Web Capture - HTML to React with MagicPath
Version 1.0.0 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a reasonable user base of 9,000 downloads and a solid 4.5-star rating from 47 reviews, suggesting legitimate functionality. The developer domain "magicpath.ai" appears to be a legitimate AI-focused company, and the extension's purpose of converting HTML to React code is a valid developer tool use case.
The extension requests extremely broad permissions that far exceed what's necessary for HTML-to-React conversion. The <all_urls> host permissions and content script injection capabilities allow it to access and modify any website you visit, not just when actively using the tool. The clipboardWrite permission, while potentially useful for copying generated code, could be misused to inject malicious content. The combination of these permissions creates a powerful surveillance and data collection capability that could capture sensitive information from banking sites, email, or other private web applications.
Consider running this extension in a separate Chrome profile dedicated to development work only. Disable the extension when not actively converting HTML to React code. Before installing, verify if the functionality truly requires such broad permissions - many similar tools work with more limited scope. Monitor your clipboard content after using the extension. If you proceed with installation, avoid using it while accessing sensitive websites like banking or email platforms.
Findings
Security Analysis Details
Required Permissions:
- storage
- activeTab
- clipboardWrite
Host Permissions:
- <all_urls>
Embedded URLs (15 total):
| http://www.w3.org/2000/svg | https://clients2.google.com/service/update2/crx | |
| https://magicpath.ai/ | https://api.magicpath.ai | |
| https://www.magicpath.ai | https://fonts.googleapis.com/css2?family=Geist:wght@400&display=swap | |
| https://tailwindcss.com | https://react.dev/errors/ | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | https://json-schema.org/draft/2020-12/schema | |
| http://json-schema.org/draft-07/schema# | http://json-schema.org/draft-04/schema# | |
| https://youtu.be/6gxnTIGjCQc |
Raw Manifest
{ "env": { "API_URL": "https://api.magicpath.ai", "WEB_URL": "https://www.magicpath.ai" }, "name": "Web Capture - HTML to React with MagicPath", "icons": { "16": "icons/icon-16.png", "32": "icons/icon-32.png", "48": "icons/icon-48.png", "128": "icons/icon-128.png" }, "action": { "default_icon": { "16": "icons/icon-16.png", "24": "icons/icon-24.png", "32": "icons/icon-32.png", "48": "icons/icon-48.png", "128": "icons/icon-128.png" }, "default_popup": "index.html" }, "version": "1.0.0", "background": { "service_worker": "service-worker.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Capture elements from the web. Convert elements into interactive React components and edit manually or with AI on a canvas.", "permissions": [ "storage", "activeTab", "clipboardWrite" ], "content_scripts": [ { "js": [ "injected/contentScript.js" ], "run_at": "document_idle", "matches": [ "<all_urls>" ] } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "externally_connectable": { "matches": [ "https://magicpath.ai/*", "https://*.magicpath.ai/*" ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "injected/selectionOverlay.css", "injected/newExtractor.js", "injected/StyleExtractor.js" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.