DualPiP – Picture-in-Picture Player | Subtitles & AI Translation
Version 1.5.2 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a solid 4.7-star rating from 52 reviews and serves 3,000 users, indicating reasonable user satisfaction. The specific functionality (Picture-in-Picture with subtitles and AI translation) is clearly defined and legitimate. However, the relatively small user base and limited developer information (dualpip.cc) provide minimal reputation indicators for thorough trust assessment.
The combination of broad host permissions with webRequest capability creates significant privacy and security risks. While Picture-in-Picture functionality may require some web access, the <all_urls> permission grants excessive access to all websites you visit. The webRequest permission allows interception and modification of network traffic, which goes beyond typical PiP requirements. The unlimitedStorage permission, while potentially needed for subtitle caching, could be exploited for data hoarding. These permissions collectively enable comprehensive browsing surveillance and data collection capabilities that far exceed what's necessary for the stated functionality.
Consider running this extension in a separate Chrome profile to isolate potential risks from your main browsing activities. Monitor your network traffic when the extension is active to detect any unexpected data transmission. Regularly review what data the extension has stored using Chrome's developer tools. If you only need basic PiP functionality, consider alternatives with more limited permissions. Given the high-risk permission combination, only install if the AI translation and subtitle features are essential to your workflow.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- commands
- contextMenus
- scripting
- storage
- unlimitedStorage
- offscreen
- declarativeNetRequestWithHostAccess
- webRequest
Host Permissions:
- <all_urls>
Embedded URLs (79 total):
| https://www.rabbitpair.com | https://api.rabbitpair.com | |
| https://dualpip.cc/ | https://api.openai.com/v1/chat/completions | |
| https://api.anthropic.com/v1/messages | https://generativelanguage.googleapis.com/v1beta/models | |
| https://api.deepseek.com/chat/completions | https://open.bigmodel.cn/api/paas/v4/chat/completions | |
| https://api.moonshot.cn/v1/chat/completions | https://api.x.ai/v1/chat/completions | |
| https://microsoftedge.microsoft.com/addons/detail/inaehakbijpkfabjcgfhdldkojiedmko#review-section | https://store.whale.naver.com/detail/hglnicfjocopliiehfkglphopcapdjed#cbox_module | |
| https://chromewebstore.google.com/detail/ddkmobcljbfggkmibabekgpbighaogpn/reviews | https://chrome.google.com/ | |
| https://chromewebstore.google.com/ | https://translate.googleapis.com/translate_a/single | |
| https://translate-pa.googleapis.com/v1/translateHtml | https://api-edge.cognitive.microsofttranslator.com/translate | |
| https://edge.microsoft.com/translate/auth | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://translate.yandex.net/api/v1/tr.json/translate | https://translate.yandex.com/ | |
| https://translate.yandex.com | https://www.google.com/recaptcha/ | |
| https://sudatchi.com/api/proxy/ | https://www.youtube.com/ | |
| https://m.youtube.com/ | https://youtube.com/ | |
| https://www.netflix.com/ | https://netflix.com/ | |
| https://www.hulu.com/ | https://hulu.com/ | |
| https://www.bilibili.com/ | https://www.disneyplus.com/ | |
| https://www.dualpip.cc/quick-start.html | https://github.com/RabbitPair/DualPiP/issues/new?template=request-subtitles-barrage-thumbnail-preview-support-website.md&body= | |
| https://github.com/RabbitPair/DualPiP/issues/new?template=bug_report.md | https://www.netflix.com | |
| https://www.hulu.com | http://www.w3.org/2000/svg | |
| https://img.doodcdn.io/ | http://dashif.org/thumbnail_tile | |
| https://api.bilibili.com/x/web-interface/view?bvid= | https://api.bilibili.com/x/player/videoshot?index=1&aid= | |
| https://www.youtube.com/youtubei/v1 | https://youtube.com | |
| https://www.youtube.com | https://play.hulu.com/v6/playlist | |
| https://ib.hulu.com/thumb?eab_id= | https://api.bilibili.com/x/player/videoshot?aid= | |
| https://developer.chrome.com/blog/automatic-picture-in-picture-media-playback | https://api.example.com/v1/chat/completions | |
| https://reactrouter.com/en/main/routers/picking-a-router. | https://mui.com/production-error/?code= | |
| https://react.dev/errors/ | https://api.ejemplo.com/v1/chat/completions | |
| https://bit.ly/3cXEKWf | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| https://github.com/remarkjs/react-markdown/blob/main/changelog.md# | https://api.primer.com/v1/chat/completions | |
| https://api.exemplo.com/v1/chat/completions | https://api.esempio.com/v1/chat/completions | |
| https://api.beispiel.com/v1/chat/completions | https://www.i18next.com/translation-function/formatting | |
| https://api.voorbeeld.com/v1/chat/completions | https://api.exempel.com/v1/chat/completions | |
| https://github.com/syntax-tree/hast-util-to-jsx-runtime | https://api.exemple.com/v1/chat/completions | |
| https://clients2.google.com/service/update2/crx | https://www.deepl.com/ | |
| https://www.deepl.com | https://www2.deepl.com/jsonrpc | |
| https://api.deepl.com/jsonrpc | https://w.deepl.com/oidc/token | |
| https://transmart.qq.com/api/imt | https://translate.volcengine.com/crx/translate/v1/ | |
| https://weibo.com/ |
Raw Manifest
{ "name": "__MSG_appName__", "icons": { "16": "images/16x16.png", "32": "images/32x32.png", "48": "images/48x48.png", "128": "images/128x128.png" }, "action": { "default_icon": { "16": "images/16x16.png", "32": "images/32x32.png", "48": "images/48x48.png", "128": "images/128x128.png" }, "default_popup": "popup.html", "default_title": "__MSG_appName__" }, "author": "RabbitPair", "version": "1.5.2", "commands": { "activatePiPMode": { "description": "__MSG_activatePiPMode__", "suggested_key": { "mac": "Ctrl+Shift+E", "default": "Ctrl+Shift+E" } } }, "background": { "type": "module", "service_worker": "background.js" }, "short_name": "__MSG_appShortName__", "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_appDescription__", "permissions": [ "activeTab", "commands", "contextMenus", "scripting", "storage", "unlimitedStorage", "offscreen", "declarativeNetRequestWithHostAccess", "webRequest" ], "options_page": "options.html", "default_locale": "en", "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "externally_connectable": { "ids": [ "*" ], "matches": [ "*://*.rabbitpair.com/*", "*://*.rabbitpair.cn/*" ] }, "declarative_net_request": { "rule_resources": [ { "id": "ruleset_1", "path": "rulesets/rules.json", "enabled": true } ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "css/*", "assets/fonts/*", "configs/player/**/*" ], "extension_ids": [ "*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.