Starting analysis...
Hue: More Colors for Google Calendar
Version 1.0.5 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a moderate user base of 10,000 users and a rating of 3.6/5 from 40 reviews, which suggests mixed user satisfaction. The specific focus on Google Calendar color enhancement appears legitimate for its stated purpose. However, the lack of detailed developer information and company reputation data limits trust assessment.
The primary concern is the broad host permissions that allow access to both HTTP and HTTPS versions of Google Calendar. While this access is necessary for the extension's functionality, it creates potential exposure to sensitive calendar data including personal appointments, meeting details, and scheduling information. The storage permission, while standard for customization features, could be used to retain user data locally. The medium overall risk rating with one high-risk finding indicates some security considerations that warrant attention.
Given the medium risk level, consider running this extension in a separate Chrome profile dedicated to Google Calendar use if you handle highly sensitive scheduling information. Before installation, review the extension's privacy policy if available and monitor what data it accesses. Regularly check for updates to ensure you have the latest security patches. If you notice any unusual behavior or unauthorized data access, remove the extension immediately. The legitimate functionality appears to justify the permissions requested, but maintain awareness of the sensitive data exposure.
Findings
Security Analysis Details
Required Permissions:
- storage
Host Permissions:
- https://calendar.google.com/*
- http://calendar.google.com/*
Embedded URLs (252 total):
| https://github.com/chakra-ui/chakra-ui/issues/3201 | https://github.com/garycourt/murmurhash-js | |
| https://github.com/aappleby/smhasher/blob/61a0530f28277f2e850bfc39600ce61d02b518de/src/MurmurHash2.cpp#L37-L86 | https://esbench.com/bench/5bfee68a4cd7e6009ef61d23 | |
| https://github.com/emotion-js/emotion/tree/main/packages/react | https://github.com/emotion-js/emotion/issues/2675 | |
| https://caniuse.com/?search=globalThis | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Template_literals#ES2018_revision_of_illegal_escape_sequences | |
| https://esbench.com/bench/5b809c2cf2949800a0f61fb5 | https://github.com/facebook/flow/issues/1414 | |
| https://github.com/popperjs/popper-core/issues/1078 | https://github.com/popperjs/popper-core/issues/1223 | |
| https://github.com/popperjs/popper-core/issues/837 | https://developer.mozilla.org/en-US/docs/Web/CSS/Containing_block#identifying_the_containing_block | |
| https://stackoverflow.com/questions/49875255 | https://github.com/theKashey/aria-hidden/issues/10 | |
| https://github.com/ricokahler/color2k/issues/351 | https://en.wikipedia.org/wiki/HSL_and_HSV | |
| https://github.com/styled-components/polished/blob/a23a6a2bb26802b3d922d9c3b67bac3f3a54a310/src/internalHelpers/_rgbToHsl.js | https://github.com/styled-components/polished/blob/0764c982551b487469043acb56281b0358b3107b/src/color/getLuminance.js | |
| https://github.com/styled-components/polished/blob/0764c982551b487469043acb56281b0358b3107b/src/color/getContrast.js | http://www.w3.org/TR/WCAG20/#contrast-ratiodef | |
| http://sass-lang.com/documentation/Sass/Script/Functions.html#mix-instance_method | https://github.com/theKashey/focus-lock/#focus-fighting | |
| https://github.com/gre/bezier-easing/blob/master/src/index.js | https://github.com/gre/bezier-easing/blob/master/LICENSE | |
| https://gist.github.com/mjackson/5311256 | https://www.youtube.com/watch?v=LKnqECcg6Gw | |
| http://codepen.io/osublake/pen/xGVVaN | https://github.com/framer/motion/issues/2270 | |
| https://github.com/framer/motion/issues/2023 | https://bugs.chromium.org/p/chromium/issues/detail?id=1406850 | |
| https://www.framer.com/docs/guide-upgrade/##shared-layout-animations | https://lodash.com/ | |
| https://openjsf.org/ | https://lodash.com/license | |
| http://underscorejs.org/LICENSE | http://ecma-international.org/ecma-262/7.0/#sec-patterns | |
| http://ecma-international.org/ecma-262/7.0/#sec-object.prototype.tostring | http://ecma-international.org/ecma-262/7.0/#sec-samevaluezero | |
| http://ecma-international.org/ecma-262/7.0/#sec-object.keys | http://ecma-international.org/ecma-262/7.0/#sec-tolength | |
| http://www.ecma-international.org/ecma-262/7.0/#sec-ecmascript-language-types | https://bugs.chromium.org/p/v8/issues/detail?id=4118 | |
| https://bugs.chromium.org/p/v8/issues/detail?id=3056 | https://developer.mozilla.org/en-US/docs/Web/JavaScript/Reference/Global_Objects/Object/is | |
| http://fb.me/use-check-prop-types | https://fb.me/react-warning-dont-call-proptypes | |
| http://fb.me/prop-types-in-prod | https://github.com/facebook/react/issues/13610 | |
| https://github.com/facebook/react/issues/11347 | https://github.com/facebook/react/pull/22064. | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| https://url.spec.whatwg.org/#url-parsing | https://infra.spec.whatwg.org/#ascii-tab-or-newline | |
| https://infra.spec.whatwg.org/#c0-control-or-space | https://github.com/facebook/react/issues/19099 | |
| https://github.com/facebook/react/issues/11768 | http://www.w3.org/TR/2012/WD-html5-20121025/the-input-element.html | |
| https://reactjs.org/link/controlled-components | https://bugs.chromium.org/p/chromium/issues/detail?id=608416 | |
| https://github.com/facebook/react/issues/7253 | https://developer.microsoft.com/microsoft-edge/platform/issues/101525/ | |
| http://www.w3.org/1999/xhtml | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/2000/svg | https://github.com/mozilla/gecko-dev/blob/4e638efc71/layout/style/test/property_database.js | |
| https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet | http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/ | |
| http://modernizr.com/docs/#prefixed | http://www.andismith.com/blog/2012/02/modernizr-prefixed/ | |
| https://reactjs.org/link/dangerously-set-inner-html | https://w3c.github.io/webcomponents/spec/custom/#custom-elements-core-concepts | |
| https://reactjs.org/link/invalid-aria-props | https://reactjs.org/link/attribute-behavior | |
| https://github.com/facebook/react/issues/12506 | http://www.quirksmode.org/js/events_properties.html | |
| https://github.com/facebook/react/issues/1698 | https://developer.mozilla.org/en-US/docs/Web/API/EventTarget/addEventListener#Safely_detecting_option_support |
Raw Manifest
{ "name": "Hue: More Colors for Google Calendar", "action": { "default_icon": { "16": "icon.png", "48": "icon.png", "128": "icon.png" }, "default_popup": "popup.html" }, "version": "1.0.5", "update_url": "https://clients2.google.com/service/update2/crx", "description": "A Chrome extension designed to enhance and personalize your Google Calendar experience.", "permissions": [ "storage" ], "content_scripts": [ { "js": [ "colour.js", "selector.js" ], "run_at": "document_end", "matches": [ "https://calendar.google.com/*", "http://calendar.google.com/*" ] } ], "host_permissions": [ "https://calendar.google.com/*", "http://calendar.google.com/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "https://calendar.google.com/*", "http://calendar.google.com/*" ], "resources": [ "icon.png", "trash16.png" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.