Extension Details
Context-Aware Verdict
The extension has a concerning trust profile with only 20,000 users and a poor 2.8-star rating from just 32 reviews, indicating user dissatisfaction. The developer "pictureknow.com" lacks clear company information or established reputation. For a color picker tool, these metrics suggest potential quality or functionality issues.
The most alarming aspect is the proxy permission, which is completely unnecessary for a color picker tool and could be used to intercept or redirect web traffic maliciously. The broad host permissions (<all_urls>) are excessive - a legitimate eyedropper only needs access to the current tab, not all websites. The content scripts targeting specific Chinese e-commerce sites (Taobao, Tmall, JD.com) is suspicious and unrelated to color picking functionality. The combination of proxy control and universal website access creates significant potential for data theft, traffic manipulation, or privacy violations.
Do not install this extension due to the proxy permission and suspicious targeting of e-commerce sites. If you need a color picker, choose alternatives like "ColorZilla" or "Eye Dropper" which have better ratings and appropriate permissions. If you must use this extension for testing purposes, run it in a completely isolated Chrome profile with no saved passwords or sensitive data, and monitor network traffic carefully.
Findings
Security Analysis Details
Required Permissions:
- contextMenus
- alarms
- proxy
- scripting
- storage
Host Permissions:
- <all_urls>
Embedded URLs (18 total):
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | https://jquery.com/ | |
| https://sizzlejs.com/ | https://jquery.org/license | |
| https://js.foundation/ | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/1998/Math/MathML | https://reactjs.org/link/react-polyfills | |
| https://api.pictureknow.com/ | https://clients2.google.com/ | |
| https://chrome.google.com | https://tutorial.pictureknow.com/book?id=e8e87d0d99364c949158b46bc7358593 | |
| https://clients2.google.com/service/update2/crx | https://www.pictureknow.com/ |
Raw Manifest
{ "name": "__MSG_name__", "icons": { "16": "icons/icon16.png", "32": "icons/icon32.png", "48": "icons/icon48.png", "128": "icons/icon128.png" }, "action": { "default_icon": "icons/icon128.png", "default_title": "__MSG_name__" }, "version": "1.3.7", "background": { "service_worker": "js/background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_desc__", "permissions": [ "contextMenus", "alarms", "proxy", "scripting", "storage" ], "homepage_url": "https://www.pictureknow.com/", "default_locale": "en", "content_scripts": [ { "js": [ "js/coupon_content.js" ], "matches": [ "*://item.taobao.com/*" ] }, { "js": [ "js/coupon_content.js" ], "matches": [ "*://detail.tmall.com/*" ] }, { "js": [ "js/jd_coupon_content.js" ], "matches": [ "*://item.jd.com/*" ] } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.