[ new scan ] [ statistics ] [ github ] [ twitter ]

One Click Image Downloader - WEBP & JPEG & PNG - Pickysaver

Version 1.0.1 View in Chrome Web Store

Last scanned: 1 day ago | force re-scan

Extension Details

Rating: 5.0 ★ (1 rating)

Users: 33

Context-Aware Verdict

HIGH

Risk Level

Trust Factors:

The extension has extremely limited trust indicators with only 33 users and a single 5-star rating, which is insufficient to establish credibility. The lack of developer information, company details, and recent update history raises significant transparency concerns. While the functionality of downloading images is legitimate, the minimal user base suggests this extension hasn't been thoroughly vetted by the community.

Concerns:

The most significant concern is the broad content script injection capability across all URLs, which grants the extension access to read and modify content on every website you visit. This level of access far exceeds what's typically necessary for image downloading functionality. The extension could potentially capture sensitive information like login credentials, personal data, or browsing habits from any website. The storage permission, while less concerning, allows the extension to retain data locally without clear disclosure of what information is being stored.

Recommendations:

Given the high-risk permissions combined with the lack of established trust factors, consider running this extension in a separate Chrome profile to isolate it from your primary browsing activities. Alternatively, look for more established image downloading extensions with larger user bases and transparent developer information. If you choose to use this extension, avoid using it while accessing sensitive websites like banking or email services, and regularly review what data it might be storing locally.

Security Analysis

MEDIUM

Overall Risk

Based on 2 total findings, ranked without considering overall context, including 1 high-risk and 1 medium-risk findings.

HIGH

Broad Content Script Injection

This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.

MEDIUM

Medium-Risk Permission: storage

This extension has the storage permission. Can store data locally.

Security Analysis Details

Required Permissions:

storage

Embedded URLs (348 total):

