[ new scan ] [ statistics ] [ github ] [ twitter ] [ help ]

GTM & CMP Helper

Version 3.0 View in Chrome Web Store

Last scanned: about 8 hours ago

Extension Details

Developer: https://www.analytrix.de/

Rating: 4.4 ★ (7 ratings)

Users: 1,000

Context-Aware Verdict

HIGH

Overall Risk

Trust Factors:

The extension comes from Analytrix, a legitimate analytics company, which adds some credibility. However, with only 1,000 users and just 7 ratings, it has a very limited user base that makes it difficult to assess real-world reliability. The 4.4 rating is positive but based on minimal feedback. The specialized nature for GTM (Google Tag Manager) and CMP (Consent Management Platform) work suggests it serves a legitimate business purpose.

Concerns:

The extension requests extremely broad permissions that far exceed what would typically be necessary for GTM and CMP assistance. The combination of cookies access, scripting permissions, and universal host permissions (<all_urls>) creates a powerful surveillance capability. It can inject scripts into every website you visit, access and modify all cookies, and potentially capture sensitive data including login credentials, personal information, and browsing patterns. For a tool focused on tag management, these permissions appear excessive and concerning.

Recommendations:

Given the high risk level, run this extension in a separate Chrome profile dedicated only to development or analytics work. Avoid using it while browsing sensitive sites like banking or personal accounts. Consider whether the functionality truly requires such broad access - legitimate GTM helpers often work with more limited permissions. Monitor your cookies and website behavior when the extension is active, and disable it when not actively needed for GTM/CMP work.

Findings

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

HIGH

Broad Host Permissions

This extension has broad host permissions allowing it to access many or all websites. This could potentially be used to steal sensitive data or track browsing activity.

HIGH

High-Risk Permission: cookies

This extension has the cookies permission. Can access and modify browser cookies. This could potentially be used maliciously to compromise security or privacy.

MEDIUM

Medium-Risk Permission: activeTab

This extension has the activeTab permission. Can access the active tab when clicking the extension icon.

Raw Manifest

{
  "name": "GTM & CMP Helper",
  "icons": {
    "16": "images/injectGTM.png",
    "32": "images/injectGTM.png",
    "48": "images/injectGTM_big.png",
    "128": "images/injectGTM_big.png"
  },
  "action": {
    "default_icon": {
      "16": "images/injectGTM.png",
      "32": "images/injectGTM.png",
      "48": "images/injectGTM_big.png",
      "128": "images/injectGTM_big.png"
    },
    "default_popup": "popup.html"
  },
  "version": "3.0",
  "background": {
    "service_worker": "background.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "Reset consent state for 60+ CMPs and / or inject GTM container, push dataLayer events, or execute JS on selected pages.",
  "permissions": [
    "activeTab",
    "cookies",
    "scripting"
  ],
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "world": "MAIN",
      "run_at": "document_idle",
      "matches": [
        "<all_urls>"
      ],
      "all_frames": true
    }
  ],
  "host_permissions": [
    "<all_urls>"
  ],
  "manifest_version": 3
}

by ✦ Astarte

GTM & CMP Helper

Extension Details

Context-Aware Verdict

Findings

Security Analysis Details

Required Permissions:

Host Permissions:

Embedded URLs (3 total):

Raw Manifest

Detections

Manifest Findings

https://www.analytrix.de/gtm-checkup-helper.html?autoaccountid=	https://clients2.google.com/service/update2/crx
https://www.analytrix.de/gtm-helper-chrome-extension.html