Starting analysis...
Chessvision.ai Chess Position Scanner
Version 3.8.1 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a solid user base of 100,000 users with a strong 4.6-star rating from 737 reviews, indicating positive user experiences. The specific purpose of scanning chess positions is clearly defined and legitimate. The developer is identified as SOFTWARE PAWEŁ KACPRZAK, providing some accountability.
The primary concern is the broad host permissions (*://app.chessvision.ai/*) which, while specific to the developer's domain, still represents elevated access. The combination of activeTab, storage, and scripting permissions creates a capability set that could potentially access and store data from web pages. However, these permissions align reasonably well with the extension's stated purpose of scanning chess positions from various chess websites.
The security analysis flagged the host permissions as high-risk, but this appears to be limited to the developer's own domain rather than all websites, which reduces the actual risk significantly. The activeTab permission is appropriate for a tool that needs to analyze chess positions on the current page.
This extension appears legitimate for its intended purpose. Users should ensure they only use it on trusted chess websites. Consider running it in a separate Chrome profile if you're particularly security-conscious, though this may be unnecessary given the specific domain restrictions and positive user feedback. Monitor for any unusual behavior or requests for additional permissions in future updates.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- storage
- scripting
Host Permissions:
- *://app.chessvision.ai/*
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'
Embedded URLs (65 total):
| https://reactjs.org/docs/error-decoder.html?invariant= | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/1998/Math/MathML | http://www.w3.org/2000/svg | |
| https://mui.com/production-error/?code= | http://jedwatson.github.io/classnames | |
| https://github.com/cssinjs/jss | http://fb.me/use-check-prop-types | |
| https://reactjs.org/link/react-polyfills | https://github.com/facebook/regenerator/blob/main/LICENSE | |
| http://app.chessvision.ai | https://chessvision-video-search.appspot.com | |
| https://www.chess.com/callback/daily/game/ | https://www.chess.com/callback/live/game/ | |
| https://my.chessvision.ai/chrome-extension/auth | https://my.chessvision.ai/chrome-extension/upgrade | |
| https://my.chessvision.ai/library | https://my.chessvision.ai | |
| https://chessvision.ai/ | https://ebook.chessvision.ai | |
| https://lichess.org/analysis/ | https://chessvision-extension-board.web.app/analysis/ | |
| https://app.chessvision.ai/chessable_courses_redirect?fen= | https://twitter.com | |
| https://x.com | https://lichess.org/analysis | |
| https://lichess.org/study | https://lichess.org/ | |
| https://www.chess.com/analysis | https://www.chess.com/explorer | |
| https://www.chess.com/classroom | https://i.ytimg.com/ | |
| https://www.youtube.com | https://www.youtube-nocookie.com | |
| https://www.google.com | https://static.doubleclick.net | |
| https://googleads.g.doubleclick.net | https://my.chessvision.ai/watch/ | |
| https://www.youtube.com/watch?v= | https://youtube.com/channel/ | |
| https://chessvision.ai | https://www.chessable.com | |
| https://www.chess.com/analysis?fen= | http://polymer.github.io/LICENSE.txt | |
| http://polymer.github.io/AUTHORS.txt | http://polymer.github.io/CONTRIBUTORS.txt | |
| http://polymer.github.io/PATENTS.txt | https://chrome.google.com/webstore/detail/johejpedmdkeiffkdaodgoipdjodhlld/reviews | |
| https://chessvision.ai/docs/browser-extension/faq#what-to-do-if-i-see-an-empty-analysis-board | https://fonts.googleapis.com/css?family=Roboto:300 | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://www.chess.com/ | |
| https://www.youtube.com/ | https://twitter.com/ | |
| https://x.com/ | https://chessvision.ai/docs/browser-extension/tutorial | |
| https://chessvision.ai/docs/browser-extension/faq | https://twitter.com/ChessvisionAI | |
| https://discord.gg/zkcBPhWhme | https://lichess.org/team/chessvisionai-team | |
| https://apps.apple.com/us/app/id1574933453 | https://play.google.com/store/apps/details?id=ai.chessvision.scanner | |
| https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "name": "Chessvision.ai Chess Position Scanner", "icons": { "128": "icon-128.png" }, "action": { "default_icon": "icon-128.png", "default_popup": "popup.html", "default_title": "Chessvision.ai Scan" }, "author": "Pawel Kacprzak", "version": "3.8.1", "background": { "service_worker": "background.bundle.js" }, "short_name": "Chessvision", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Analyze chess positions from any website, book, and video in Chrome", "permissions": [ "activeTab", "storage", "scripting" ], "options_page": "options.html", "host_permissions": [ "*://app.chessvision.ai/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "https://*.chessvision.ai/*" ] }, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'" }, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "content.styles.css", "icon-128.png", "logo_sign.png", "bK.svg", "wK.svg", "fen_observers/*", "placeholders/*", "checkerboard.svg", "chessable.svg", "videos.svg" ] } ], "optional_host_permissions": [ "*://www.chess.com/*", "*://www.youtube.com/*", "*://lichess.org/*", "*://twitter.com/*", "*://x.com/*" ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.