Extension Details
Context-Aware Verdict
The extension has very limited adoption with only 1,000 users and minimal user feedback (just 2 ratings with a 3.0 average). The developer "passed.ai" appears to be associated with an AI service, but there's insufficient information about the company's reputation or track record. The extension is relatively new (version 1.0.0) with no established history of updates or maintenance.
The primary concern is the identity permission, which grants access to your Google account information and authentication tokens. This is particularly risky given the extension's content script access to Google Docs, creating a pathway for potential data exfiltration. The combination of identity access with Google Docs integration could allow unauthorized access to your documents and personal information. The low user base and limited reviews make it difficult to assess real-world safety. The storage permission, while less critical, allows the extension to persist data locally, which could include sensitive information extracted from your documents.
Given the high-risk identity permission and limited trust indicators, consider running this extension in a separate Chrome profile dedicated to non-sensitive activities. Before installation, verify the legitimacy of passed.ai and their privacy practices. Monitor the extension's behavior closely and revoke access immediately if you notice any suspicious activity. Consider whether the extension's functionality truly requires identity access, and look for alternative solutions with more restrictive permissions if available.
Findings
Security Analysis Details
Required Permissions:
- identity
- storage
Embedded URLs (50 total):
| https://us-central1-passedai.cloudfunctions.net/storeScanData | https://us-central1-passedai.cloudfunctions.net/getHistoryUrl?token= | |
| https://us-central1-passedai.cloudfunctions.net/getRevisionsUrl | https://us-central1-passedai.cloudfunctions.net/getPreviousScans | |
| https://us-central1-passedai.cloudfunctions.net/passedExtScan | https://securetoken.google.com/ | |
| https://firebaseinstallations.googleapis.com/v1 | https://www.googletagmanager.com/gtag/js | |
| https://firebase.googleapis.com/v1alpha/projects/-/apps/ | https://content-firebaseappcheck.googleapis.com/v1 | |
| https://www.google.com/recaptcha/api.js | https://www.google.com/recaptcha/enterprise.js | |
| https://www.google.com/recaptcha/api.js?? | https://apis.google.com/js/api.js?onload= | |
| https://console.firebase.google.com/. | https://stackoverflow.com/q/56496296/110915 | |
| https://fcmregistrations.googleapis.com/v1 | https://firebase.google.com/docs/web/environments-js-sdk#polyfills | |
| https://firebase.google.com/pricing/. | https://firebaselogging.googleapis.com/v0cc/log?format=json_proto | |
| https://firebaseremoteconfig.googleapis.com/v1/projects/ | https://firebaseremoteconfig.googleapis.com | |
| https://www.gstatic.com/firebasejs/5.0.0/firebase- | https://app.passed.ai | |
| https://www.jsdelivr.com/using-sri-with-dynamic-files | http://momentjs.com/guides/#/warnings/define-locale/ | |
| http://momentjs.com/guides/#/warnings/js-date/ | http://momentjs.com/guides/#/warnings/min-max/ | |
| http://momentjs.com/guides/#/warnings/add-inverted-param/ | http://momentjs.com/guides/#/warnings/zone/ | |
| http://momentjs.com/guides/#/warnings/dst-shifted/ | http://hammerjs.github.io/ | |
| https://www.chartjs.org | https://github.com/kurkle/color#readme | |
| https://app.passed.ai/help | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | https://app.passed.ai/scans/ | |
| https://app.passed.ai/?extension=true | https://app.passed.ai/credits/?extension=true | |
| https://clients2.google.com/service/update2/crx | https://www.googleapis.com/auth/userinfo.email | |
| https://github.com/facebook/regenerator/blob/main/LICENSE | http://www.apache.org/licenses/LICENSE-2.0 | |
| https://fonts.googleapis.com/css2?family=Quicksand:wght@600&display=swap | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | https://fb.me/react-polyfills |
Raw Manifest
{ "key": "MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAofrQgo0dQiCotLo927lyKKQgnhWCtErSsYqqIFNObVi55CsFMSNKUKsBH8T3m2KQd18z6yocSV8sG/75psdzOX5QESLN3+eIDW/Csj/i/cQk336DVsH29TwjuLhuI9+zO2fI77Lq+o0FyMRpMCyWN1dwfUzD8ZtiINQ4F6rmjQtlbe1MHT+sfNwefmqTf6nlFikyw8zGHZrNHaDhqv/uGap2vJhvFkaSJmWUeqeT4ix8jaGPOToxC+j3ioh2L+9CiyAIgQi80wZD4z8qtZca8a4L1VmgpdcwMouHgZlWNb7sFq30XDyn9sFjNrAZ5M63OQXJ2tejlCpF5QQsWe6F5wIDAQAB", "name": "Passed.ai Extension", "icons": { "16": "favicon-16x16.png", "48": "passedai_logo48.png", "128": "192x192.png" }, "action": { "default_popup": "./src/popup/public/index.html" }, "oauth2": { "scopes": [ "https://www.googleapis.com/auth/userinfo.email" ], "client_id": "1074435050373-jov22obdt6cfk01c4ejtc9hpvifqrfbi.apps.googleusercontent.com" }, "version": "1.0.0", "background": { "service_worker": "serviceWorker/background.js" }, "short_name": "Passed.ai Extension", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Passed.ai Extension for Google Docs", "permissions": [ "identity", "storage" ], "content_scripts": [ { "js": [ "scripts/content.js" ], "matches": [ "*://docs.google.com/*" ], "all_frames": false } ], "manifest_version": 3, "web_accessible_resources": [ { "matches": [ "*://docs.google.com/*" ], "resources": [ "scripts/injected-script.js", "styles/injected-styles.css", "favicon-32x32.png", "ajax-loader.gif", "scan_logo.png", "passed-shield.png", "inline-shield-bluename.png", "logo.webp" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.