Extension Details
Context-Aware Verdict
The extension has a moderate user base of 20,000 users and a decent rating of 4.1 stars, suggesting some level of user satisfaction. However, the developer "Qrew LLC" lacks clear company information or reputation details, which reduces trustworthiness. The extension appears to be specifically designed for AppSheet users, which provides some context for its permissions.
The extension requests unnecessarily broad permissions for what appears to be an AppSheet productivity tool. The tabs permission allows manipulation of browser tabs and access to sensitive tab information, which seems excessive for a toolbox application. The scripting permission combined with declarativeNetRequest capabilities could enable content modification and network request interception. While the host permissions are limited to AppSheet-related domains, the combination of powerful permissions creates potential for misuse if the extension is compromised or malicious.
Given the high-risk permissions and limited developer transparency, consider running this extension in a separate Chrome profile dedicated to AppSheet work. This isolates potential risks from your main browsing profile. Before installation, verify that you actually need AppSheet functionality and cannot achieve the same results through AppSheet's native interface. Monitor the extension's behavior after installation and remove it immediately if you notice unexpected tab behavior or performance issues. Consider reaching out to Qrew LLC for more information about their data handling practices before trusting them with broad browser access.
Findings
Security Analysis Details
Required Permissions:
- storage
- scripting
- declarativeNetRequest
- declarativeNetRequestWithHostAccess
- tabs
Host Permissions:
- https://www.appsheet.com/*
- https://support.google.com/appsheet/*
- https://appsheettraining.com/*
Embedded URLs (146 total):
| https://www.appsheet.com/template/Apps | https://appsheettraining.com | |
| https://acp-api.bubbleapps.io/version-test | https://appsheettraining.com/version-test | |
| https://help.appsheet.com/ | https://www.appsheet.com/ | |
| https://appsheettraining.com/profile | https://www.appsheet.com/api/loadApp/ | |
| https://appsheettraining.com/version-test/api/1.1/wf/ResetPasword | https://appsheettraining.com/api/1.1/wf/resetpassword | |
| https://jquery.com/ | https://sizzlejs.com/ | |
| https://jquery.org/license | https://github.com/whatwg/html/issues/2369 | |
| https://html.spec.whatwg.org/#nonce-attributes | https://js.foundation/ | |
| https://jsperf.com/thor-indexof-vs-for/5 | http://www.w3.org/TR/css3-selectors/#whitespace | |
| http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier | http://www.w3.org/TR/selectors/#attribute-selectors | |
| http://www.w3.org/TR/CSS21/syndata.html#escaped-characters | https://drafts.csswg.org/cssom/#common-serializing-idioms | |
| https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled | https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled | |
| https://html.spec.whatwg.org/multipage/forms.html#category-listed | https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled | |
| https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled | https://bugs.jquery.com/ticket/4833 | |
| https://bugs.jquery.com/ticket/13378 | https://bugs.jquery.com/ticket/12359 | |
| https://msdn.microsoft.com/en-us/library/ie/hh465388.aspx#attribute_section | http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked | |
| https://bugs.webkit.org/show_bug.cgi?id=136851 | https://github.com/jquery/sizzle/pull/225 | |
| http://www.w3.org/TR/selectors/#pseudo-classes | http://www.w3.org/TR/selectors/#lang-pseudo | |
| http://www.w3.org/TR/selectors/#empty-pseudo | https://msdn.microsoft.com/en-us/library/ms536429%28VS.85%29.aspx | |
| https://promisesaplus.com/#point-59 | https://promisesaplus.com/#point-48 | |
| https://promisesaplus.com/#point-54 | https://promisesaplus.com/#point-75 | |
| https://promisesaplus.com/#point-64 | https://promisesaplus.com/#point-61 | |
| https://promisesaplus.com/#point-57 | https://bugs.chromium.org/p/chromium/issues/detail?id=378607 | |
| https://bugs.jquery.com/ticket/13393 | https://www.w3.org/TR/DOM-Level-3-Events/#event-type-click | |
| https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html | https://bugs.chromium.org/p/chromium/issues/detail?id=470258 | |
| https://github.com/eslint/eslint/issues/3229 | https://connect.microsoft.com/IE/feedback/details/1736512/ | |
| https://jsperf.com/getall-vs-sizzle/2 | https://drafts.csswg.org/cssom/#resolved-values | |
| https://developer.mozilla.org/en-US/docs/CSS/display | https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/ | |
| https://html.spec.whatwg.org/multipage/syntax.html#attributes-2 | https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ | |
| https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace | https://html.spec.whatwg.org/#strip-and-collapse-whitespace | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=687787 | http://www.w3.org/TR/DOM-Level-3-Events/#events-focusevent-event-order | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=449857 | http://example.com:80x/ | |
| https://bugs.webkit.org/show_bug.cgi?id=137337 | https://bugs.webkit.org/show_bug.cgi?id=29084 | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=589347 | https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon | |
| https://github.com/jquery/jquery/pull/557 | https://clients2.google.com/service/update2/crx | |
| https://support.google.com/appsheet/ | https://appsheettraining.com/ | |
| https://www.appsheet.com/template/ | http://fontawesome.io | |
| http://fontawesome.io/license | https://storage.googleapis.com/qrew_public_1/QREW_resources/AST-IconPBShaded.png | |
| https://appsheettraining.com/?src=qrewtools | https://appsheettraining.com/terms_of_service | |
| https://appsheettraining.com/privacy_policy | https://help.appsheet.com/en/ |
Raw Manifest
{ "name": "AppSheet Toolbox", "icons": { "16": "AST16.png", "48": "AST48.png", "128": "AST128.png" }, "action": { "default_icon": { "16": "AST16.png", "48": "AST48.png", "128": "AST128.png" }, "default_popup": "popup.html" }, "version": "4.0091", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Build Better AppSheet Apps", "permissions": [ "storage", "scripting", "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "tabs" ], "content_scripts": [ { "js": [ "jquery-3.4.1.js", "content.js", "codemirror/lib/codemirror.js", "codemirror/mode/spreadsheet/spreadsheet.js", "codemirror/mode/spreadsheet/spreadsheet.js", "codemirror/addon/edit/matchbrackets.js", "codemirror/addon/edit/closebrackets.js", "codemirror/addon/hint/show-hint.js" ], "css": [ "mirrorMain.css", "codemirror/lib/codemirror.css", "codemirror/addon/hint/show-hint.css", "font-awesome.min.css" ], "matches": [ "https://www.appsheet.com/template/*" ] }, { "js": [ "help-frame.js" ], "matches": [ "https://support.google.com/appsheet/*" ], "all_frames": true } ], "host_permissions": [ "https://www.appsheet.com/*", "https://support.google.com/appsheet/*", "https://appsheettraining.com/*" ], "manifest_version": 3, "declarative_net_request": { "rule_resources": [ { "id": "ruleset", "path": "rules.json", "enabled": true } ] }, "web_accessible_resources": [ { "matches": [ "http://*/*", "https://*/*" ], "resources": [ "qrew-logo-hires.png", "codemirror/theme/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.