Extension Details
Developer:
kabila.app
Rating:
4.8 ★
(21 ratings)
Users:
3,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Risk Level
Trust Factors:
The extension has a decent user base of 3,000 users and a high rating of 4.8 stars from 21 reviews, suggesting positive user experiences. The developer domain kabila.app appears to be a legitimate cryptocurrency wallet service. The extension is actively maintained with version 2.2.33, indicating ongoing development support.
Concerns:
The extension requests excessive permissions that raise significant privacy and security concerns. The tabs permission allows monitoring and manipulation of all browser tabs, which goes beyond typical wallet functionality. Content scripts injected into all websites (https://*/*) create potential attack vectors for malicious actors. The broad host permissions include access to analytics services and localhost, expanding the attack surface unnecessarily. While the CSP policy shows extensive third-party integrations typical of crypto wallets, the combination of broad permissions with content script injection across all sites is concerning.
Recommendations:
Given the high-risk nature of this extension, consider running it in a separate Chrome profile to isolate it from your main browsing activities. Only install if you specifically need Kabila wallet functionality and trust the developer completely. Regularly review the extension's permissions and consider alternatives with more restrictive permission models. Monitor your browser activity for any unusual behavior after installation. Be particularly cautious when using this extension on sites containing sensitive financial or personal information, as the broad permissions could potentially expose this data.
Security Analysis
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Overall Risk
Based on 5 total findings, ranked without considering overall context, including 2 high-risk and 3 medium-risk findings.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
HIGH
High-Risk Permission: tabs
This extension has the tabs permission. Can access browser tab information and manipulate tabs. This could potentially be used maliciously to compromise security or privacy.
MEDIUM
Access to Sensitive Domains
This extension requests access to sensitive domains: https://www.google-analytics.com/*. Ensure you trust this extension with access to these sites.
MEDIUM
Medium-Risk Permission: activeTab
This extension has the activeTab permission. Can access the active tab when clicking the extension icon.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- storage
- activeTab
- tabs
Host Permissions:
- https://labs.kabila.app/*
- https://assets.kabila.app/*
- https://onramp.kabila.app/*
- https://www.google-analytics.com/*
- https://s.tradingview.com/*
Content Security Policy:
- extension_pages: default-src 'self' https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://labs.kabila.app https://*.kabilabs.com https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src *; connect-src 'self' https://kabila-market.b-cdn.net https://api.kabila.app https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://mainnet.hedera.api.hgraph.io https://testnet.hedera.api.hgraph.io https://*.akrd.net https://*.swirldslabs.com https://*.pics.davincigraph.io https://*.ipfs.dweb.link https://www.cloudflare.com https://*.swirlds.com https://*.hedera.com https://status.hedera.com https://status.hedera.com/api http://localhost:3000 https://*.walletconnect.com https://verify.walletconnect.org https://pulse.walletconnect.org https://grpc-web.myhbarwallet.com https://server-verify.hashscan.io https://dns.google https://cloudflare-dns.com https://*.arweave.net https://*.ipfs.io https://arweave.net https://api.coingecko.com https://*.ipfs.nftstorage.link https://www.google-analytics.com https://mainnet.hashio.io/api https://testnet.hashio.io/api https://kabila-arweave.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://kabila-files.b-cdn.net https://assets.kabila.app https://hcs-kabila-app.b-cdn.net https://vblb9e8h48.execute-api.us-east-2.amazonaws.com https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com https://labs.kabila.app https://dev-labs.kabila.app https://api.kabilabs.com https://onramp.kabila.app https://ahoracrypto.com https://api.etaswap.com https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://api.dexscreener.com wss: blob:; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; form-action 'self'; worker-src 'none'; upgrade-insecure-requests; media-src 'self' https://kabila-user-profiles.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net blob:;
- sandbox: sandbox allow-scripts; script-src 'self'; object-src 'self'
Embedded URLs (211 total):
| https://kabila-user-profiles.b-cdn.net | https://kabila-proxy-urls.b-cdn.net/ | |
| https://cdn.kabila.app | https://kabila.b-cdn.net | |
| https://kabila-files.b-cdn.net | https://assets.kabila.app | |
| https://labs.kabila.app | https://kabila-arweave.b-cdn.net | |
| https://khashinals.b-cdn.net | https://hcs.kabila.app | |
| https://hcs-kabila-app.b-cdn.net | https://ipfs-cdn.sentx.io/ | |
| https://hashpack.b-cdn.net | https://fonts.googleapis.com | |
| https://fonts.gstatic.com | https://kabila-market.b-cdn.net | |
| https://api.kabila.app | https://mainnet.hedera.api.hgraph.io | |
| https://testnet.hedera.api.hgraph.io | https://www.cloudflare.com | |
| https://verify.walletconnect.org | https://pulse.walletconnect.org | |
| https://grpc-web.myhbarwallet.com | https://server-verify.hashscan.io | |
