Extension Details
Developer:
roblox.plus
Rating:
4.1 ★
(8.1K ratings)
Users:
1,000,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
MEDIUM
Overall Risk
Trust Factors:
The extension has strong legitimacy indicators with 1 million users and a 4.1-star rating from over 8,000 reviews. The developer domain "roblox.plus" suggests it's a third-party enhancement tool for Roblox, which is a common and legitimate use case. The high user adoption and positive ratings indicate community trust and functionality.
Concerns:
The primary concern is the broad host permissions that extend beyond just Roblox domains to include rbxcdn.com and the developer's own domain (roblox.plus). While the content scripts are appropriately scoped to specific Roblox pages, the extension could potentially access sensitive user data across these domains. The notifications and storage permissions, while medium-risk individually, could be used to collect and store user behavior data or send unwanted notifications. The gcm (Google Cloud Messaging) permission suggests the extension may communicate with external servers.
Recommendations:
This extension appears legitimate for Roblox users seeking enhanced functionality. However, users should be aware that it can access their Roblox account data and activity. Consider reviewing what specific features you actually use - if you only need basic enhancements, look for more limited alternatives. Monitor for any unexpected notifications or behavior changes on Roblox. The risk is acceptable for most users given the strong community adoption, but privacy-conscious users might prefer running it in a separate Chrome profile dedicated to gaming.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Host Permissions
This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.
MEDIUM
Medium-Risk Permission: notifications
This extension has the notifications permission. Can show notifications.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
Security Analysis Details
Required Permissions:
- alarms
- gcm
- notifications
- storage
Host Permissions:
- https://*.roblox.com/*
- https://*.roblox.plus/*
- https://*.rbxcdn.com/*
Embedded URLs (183 total):
| https://clients2.google.com/service/update2/crx | https://roblox.plus/ | |
| https://www.roblox.com/ | https://www.roblox.com/my/avatar | |
| https://www.roblox.com/my/messages | https://www.roblox.com/users/ | |
| https://www.roblox.com/discover | https://www.roblox.com/groups/ | |
| https://www.roblox.com/games/ | https://www.roblox.com/badges/ | |
| https://www.roblox.com/game-pass/ | https://www.roblox.com/catalog/ | |
| https://www.roblox.com/transactions | https://roblox.plus/settings | |
| https://stackoverflow.com/a/73482349/1663648 | https://stackoverflow.com/a/20077854/1663648 | |
| https://github.com/DefinitelyTyped/DefinitelyTyped/discussions/65809 | https://api.roblox.plus/v2/itemnotifier/registertoken | |
| https://roblox.plus/about/changes?version= | https://trades.roblox.com/v1/trades/ | |
| https://www.roblox.com/trades | https://assetdelivery.roblox.com/v2/assets/batch | |
| https://economy.roblox.com/v2/assets/ | https://avatar.roblox.com/v1/avatar-rules | |
| https://avatar.roblox.com/v1/users/ | https://avatar.roblox.com/v1/avatar/set-wearing-assets | |
| https://avatar.roblox.com/v1/avatar/assets/ | https://badges.roblox.com/v1/users/ | |
| https://economy.roblox.com/v1/users/ | https://friends.roblox.com/v1/user/following-exists | |
| https://friends.roblox.com/v1/user/friend-requests/count | https://friends.roblox.com/v1/users/ | |
| https://economy.roblox.com/v1/game-pass/ | https://develop.roblox.com/v1/user/groups/canmanage | |
| https://groups.roblox.com/v1/groups/ | https://groups.roblox.com/v1/users/ | |
| https://inventory.roblox.com/v2/assets/ | https://assetgame.roblox.com/asset/delete-from-inventory | |
| https://inventory.roblox.com/v1/users/ | https://locale.roblox.com/v1/locales/user-locale | |
| https://translations.roblox.com/v1/translations?consumerType=Web | https://games.roblox.com/v1/vip-servers/ | |
| https://games.roblox.com/v1/games/258257446/private-servers | https://api.roblox.plus/v1/rpluspremium/ | |
| https://presence.roblox.com/v1/presence/users | https://privatemessages.roblox.com/v1/messages/unread/count | |
| https://thumbnails.roblox.com/v1/batch | https://economy.roblox.com/v2/sales/sales-report-download | |
| https://users.roblox.com/v1/users | https://users.roblox.com/v1/usernames/users | |
| https://users.roblox.com/v1/users/authenticated | https://github.com/facebook/react/issues/13610 | |
