Extension Details
Context-Aware Verdict
The extension has very limited adoption with only 25 users and appears to be in early development (version 0.0.3). While it maintains a perfect 5.0 rating, this is based on an extremely small sample size. The lack of developer information and company details raises transparency concerns. The extension's purpose appears to be integrating Vim text editing capabilities with web forms, which is a legitimate use case for developers.
The combination of nativeMessaging, activeTab, and scripting permissions creates a concerning security profile. The nativeMessaging permission allows communication with native applications on your computer, which could potentially be exploited to execute system-level commands. When combined with activeTab and scripting permissions, this creates a pathway for the extension to inject code into web pages and communicate with external programs. For a Vim integration tool, nativeMessaging might be necessary for editor functionality, but the broad access is concerning given the minimal user base and lack of established reputation.
Install this extension only in a separate Chrome profile dedicated to development work. Avoid using it on pages containing sensitive information like banking or personal accounts. Monitor system activity when the extension is active. Consider waiting for the extension to mature and gain more users before adoption, or seek established alternatives with better track records and transparency.
Findings
Security Analysis Details
Required Permissions:
- nativeMessaging
- activeTab
- scripting
Embedded URLs (2 total):
| https://github.com/mbid/vim-compose | https://clients2.google.com/service/update2/crx |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAxHW+LGAt9lZqtX//i4fQ32WNYkIGKaiHahIC8My1WOEoJ5k0FEsyJjk2KmWBGb4q26HnLPlKD8FUw89CmHvTyzEGIZZvG/Bh+v8d2qE4/BY2AOXhBMlWbk5eWCdgPETJKko/JjbyP4jti7Js7wGlwW5vQ8W4pz2rJoMjWWis8Ck0pzgrjUolskahazNiDj+W8361OPp0MeUC6vExiDYKZDdmnxpUiBFJk14M8cPTadWkU57qNCA31+nQLId2F8R/U4vzuuKVGUFi2Xkvwf7HZwpJw2XD0d1C0wbvUxF/nKL4hYIzEjplOVf0N9EyKkobVYeE65LHxUNlMc3NDx0ebwIDAQAB", "name": "Vim Compose", "icons": { "16": "icon16.png", "32": "icon32.png", "48": "icon48.png", "128": "icon128.png" }, "action": {}, "version": "0.0.3", "commands": { "_execute_action": { "description": "Edit in vim", "suggested_key": { "default": "Ctrl+Shift+E" } } }, "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Compose mail and other text on the web as markdown in vim.", "permissions": [ "nativeMessaging", "activeTab", "scripting" ], "manifest_version": 3 }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.