Extension Details
Context-Aware Verdict
The extension has very limited trust indicators. With only 5,000 users and just 3 ratings (despite a perfect 5.0 score), the user base is quite small for meaningful validation. The lack of developer information, company details, and missing description raises significant transparency concerns. The extension name suggests AI-powered publishing functionality, but without a proper description, users cannot verify if the requested permissions align with stated purposes.
The combination of cookies permission with broad host permissions (https://*/*) creates a particularly concerning risk profile. This setup allows the extension to access and modify cookies across all HTTPS websites, potentially enabling session hijacking, unauthorized account access, or comprehensive tracking across the entire web. The declarativeNetRequest permission adds another layer of concern as it can modify network requests. For a publishing-focused tool, these permissions appear excessive and unnecessary. The small user base combined with perfect ratings from only 3 reviews suggests potential rating manipulation.
Given the high risk level, avoid installing this extension on your primary browser profile. If you must use it, create a separate Chrome profile specifically for this extension and limit sensitive browsing activities in that profile. Consider alternative publishing tools with better transparency and more appropriate permission requests. Monitor your accounts for unusual activity if you've already installed this extension, and consider changing passwords for important accounts.
Findings
Security Analysis Details
Required Permissions:
- cookies
- storage
- declarativeNetRequest
Host Permissions:
- https://*/*
Embedded URLs (217 total):
| http://www.w3.org/2000/svg | https://sentry.io/welcome/ | |
| https://docs.sentry.io/platforms/javascript/best-practices/browser-extensions/ | https://browser.sentry-cdn.com | |
| http://dogs.are.great | http://www.example.com | |
| https://github.com/browserify/crypto-browserify | https://www.acx.com | |
| https://account.kdp.amazon.com/api/payee | https://kdpreports.amazon.com | |
| https://api.publishing.ai | https://www.acx.com/api | |
| https://www.acx.com/salesTitle/ | https://www.acx.com/api/dashboard/v2/production?statuses=LIVE%2CPUB_NOT_LIVE%2CIN_REVIEW%2CPUBLISHING%2CLIVE_REQUEST_PX%2CLIVE_AWAITING_PX%2CLIVE_REVISION_PX%2CLIVE_SYNTHESIZING%2CLIVE_WITH_CHANGES&pageIndex=1&resultPerPage=10 | |
| https://www.acx.com/api/runtime/ | https://www.acx.com/api/titleview/ | |
| https://www.acx.com/dashboard | https://db3920554abdfc1807e46fee98321d30@o4506043484209152.ingest.us.sentry.io/4507823450095616 | |
| https://feross.org | https://feross.org/opensource | |
| https://github.com/Yaffle/EventSource/ | https://clients2.google.com/service/update2/crx | |
| https://app.publishing.com/ | https://fonts.googleapis.com | |
| https://fonts.gstatic.com | https://fonts.googleapis.com/css2?family=Inter:ital | |
| https://app.publishing.com/sales-analytics | https://www.acx.com/api/ | |
| https://github.com/getsentry/sentry-javascript/issues/838 | https://github.com/getsentry/sentry-javascript/issues/3344 | |
| https://github.com/bugsnag/bugsnag-js/issues/469 | https://stackoverflow.com/questions/23191918/peformance-getentries-and-negative-duration-display | |
| https://developer.mozilla.org/en-US/docs/Web/API/LayoutShift | https://www.apache.org/licenses/LICENSE-2.0 | |
| https://web.dev/articles/cls#what_is_a_good_cls_score | https://web.dev/articles/cls | |
| https://web.dev/articles/cls#layout_shift_score | https://developer.chrome.com/blog/page-lifecycle-api/#advice-hidden | |