| https://github.com/facebook/react/issues/11347 | https://github.com/facebook/react/pull/22064. | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| https://url.spec.whatwg.org/#url-parsing | https://infra.spec.whatwg.org/#ascii-tab-or-newline | |
| https://infra.spec.whatwg.org/#c0-control-or-space | https://github.com/facebook/react/issues/19099 | |
| https://github.com/facebook/react/issues/11768 | http://www.w3.org/TR/2012/WD-html5-20121025/the-input-element.html | |
| https://reactjs.org/link/controlled-components | https://bugs.chromium.org/p/chromium/issues/detail?id=608416 | |
| https://github.com/facebook/react/issues/7253 | https://developer.microsoft.com/microsoft-edge/platform/issues/101525/ | |
| http://www.w3.org/1999/xhtml | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/2000/svg | https://github.com/mozilla/gecko-dev/blob/4e638efc71/layout/style/test/property_database.js | |
| https://www.owasp.org/index.php/XSS_Filter_Evasion_Cheat_Sheet | http://www.thespanner.co.uk/2007/11/26/ultimate-xss-css-injection/ | |
| http://modernizr.com/docs/#prefixed | http://www.andismith.com/blog/2012/02/modernizr-prefixed/ | |
| https://reactjs.org/link/dangerously-set-inner-html | https://w3c.github.io/webcomponents/spec/custom/#custom-elements-core-concepts | |
| https://reactjs.org/link/invalid-aria-props | https://reactjs.org/link/attribute-behavior | |
| https://github.com/facebook/react/issues/12506 | http://www.quirksmode.org/js/events_properties.html |
Page 1 of 3
Raw Manifest
{ "name": "Roblox+", "icons": { "16": "./images/icons/logo16.png", "32": "./images/icons/logo32.png", "48": "./images/icons/logo48.png", "128": "./images/icons/logo128.png" }, "action": { "default_icon": { "16": "./images/icons/logo16.png", "32": "./images/icons/logo32.png" }, "default_title": "Roblox+" }, "author": "WebGL3D", "version": "3.27.0", "incognito": "split", "background": { "service_worker": "./dist/service-worker.js" }, "short_name": "Roblox+", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Extends the features available on roblox.com", "permissions": [ "alarms", "gcm", "notifications", "storage" ], "homepage_url": "https://roblox.plus/settings", "content_scripts": [ { "js": [ "./dist/pages/roblox-plus.js" ], "run_at": "document_start", "matches": [ "https://roblox.plus/*" ] }, { "js": [ "dist/pages/all.js" ], "css": [ "dist/css/all.css" ], "run_at": "document_start", "matches": [ "https://www.roblox.com/*" ] }, { "js": [ "./dist/pages/avatar.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/my/avatar", "https://www.roblox.com/*/my/avatar" ] }, { "js": [ "./dist/pages/messages.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/my/messages*", "https://www.roblox.com/*/my/messages*" ] }, { "js": [ "./dist/pages/inventory.js" ], "css": [ "./dist/css/inventory.css" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/users/*/inventory", "https://www.roblox.com/*/users/*/inventory" ] }, { "js": [ "./dist/pages/games-list.js" ], "css": [ "./dist/css/games-list.css" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/discover", "https://www.roblox.com/*/discover" ] }, { "js": [ "./dist/pages/groups.js" ], "css": [ "./dist/css/groups.css" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/groups/*/*", "https://www.roblox.com/*/groups/*/*" ] }, { "js": [ "./dist/pages/game-details.js" ], "css": [ "./dist/css/game-details.css" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/games/*/*", "https://www.roblox.com/*/games/*/*" ] }, { "js": [ "./dist/pages/badge-details.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/badges/*/*", "https://www.roblox.com/*/badges/*/*" ] }, { "js": [ "./dist/pages/game-pass-details.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/game-pass/*/*", "https://www.roblox.com/*/game-pass/*/*" ] }, { "js": [ "./dist/pages/item-details.js" ], "css": [ "dist/css/item-details.css" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/catalog/*/*", "https://www.roblox.com/*/catalog/*/*" ] }, { "js": [ "./dist/pages/transactions.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/transactions*", "https://www.roblox.com/*/transactions*" ] }, { "js": [ "./dist/pages/profile.js" ], "run_at": "document_end", "matches": [ "https://www.roblox.com/users/*/profile*", "https://www.roblox.com/*/users/*/profile*" ] } ], "host_permissions": [ "https://*.roblox.com/*", "https://*.roblox.plus/*", "https://*.rbxcdn.com/*" ], "manifest_version": 3, "minimum_chrome_version": "100.0.0", "web_accessible_resources": [ { "matches": [ "https://*.roblox.com/*", "https://roblox.plus/*" ], "resources": [ "*.js.map" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -