[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

Clippass

Version 1.1 View in Chrome Web Store

Last scanned: about 6 hours ago

Extension Details

Rating: 4.5 ★

Users: 1

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension has extremely limited trust indicators with only 1 user and no visible developer information or company details. The lack of transparency regarding the author and development team raises significant concerns. The 4.5 rating appears misleading given the minimal user base. The missing description provides no context for what the extension actually does or why it needs such extensive permissions.

Concerns:

The most significant concern is the <all_urls> host permission combined with activeTab and scripting capabilities, creating a powerful combination that could access and manipulate content on any website. The nativeMessaging permission is particularly concerning as it allows communication with native applications on the user's computer, potentially bypassing browser security boundaries. For an extension with an unclear purpose and no established reputation, these permissions represent substantial overreach. The contextMenus permission, while less critical, adds another attack vector for malicious activity.

Recommendations:

Given the high-risk profile, avoid installing this extension entirely until more information becomes available about its purpose and developer. If you must use it, create a dedicated Chrome profile with minimal sensitive data and avoid accessing important accounts while the extension is active. Monitor system activity for unusual behavior and consider using browser security tools to track extension activities. Wait for the extension to gain more users and reviews before considering it trustworthy.

Findings

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

MEDIUM

Medium-Risk Permission: contextMenus

This extension has the contextMenus permission. Can add items to the context menu.

Raw Manifest

{
  "name": "Clippass",
  "action": {
    "default_icon": {
      "16": "icon.png",
      "48": "icon.png",
      "128": "icon.png"
    },
    "default_title": "Clippass"
  },
  "version": "1.1",
  "commands": {
    "trigger-decrypt": {
      "description": "Trigger Clippass to decrypt password",
      "suggested_key": {
        "default": "Ctrl+Shift+K"
      }
    }
  },
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Securely decrypt passwords from the clipboard and input them into the focused field.",
  "permissions": [
    "nativeMessaging",
    "activeTab",
    "scripting",
    "contextMenus"
  ],
  "options_page": "settings.html",
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

https://www.passwordstore.org/	https://salsa.debian.org/danielemiliogarcia/password-store/-/merge_requests/1
https://raw.githubusercontent.com/danielemiliogarcia/clippass/master/files/com.clippass.host.json	https://raw.githubusercontent.com/danielemiliogarcia/clippass/master/files/clippass_extension_decrypt_clipboard.sh
https://clients2.google.com/service/update2/crx	https://github.com/danielemiliogarcia/clippass
https://raw.githubusercontent.com/danielemiliogarcia/clippass/master/files/clippass-ns-install.sh

Clippass

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (7 total):

Raw Manifest

Detections

Manifest Findings