| https://web.dev/articles/fid#what_is_a_good_fid_score | https://web.dev/articles/fid | |
| https://web.dev/articles/inp#what_is_a_good_inp_score | https://web.dev/articles/inp | |
| https://web.dev/articles/lcp#what_is_a_good_lcp_score | https://web.dev/articles/lcp | |
| https://github.com/GoogleChrome/web-vitals/issues/75 | https://github.com/GoogleChrome/web-vitals/issues/383 | |
| https://github.com/GoogleChrome/web-vitals/issues/14 | https://github.com/GoogleChrome/web-vitals/issues/277 | |
| https://web.dev/articles/fcp#what_is_a_good_fcp_score | https://web.dev/articles/fcp | |
| https://web.dev/articles/ttfb#what_is_a_good_ttfb_score | https://web.dev/articles/ttfb | |
| https://w3c.github.io/navigation-timing/ | https://www.w3.org/TR/hr-time-2/#sec-time-origin | |
| https://github.com/GoogleChrome/web-vitals/issues/137 | https://github.com/GoogleChrome/web-vitals/issues/162 | |
| https://github.com/GoogleChrome/web-vitals/issues/275 | https://stackoverflow.com/a/58879212 | |
| https://stackoverflow.com/a/3540295 | https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia | |
| https://forums.developer.apple.com/forums/thread/119186 | https://stackoverflow.com/questions/60482650/how-to-detect-ipad-useragent-on-safari-browser | |
| https://developer.mozilla.org/en-US/docs/Web/API/MediaDevices/getDisplayMedia#prefercurrenttab | https://github.com/niklasvh/base64-arraybuffer | |
| https://hertzen.com | https://reactjs.org/docs/error-decoder.html?invariant=423 | |
| https://react.dev/errors/418 | https://github.com/rrweb-io/rrweb/blob/d8f9290ca496712aa1e7d472549480c4e7876594/packages/rrweb/src/types.ts#L16 | |
| https://example.com | https://sentry.io/for/session-replay/ | |
| https://docs.sentry.io/platforms/javascript/guides/session-replay/ | https://github.com/getsentry/sentry/blob/9f08305e09866c8bd6d0c24f5b0aabdd7dd6c59c/src/sentry/lang/javascript/errormapping.py#L83-L108 | |
| https://github.com/zertosh/invariant/blob/master/invariant.js#L46 | https://github.com/getsentry/sentry-javascript/issues/1949 | |
| https://developer.mozilla.org/en-US/docs/Web/API/DOMError | https://developer.mozilla.org/en-US/docs/Web/API/DOMException | |
| https://webidl.spec.whatwg.org/#es-DOMException-specialness | https://github.com/getsentry/sentry-javascript/issues/1168 | |
| https://developer.mozilla.org/en-US/docs/Web/API/PromiseRejectionEvent | https://developer.mozilla.org/en-US/docs/Web/API/CustomEvent |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxINW3MFaTq1hoJHWxjc4DgWr3efStW9ZgsYVp009y0a+kk9iPTkonQPqDr7Aa4Ovlt/WTIDBYcY/rMu4xHMAeFdCeljqFHFZjTd5Y9HDmXID5ixJgWsqR7NuA4cWQB7HoZ0jNGbU7LfDVWGkcb8WoPugDl5x5Gtpx4/3tThe9tmGlmiNOtSWnR9pmYrtrEMWLYD6ihFYy+4Jnummrv9QJ9h54VIFm+DX9hCVkr/RGNqikdtz1NEhHsBmEjb+Hl9AmJsGdCxptfdyVqwG2MesjUv6zWPLg0zsbc65+DPIM06CsGDt5rGBdmPjbWnQ+gtysiLFCTlfWoeqqUMQ5l9rZwIDAQAB", "name": "Publishing.ai", "icons": { "16": "images/icon_16.png", "32": "images/icon_32.png", "48": "images/icon_48.png", "128": "images/icon_128.png" }, "action": { "default_popup": "popup.html" }, "version": "3.3.3", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "The all-in-one solution for authors and publishers. From identifying profitable topics, to writing books, and tracking sales.", "permissions": [ "cookies", "storage", "declarativeNetRequest" ], "host_permissions": [ "https://*/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "https://app.publishing.com/*" ] }, "declarative_net_request": { "rule_resources": [ { "id": "ruleset_1", "path": "rules.json", "enabled": true } ] } }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.