Needle Inspector — DevTools for three.js
Version 1.0.1 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension comes from Needle Tools GmbH, a legitimate company known for web development tools. The perfect 5.0 rating from 15 reviews and its specific purpose as DevTools for three.js (a popular 3D JavaScript library) suggest it serves a genuine developer need. However, the small user base of only 1,000 users limits the validation of its safety through widespread adoption.
The extension's permission set is extremely broad and concerning for a developer tool. The combination of identity access, web request interception, navigation tracking, and universal host permissions creates a powerful surveillance and data collection capability. Content script injection across all URLs means it can access sensitive information on banking sites, email, and other private services. The webRequest permission allows it to modify or redirect network traffic, potentially enabling man-in-the-middle attacks. These permissions far exceed what would typically be necessary for three.js debugging functionality.
Given the critical risk level, install this extension only in a completely separate Chrome profile dedicated to three.js development work. Never use this profile for personal browsing, banking, or accessing sensitive accounts. Consider whether the debugging benefits truly justify the extensive access permissions, and explore alternative three.js debugging methods that don't require such broad system access. Regularly audit what data the extension might be collecting through its identity and storage permissions.
Findings
Security Analysis Details
Required Permissions:
- activeTab
- storage
- identity
- webRequest
- webNavigation
Host Permissions:
- https://auth.needle.tools/*
- file://*/*
- http://*/*
- https://*/*
Embedded URLs (107 total):
| http://keepachangelog.com/en/1.0.0/ | http://semver.org/spec/v2.0.0.html | |
| https://fwd.needle.tools/mcp | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/2000/svg | https://svelte.dev/e/lifecycle_outside_component | |
| https://svelte.dev/e/async_derived_orphan | https://svelte.dev/e/effect_in_teardown | |
| https://svelte.dev/e/effect_in_unowned_derived | https://svelte.dev/e/effect_orphan | |
| https://svelte.dev/e/effect_update_depth_exceeded | https://svelte.dev/e/hydration_failed | |
| https://svelte.dev/e/props_invalid_value | https://svelte.dev/e/state_descriptors_fixed | |
| https://svelte.dev/e/state_prototype_fixed | https://svelte.dev/e/state_unsafe_mutation | |
| https://svelte.dev/e/svelte_boundary_reset_onerror | https://svelte.dev/e/hydration_mismatch | |
| https://svelte.dev/e/select_multiple_invalid_value | https://svelte.dev/e/svelte_boundary_reset_noop | |
| https://svelte.dev/e/ | https://samples.needle.tools/physics-basic | |
| https://samples.needle.tools/physics-playground | https://samples.needle.tools/physics-&-animation | |
| https://samples.needle.tools/contact-shadows | https://droplistener-zubcksz1veaoo.needle.run/ | |
| https://engine.needle.tools/samples/ground-projection | https://threejs.org/docs/#examples/en/controls/OrbitControls | |
| https://threejs.org/docs/#examples/en/controls/OrbitControls.dampingFactor | http://samples.needle.tools/reflection-probes | |
| https://engine.needle.tools/samples/multi-scene-example | https://needle.tools | |
| https://app.songsofcultures.com | https://see-through-walls-z23hmxbz1kjfjn.needle.run/ | |
| https://engine.needle.tools/samples/spritesheet-animation | https://github.com/Alchemist0823/three.quarks | |
| http://samples.needle.tools/splines | https://stackblitz.com/~/github.com/needle-engine/sample-3d-over-html | |
| https://engine.needle.tools/samples/look-at-cursor-interactive-3d-header/ | https://viewbox-demo-z23hmxbz2gkayo-z1nyzm6.needle.run/ | |
| https://scrollytelling-bike-z23hmxb2gnu5a.needle.run/ | https://stackblitz.com/edit/needle-engine-view-box-example | |
| https://samples.needle.tools/ar-camera-background | https://samples.needle.tools/collaborative-sandbox | |
| https://samples.needle.tools/image-tracking | https://proxy.needle.run/ | |
| https://needle.tools/ | http://www.w3.org/1999/xlink | |
| http://www.serif.com/ | https://discord.needle.tools | |
| https://jcgt.org/published/0007/04/01/ | https://www.gstatic.com/draco/versioned/decoders/1.5.7/ | |
| https://cdn.needle.tools/static/three/0.179.1/basis2/ | https://cdn.needle.tools/static/hdris/studio_small_09_2k.pmrem.ktx2 | |
| https://cdn.needle.tools/static/inspector/images/uv_texture.png | https://cloud.needle.tools/account | |
| https://needle.tools?utm_source=needle-inspector& | https://prettier.io/docs/plugins#optional-embed | |
| https://typescript-eslint.io/troubleshooting/faqs/general#the-key-property-is-deprecated-on-type-nodes-use-key-instead-warnings. | https://github.com/highlightjs/highlight.js/issues/2277 | |
| https://github.com/highlightjs/highlight.js/wiki/security | https://chromewebstore.google.com/detail/needle-inspector-for-thre/jonplpbnhmanoekkgcepnedhghflblmo | |
| https://chromewebstore.google.com/detail/jonplpbnhmanoekkgcepnedhghflblmo?utm_source=extension&utm_medium=rating_prompt&utm_campaign=inline | https://fwd.needle.tools/needle-threejs-chrome-extension-feedback | |
| https://fwd.needle.tools/needle-threejs-chrome-extension-donate | https://twitter.com/@NeedleTools | |
| https://openrouter.ai/api/v1/chat/completions | https://threejs.org/docs/?q= | |
| http://cdn.needle.tools/static/images/fun/homer-bush.gif | https://threejs.org/manual/resources/images/scenegraph-generic.svg | |
| https://threejs.org/manual/#en/scenegraph | https://threejs.org/docs/#Object3D.renderOrder | |
| https://threejs.org/docs/?q=instanced#InstancedMesh.count | https://threejs.org/docs/pages/WebGLRenderer.html#localClippingEnabled | |
| https://threejs.org/examples/#webgl_materials_alphahash | https://threejs.org/examples/#webgl_materials_blending | |
| https://threejs.org/examples/#webgl_materials_blending_custom | https://threejs.org/docs/#WebGLRenderer | |
| https://threejs.org/docs/#WebGPURenderer | https://threejs.org/docs/# |
Raw Manifest
{ "name": "Needle Inspector — DevTools for three.js", "icons": { "16": "icons/icon-16.png", "32": "icons/icon-32.png", "48": "icons/icon-48.png", "128": "icons/icon-128.png" }, "action": { "default_title": "Needle Scene Inspector - Click to reload and inject" }, "author": { "url": "https://needle.tools/", "name": "Needle", "email": "hi@needle.tools" }, "omnibox": { "keyword": "needleinspect" }, "version": "1.0.1", "background": { "type": "module", "service_worker": "src/service-worker.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Inspect any three.js, react-three-fiber or Needle Engine project with a visual hierarchy, real-time property editing, MCP connection", "permissions": [ "activeTab", "storage", "identity", "webRequest", "webNavigation" ], "content_scripts": [ { "js": [ "src/content.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ], "all_frames": true }, { "js": [ "src/postmessage.bridge.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ], "all_frames": true }, { "js": [ "src/needle-chrome.client.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "<all_urls>" ], "all_frames": true } ], "host_permissions": [ "https://auth.needle.tools/*", "file://*/*", "http://*/*", "https://*/*" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "src/needle-chrome.client.js", "dependencies/editor.js", "dependencies/chrome.js.map", "dependencies/*.map" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.