https://clients2.google.com/service/update2/crx	https://registry.npmjs.org/@babel/code-frame/-/code-frame-7.27.1.tgz
https://registry.npmjs.org/@babel/helper-validator-identifier/-/helper-validator-identifier-7.27.1.tgz	https://registry.npmjs.org/@babel/runtime/-/runtime-7.27.6.tgz
https://registry.npmjs.org/@devicefarmer/adbkit/-/adbkit-3.3.8.tgz	https://registry.npmjs.org/@devicefarmer/adbkit-logcat/-/adbkit-logcat-2.1.3.tgz
https://registry.npmjs.org/@devicefarmer/adbkit-monkey/-/adbkit-monkey-1.2.1.tgz	https://registry.npmjs.org/@eslint-community/eslint-utils/-/eslint-utils-4.7.0.tgz
https://opencollective.com/eslint	https://registry.npmjs.org/eslint-visitor-keys/-/eslint-visitor-keys-3.4.3.tgz
https://registry.npmjs.org/@eslint-community/regexpp/-/regexpp-4.12.1.tgz	https://registry.npmjs.org/@eslint/eslintrc/-/eslintrc-2.1.4.tgz
https://registry.npmjs.org/ajv/-/ajv-6.12.6.tgz	https://github.com/sponsors/epoberezkin
https://registry.npmjs.org/espree/-/espree-9.6.1.tgz	https://registry.npmjs.org/json-schema-traverse/-/json-schema-traverse-0.4.1.tgz
https://registry.npmjs.org/strip-json-comments/-/strip-json-comments-3.1.1.tgz	https://github.com/sponsors/sindresorhus
https://registry.npmjs.org/@eslint/js/-/js-8.57.1.tgz	https://registry.npmjs.org/@fluent/syntax/-/syntax-0.19.0.tgz
https://registry.npmjs.org/@fregante/relaxed-json/-/relaxed-json-2.0.0.tgz	https://registry.npmjs.org/@humanwhocodes/config-array/-/config-array-0.13.0.tgz
https://registry.npmjs.org/@humanwhocodes/module-importer/-/module-importer-1.0.1.tgz	https://github.com/sponsors/nzakas
https://registry.npmjs.org/@humanwhocodes/object-schema/-/object-schema-2.0.3.tgz	https://registry.npmjs.org/@mdn/browser-compat-data/-/browser-compat-data-6.0.32.tgz
https://registry.npmjs.org/@nodelib/fs.scandir/-/fs.scandir-2.1.5.tgz	https://registry.npmjs.org/@nodelib/fs.stat/-/fs.stat-2.0.5.tgz
https://registry.npmjs.org/@nodelib/fs.walk/-/fs.walk-1.2.8.tgz	https://registry.npmjs.org/@pnpm/config.env-replace/-/config.env-replace-1.1.0.tgz
https://registry.npmjs.org/@pnpm/network.ca-file/-/network.ca-file-1.0.2.tgz	https://registry.npmjs.org/graceful-fs/-/graceful-fs-4.2.10.tgz
https://registry.npmjs.org/@pnpm/npm-conf/-/npm-conf-2.3.1.tgz	https://registry.npmjs.org/@types/minimatch/-/minimatch-3.0.5.tgz
https://registry.npmjs.org/@types/node/-/node-24.2.1.tgz	https://registry.npmjs.org/@types/yauzl/-/yauzl-2.10.3.tgz
https://registry.npmjs.org/@ungap/structured-clone/-/structured-clone-1.3.0.tgz	https://registry.npmjs.org/acorn/-/acorn-8.15.0.tgz
https://registry.npmjs.org/acorn-jsx/-/acorn-jsx-5.3.2.tgz	https://registry.npmjs.org/addons-linter/-/addons-linter-7.18.0.tgz
https://registry.npmjs.org/addons-moz-compare/-/addons-moz-compare-1.3.0.tgz	https://registry.npmjs.org/addons-scanner-utils/-/addons-scanner-utils-9.13.0.tgz
https://registry.npmjs.org/adm-zip/-/adm-zip-0.5.16.tgz	https://registry.npmjs.org/agent-base/-/agent-base-7.1.4.tgz
https://registry.npmjs.org/ajv/-/ajv-8.17.1.tgz	https://registry.npmjs.org/ansi-align/-/ansi-align-3.0.1.tgz
https://registry.npmjs.org/emoji-regex/-/emoji-regex-8.0.0.tgz	https://registry.npmjs.org/string-width/-/string-width-4.2.3.tgz
https://registry.npmjs.org/ansi-regex/-/ansi-regex-5.0.1.tgz	https://registry.npmjs.org/ansi-styles/-/ansi-styles-4.3.0.tgz
https://github.com/chalk/ansi-styles?sponsor=1	https://registry.npmjs.org/argparse/-/argparse-2.0.1.tgz
https://registry.npmjs.org/array-differ/-/array-differ-4.0.0.tgz	https://registry.npmjs.org/array-union/-/array-union-3.0.1.tgz
https://registry.npmjs.org/async/-/async-3.2.6.tgz	https://registry.npmjs.org/atomic-sleep/-/atomic-sleep-1.0.0.tgz
https://registry.npmjs.org/atomically/-/atomically-2.0.3.tgz	https://registry.npmjs.org/balanced-match/-/balanced-match-1.0.2.tgz
https://registry.npmjs.org/bluebird/-/bluebird-3.7.2.tgz	https://registry.npmjs.org/boolbase/-/boolbase-1.0.0.tgz
https://registry.npmjs.org/boxen/-/boxen-8.0.1.tgz	https://registry.npmjs.org/chalk/-/chalk-5.5.0.tgz
https://github.com/chalk/chalk?sponsor=1	https://registry.npmjs.org/type-fest/-/type-fest-4.41.0.tgz
https://registry.npmjs.org/brace-expansion/-/brace-expansion-1.1.12.tgz	https://registry.npmjs.org/buffer-crc32/-/buffer-crc32-0.2.13.tgz
https://registry.npmjs.org/buffer-from/-/buffer-from-1.1.2.tgz	https://registry.npmjs.org/bundle-name/-/bundle-name-4.1.0.tgz
https://registry.npmjs.org/callsites/-/callsites-3.1.0.tgz	https://registry.npmjs.org/camelcase/-/camelcase-8.0.0.tgz
https://registry.npmjs.org/chalk/-/chalk-4.1.2.tgz	https://registry.npmjs.org/cheerio/-/cheerio-1.0.0-rc.12.tgz
https://github.com/cheeriojs/cheerio?sponsor=1	https://registry.npmjs.org/cheerio-select/-/cheerio-select-2.1.0.tgz
https://github.com/sponsors/fb55	https://registry.npmjs.org/chrome-launcher/-/chrome-launcher-1.2.0.tgz
https://registry.npmjs.org/cli-boxes/-/cli-boxes-3.0.0.tgz	https://registry.npmjs.org/cliui/-/cliui-8.0.1.tgz
https://registry.npmjs.org/wrap-ansi/-/wrap-ansi-7.0.0.tgz	https://github.com/chalk/wrap-ansi?sponsor=1

Page 1 of 5

Raw Manifest

{
  "name": "One Click Image Downloader - WEBP & JPEG & PNG - Pickysaver",
  "icons": {
    "16": "icon16.png",
    "48": "icon48.png",
    "128": "icon128.png"
  },
  "action": {
    "default_popup": "popup.html",
    "default_title": "Pickysaver Settings"
  },
  "version": "1.0.1",
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "One-click image downloader with format selection (WEBP, JPEG, PNG). No more right-clicking - download images instantly!",
  "permissions": [
    "storage"
  ],
  "content_scripts": [
    {
      "js": [
        "content.js"
      ],
      "css": [
        "styles.css"
      ],
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "manifest_version": 3
}