://s3.us-east-2.wasabisys.com blob:;
- sandbox: sandbox allow-scripts; script-src 'self'; object-src 'self'
Embedded URLs (166 total):
| https://kabila-user-profiles.b-cdn.net | https://kabila-proxy-urls.b-cdn.net/ | |
| https://cdn.kabila.app | https://kabila.b-cdn.net | |
| https://kabila-files.b-cdn.net | https://assets.kabila.app | |
| https://labs.kabila.app | https://kabila-arweave.b-cdn.net | |
| https://khashinals.b-cdn.net | https://hcs.kabila.app | |
| https://hcs-kabila-app.b-cdn.net | https://ipfs-cdn.sentx.io/ | |
| https://hashpack.b-cdn.net | https://degenapi.com | |
| https://s3.us-east-2.wasabisys.com | https://fonts.googleapis.com | |
| https://fonts.gstatic.com | https://kabila-market.b-cdn.net | |
| https://api.kabila.app | https://mainnet.hedera.api.hgraph.io | |
| https://testnet.hedera.api.hgraph.io | https://www.cloudflare.com | |
| https://verify.walletconnect.org | https://pulse.walletconnect.org | |
| https://grpc-web.myhbarwallet.com | https://server-verify.hashscan.io | |
| https://dns.google | https://cloudflare-dns.com | |
| https://arweave.net | https://api.coingecko.com | |
| https://www.google-analytics.com | https://mainnet.hashio.io/api | |
| https://testnet.hashio.io/api | https://dev-labs.kabila.app | |
| https://api.kabilabs.com | https://vblb9e8h48.execute-api.us-east-2.amazonaws.com | |
| https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com | https://api.eta.finance | |
| https://api.dexscreener.com | https://dwk1opv266jxs.cloudfront.net | |
| https://fonts.googleapis.com/css2?family=Montserrat:wght@300 | https://eips.ethereum.org/EIPS/eip-6963 | |
| https://github.com/hashgraph/hedera-wallet-connect | http://www.w3.org/2000/svg | |
| https://kabila.app | https://assets.kabila.app/icons/main/default.svg | |
| http://127.0.0.1 | https://wallet.kabila.app | |
| http://127.0.0.1/ | https://status.hedera.com | |
| https://status.hedera.com/api | https://onramp.kabila.app | |
| https://ahoracrypto.com | https://api.letsexchange.io | |
| https://api.blockaid.io | https://labs.kabila.app/ | |
| https://assets.kabila.app/ | https://onramp.kabila.app/ | |
| https://www.google-analytics.com/ | https://clients2.google.com/service/update2/crx | |
| http://www.w3.org/1999/xhtml | http://www.apache.org/licenses/LICENSE-2.0 | |
| https://github.com/google/model-viewer/pull/755#issuecomment-536597893 | https://github.com/h5bp/html5-boilerplate/blob/ceb4620c78fc82e13534fc44202a3f168754873f/dist/css/main.css#L122-L133 | |
| http://www.w3.org/1999/xlink | http://schema.org/ | |
| https://101arrowz.github.io/fflate | https://github.com/101arrowz/fflate/blob/master/LICENSE | |
| https://www.gstatic.com/draco/versioned/decoders/1.5.6/ | https://www.gstatic.com/basis-universal/versioned/2021-04-15-ba1c3e4/ | |
| https://cdn.jsdelivr.net/npm/three@0.149.0/examples/jsm/loaders/LottieLoader.js | https://status.hedera.com/api/v2/scheduled-maintenances/upcoming.json | |
| https://www.apache.org/licenses/LICENSE-2.0 | https://www.tradingview.com/?utm_medium=lwc-link&utm_campaign=lwc-chart | |
| https://x.com/ | https://onramp.kabila.app/index.html?accountId= | |
| https://redux.js.org/Errors?code= | https://academy.kabila.app/products/wallet | |
| https://t.me/KabilaSupportBot | https://twitter.com/KabilaApp |
Page 1 of 3
Raw Manifest
{ "name": "Kabila Wallet", "icons": { "16": "icons/walletx16.png", "32": "icons/walletx32.png", "48": "icons/walletx48.png", "64": "icons/walletx64.png", "128": "icons/walletx128.png", "192": "icons/walletx192.png", "512": "icons/walletx512.png" }, "action": { "default_icon": { "32": "icons/walletx32.png" }, "default_title": "Kabila Wallet" }, "version": "3.0.10", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Kabila Wallet is a non-custodial account manager based on Hedera network. A clean, fun and easy-to-use Wallet.", "permissions": [ "storage", "activeTab", "tabs" ], "content_scripts": [ { "js": [ "content_script.js" ], "matches": [ "https://*/*", "http://localhost/*", "http://127.0.0.1/*" ] }, { "js": [ "eip6963.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "https://*/*", "http://localhost/*", "http://127.0.0.1/*" ] } ], "host_permissions": [ "https://labs.kabila.app/*", "https://assets.kabila.app/*", "https://onramp.kabila.app/*", "https://www.google-analytics.com/*" ], "manifest_version": 3, "content_security_policy": { "sandbox": "sandbox allow-scripts; script-src 'self'; object-src 'self'", "extension_pages": "default-src 'self' https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://labs.kabila.app https://*.kabilabs.com https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://degenapi.com https://s3.us-east-2.wasabisys.com; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src *; connect-src 'self' https://kabila-market.b-cdn.net https://api.kabila.app https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://mainnet.hedera.api.hgraph.io https://testnet.hedera.api.hgraph.io https://*.akrd.net https://*.swirldslabs.com https://*.pics.davincigraph.io https://*.ipfs.dweb.link https://www.cloudflare.com https://*.swirlds.com https://*.hedera.com https://status.hedera.com https://status.hedera.com/api http://localhost:3000 https://*.walletconnect.com https://verify.walletconnect.org https://pulse.walletconnect.org https://grpc-web.myhbarwallet.com https://server-verify.hashscan.io https://dns.google https://cloudflare-dns.com https://*.arweave.net https://*.ipfs.io https://arweave.net https://api.coingecko.com https://*.ipfs.nftstorage.link https://www.google-analytics.com https://mainnet.hashio.io/api https://testnet.hashio.io/api https://kabila-arweave.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://kabila-files.b-cdn.net https://assets.kabila.app https://hcs-kabila-app.b-cdn.net https://vblb9e8h48.execute-api.us-east-2.amazonaws.com https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com https://labs.kabila.app https://dev-labs.kabila.app https://api.kabilabs.com https://onramp.kabila.app https://ahoracrypto.com https://api.eta.finance https://api.letsexchange.io https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://degenapi.com https://s3.us-east-2.wasabisys.com https://api.blockaid.io wss: blob:; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; form-action 'self'; worker-src 'none'; upgrade-insecure-requests; media-src 'self' https://kabila-user-profiles.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://s3.us-east-2.wasabisys.com blob:;" } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -