Extension Details
Context-Aware Verdict
The extension has strong user adoption with 100,000 users and an excellent 4.9-star rating from 372 reviews, suggesting legitimate functionality and user satisfaction. The specific focus on YouTube to NotebookLM integration indicates a clear, defined purpose that users find valuable.
The extension requests extremely broad permissions that far exceed what's necessary for YouTube-to-NotebookLM functionality. The <all_urls> host permission and universal content script injection (*://*/*) allow access to every website you visit, not just YouTube. This creates significant privacy and security risks, as the extension can read sensitive data from banking sites, email, social media, and any other web content. The tabs permission enables monitoring of your browsing activity across all websites. While storage permissions are reasonable for saving content, the unlimited storage capability could be excessive.
Despite the high user rating, the overly broad permissions present substantial privacy risks. Consider running this extension in a separate Chrome profile dedicated only to YouTube and NotebookLM activities to limit exposure. Alternatively, look for similar extensions with more restrictive permissions that only access YouTube domains. If you must use this extension in your main profile, regularly review what data it might be collecting and consider the trade-off between convenience and privacy protection.
Findings
Security Analysis Details
Required Permissions:
- tabs
- storage
- contextMenus
- scripting
- unlimitedStorage
Host Permissions:
- <all_urls>
Embedded URLs (27 total):
| https://www.youtube.com/watch?v=L_Guz73e6fw | https://clients2.google.com/service/update2/crx | |
| https://api.mixpanel.com/track?ip=1&data= | https://chromewebstore.google.com/detail/ | |
| https://notebooklm.google.com/ | https://notebooklm.google.com/_/LabsTailwindUi/data/batchexecute | |
| https://www.youtube.com/watch?v= | https://notebooklm.google.com/notebook/ | |
| https://accounts.google.com/ListAccounts?json=standard&source=ogb&md=1&cc=1&mn=1&mo=1&gpsia=1&fwput=860&listPages=1&origin=https%3A%2F%2Fwww.google.com | https://dub.sh/R54JZHj | |
| https://github.com/facebook/regenerator/blob/main/LICENSE | http://www.example.com | |
| https://bf400567be25b62fb781201dcb9bd725@o4509712863854592.ingest.us.sentry.io/4509712864968704 | https://www.youtube.com | |
| https://www.youtube.com/youtubei/v1/browse?key= | https://www.youtube.com/ | |
| https://www.youtube.com/channel/ | https://addons.mozilla.org/en-US/firefox/addon/youtube-to-notebooklm/ | |
| https://chromewebstore.google.com/detail/youtube-to-notebooklm/kobncfkmjelbefaoohoblamnbackjggk/reviews#:~:text=Write%20a%20review | http://www.w3.org/2000/svg | |
| https://fonts.gstatic.com/s/outfit/v11/QGYvz_MVcBeNP4NJuktqUYLkn8BJ.woff2 | https://fonts.gstatic.com/s/outfit/v11/QGYvz_MVcBeNP4NJtEtqUYLknw.woff2 | |
| https://vuejs.org/error-reference/#runtime- | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xlink | https://docs.sentry.io/platforms/javascript/best-practices/browser-extensions/ | |
| https://api.mixpanel.com |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAqkAqGgFYU4JJ+Qh13NUEPx61xjWZukMij/5sMJVwWtM1c/pNNPjpUnalhWLx9XlHQmM+kr5ecdRSv63i22nxNnw5b0Qbjt02Q8ytwLCEhDB7Asrj6mP0Xhr7G+SUJ1WTVBx5Eut665rrmPhxlwDFLnFHbuEgV9ABTH6vQAdpqCC+6PUKxHbxv/xeflCs9BQU7HTRcnfWwnIj8NsK9TEkZ1otSLalBOMOYC3+HMB37ZGm9npREMCgxP80Hp4hdLkab/oiI0voFuPhJGYHw256IFGtXQYo4JQgwAKpRIXcqIEMYOvEIeVjXlbGM9Fj4Ub7GwchbRopNYfFjh1cJ26WqwIDAQAB", "name": "__MSG_appName__", "icons": { "16": "icon/icon_16.png", "32": "icon/icon_32.png", "48": "icon/icon_48.png", "128": "icon/icon_128.png" }, "action": { "default_icon": { "16": "icon/icon_16.png", "32": "icon/icon_32.png", "48": "icon/icon_48.png", "128": "icon/icon_128.png" }, "default_popup": "/ytlm-app/dist/index.html", "default_title": "__MSG_appName__" }, "version": "1.0.25", "background": { "service_worker": "/build/background.js" }, "short_name": "YouTube to NotebookLM", "update_url": "https://clients2.google.com/service/update2/crx", "description": "__MSG_shortDesc__", "permissions": [ "tabs", "storage", "contextMenus", "scripting", "unlimitedStorage" ], "options_page": "/ytlm-app/dist/index.html", "default_locale": "en", "content_scripts": [ { "js": [ "/build/app.js" ], "run_at": "document_start", "matches": [ "*://*/*" ], "all_frames": true }, { "css": [ "/build/context.css" ], "run_at": "document_start", "matches": [ "https://*.youtube.com/*" ], "all_frames": true } ], "host_permissions": [ "<all_urls>" ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "<all_urls>" ], "resources": [ "icon/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.