| https://dns.google | https://cloudflare-dns.com | |
| https://arweave.net | https://api.coingecko.com | |
| https://www.google-analytics.com | https://mainnet.hashio.io/api | |
| https://testnet.hashio.io/api | https://dev-labs.kabila.app | |
| https://api.kabilabs.com | https://vblb9e8h48.execute-api.us-east-2.amazonaws.com | |
| https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com | https://api.etaswap.com | |
| https://api.dexscreener.com | https://fonts.googleapis.com/css2?family=Montserrat:wght@300 | |
| https://kabila.app | https://assets.kabila.app/icons/main/default.svg | |
| https://wallet.kabila.app/ | https://status.hedera.com | |
| https://status.hedera.com/api | https://onramp.kabila.app | |
| https://ahoracrypto.com | https://labs.kabila.app/ | |
| https://assets.kabila.app/ | https://onramp.kabila.app/ | |
| https://www.google-analytics.com/ | https://s.tradingview.com/ | |
| https://clients2.google.com/service/update2/crx | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xhtml | http://www.apache.org/licenses/LICENSE-2.0 | |
| https://github.com/google/model-viewer/pull/755#issuecomment-536597893 | https://github.com/h5bp/html5-boilerplate/blob/ceb4620c78fc82e13534fc44202a3f168754873f/dist/css/main.css#L122-L133 | |
| http://www.w3.org/1999/xlink | http://schema.org/ | |
| https://101arrowz.github.io/fflate | https://github.com/101arrowz/fflate/blob/master/LICENSE | |
| https://www.gstatic.com/draco/versioned/decoders/1.5.6/ | https://www.gstatic.com/basis-universal/versioned/2021-04-15-ba1c3e4/ | |
| https://cdn.jsdelivr.net/npm/three@0.149.0/examples/jsm/loaders/LottieLoader.js | http://fb.me/use-check-prop-types | |
| https://github.com/theKashey/focus-lock/#focus-fighting | https://onramp.kabila.app/index.html?accountId= | |
| https://radix-ui.com/primitives/docs/components/ | https://hashscan.io/ | |
| https://dexscreener.com/hedera/ | https://x.com/ | |
| https://docs.hedera.com/hedera/core-concepts/staking/staking | https://feross.org/opensource | |
| https://feross.org | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1998/Math/MathML | |
| https://links.ethers.org/v5-errors- | https://github.com/emn178/js-sha3 | |
| https://node00.swirldslabs.com:443 | https://node01-00-grpc.swirlds.com:443 |
Page 1 of 3
Raw Manifest
{ "name": "Kabila Wallet", "icons": { "16": "icons/walletx16.png", "32": "icons/walletx32.png", "48": "icons/walletx48.png", "64": "icons/walletx64.png", "128": "icons/walletx128.png" }, "action": { "default_icon": { "32": "icons/walletx32.png" }, "default_title": "Kabila Wallet" }, "version": "2.2.33", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Kabila Wallet is a non-custodial account manager based on Hedera network. A clean, fun and easy-to-use Wallet.", "permissions": [ "storage", "activeTab", "tabs" ], "content_scripts": [ { "js": [ "content_script.js" ], "matches": [ "https://*/*", "http://localhost/*" ] } ], "host_permissions": [ "https://labs.kabila.app/*", "https://assets.kabila.app/*", "https://onramp.kabila.app/*", "https://www.google-analytics.com/*", "https://s.tradingview.com/*" ], "manifest_version": 3, "content_security_policy": { "sandbox": "sandbox allow-scripts; script-src 'self'; object-src 'self'", "extension_pages": "default-src 'self' https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://labs.kabila.app https://*.kabilabs.com https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net; script-src 'self'; object-src 'none'; base-uri 'self'; frame-src *; connect-src 'self' https://kabila-market.b-cdn.net https://api.kabila.app https://kabila-user-profiles.b-cdn.net https://kabila-proxy-urls.b-cdn.net/ https://mainnet.hedera.api.hgraph.io https://testnet.hedera.api.hgraph.io https://*.akrd.net https://*.swirldslabs.com https://*.pics.davincigraph.io https://*.ipfs.dweb.link https://www.cloudflare.com https://*.swirlds.com https://*.hedera.com https://status.hedera.com https://status.hedera.com/api http://localhost:3000 https://*.walletconnect.com https://verify.walletconnect.org https://pulse.walletconnect.org https://grpc-web.myhbarwallet.com https://server-verify.hashscan.io https://dns.google https://cloudflare-dns.com https://*.arweave.net https://*.ipfs.io https://arweave.net https://api.coingecko.com https://*.ipfs.nftstorage.link https://www.google-analytics.com https://mainnet.hashio.io/api https://testnet.hashio.io/api https://kabila-arweave.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://kabila-files.b-cdn.net https://assets.kabila.app https://hcs-kabila-app.b-cdn.net https://vblb9e8h48.execute-api.us-east-2.amazonaws.com https://dhgy0gxwfa.execute-api.us-east-2.amazonaws.com https://labs.kabila.app https://dev-labs.kabila.app https://api.kabilabs.com https://onramp.kabila.app https://ahoracrypto.com https://api.etaswap.com https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net https://api.dexscreener.com wss: blob:; font-src 'self' https://fonts.gstatic.com data:; img-src 'self' https: data:; style-src 'self' 'unsafe-inline' https://fonts.googleapis.com; form-action 'self'; worker-src 'none'; upgrade-insecure-requests; media-src 'self' https://kabila-user-profiles.b-cdn.net https://cdn.kabila.app https://kabila.b-cdn.net https://kabila-files.b-cdn.net https://assets.kabila.app https://kabila-arweave.b-cdn.net https://khashinals.b-cdn.net https://hcs.kabila.app https://hcs-kabila-app.b-cdn.net https://ipfs-cdn.sentx.io/ https://hashpack.b-cdn.net blob:;" } }
Secure Annex (beta)
Coming soon...