Extension Details
Context-Aware Verdict
The extension has a relatively small user base of 4,000 users and only 4 ratings, which limits confidence in its widespread adoption and community vetting. The 4.2-star rating is positive but based on very few reviews. The lack of clear developer information and company details raises transparency concerns. SalesHood appears to be a sales training/enablement platform, which would legitimately need some web access for its functionality.
The extension requests extremely broad permissions that far exceed what would typically be necessary for a sales training tool. The universal host permissions (*://*/*) allow access to every website you visit, creating significant privacy risks. The tabs permission enables monitoring and manipulation of all browser tabs. The broad content script injection capability means this extension can read and modify content on any website, potentially capturing sensitive information like login credentials, financial data, or personal information. The combination of these permissions creates a powerful surveillance and data collection capability.
Given the high-risk profile, consider running this extension in a separate Chrome profile dedicated solely to sales-related activities. Before installation, contact SalesHood directly to understand why such broad permissions are necessary for their service. Monitor your browsing behavior and be cautious about visiting sensitive websites while this extension is active. Consider whether the sales training benefits justify the significant privacy trade-offs, and explore alternative solutions with more limited permission requirements.
Findings
Security Analysis Details
Required Permissions:
- declarativeNetRequest
- declarativeNetRequestFeedback
- storage
- activeTab
- scripting
- tabs
Host Permissions:
- *://*/*
Embedded URLs (104 total):
| https://clients2.google.com/service/update2/crx | https://mail.google.com | |
| https://chromewebstore.google.com/detail/disable-content-security/ieelmcmcagommplceebfedjlakkhpden?hl=en | http://www.w3.org/2000/svg | |
| http://www.w3.org/1999/xlink | https://markjs.io/ | |
| https://git.io/vwTVl | https://github.com/facebook/regenerator/blob/main/LICENSE | |
| http://momentjs.com/guides/#/warnings/define-locale/ | http://momentjs.com/guides/#/warnings/js-date/ | |
| http://momentjs.com/guides/#/warnings/min-max/ | http://momentjs.com/guides/#/warnings/add-inverted-param/ | |
| http://momentjs.com/guides/#/warnings/zone/ | http://momentjs.com/guides/#/warnings/dst-shifted/ | |
| https://fontawesome.com | https://fontawesome.com/license/free | |
| http://fb.me/use-check-prop-types | https://github.com/date-fns/date-fns/blob/master/docs/upgradeGuide.md#string-arguments | |
| https://github.com/jfroffice | https://github.com/lluchs | |
| https://github.com/Oire | https://github.com/mik01aj | |
| https://github.com/jalex79 | https://github.com/caio-ribeiro-pereira | |
| https://github.com/julionc | https://github.com/erhangundogan | |
| https://github.com/BYK | https://github.com/sirn | |
| https://github.com/Viktorminator | https://github.com/socketpair | |
| https://github.com/suupic | https://github.com/zenozeng | |
| https://github.com/uu109 | https://github.com/tyok | |
| http://id.wikisource.org/wiki/Pedoman_Umum_Ejaan_Bahasa_Indonesia_yang_Disempurnakan | https://github.com/aliem | |
| https://github.com/nostalgiaz | https://github.com/Manfre98 | |
| https://github.com/baryon | https://git.io/JUIaE# | |
| http://www.w3.org/XML/1998/namespace | http://example.com | |
| http://www.apache.org/licenses/LICENSE-2.0 | https://github.com/ankeetmaini/react-infinite-scroll-component/issues/59 | |
| https://momentjs.com/timezone/docs/#/use-it/browser/ | http://momentjs.com/timezone/docs/#/data-loading/. | |
| https://github.com/pladaria/reconnecting-websocket | https://github.com/uuidjs/uuid#getrandomvalues-not-supported | |
| https://sdp-proxy.service | https://feross.org | |
| https://github.com/remarkjs/react-markdown/blob/main/changelog.md | https://prosemirror.net/docs/guide/#generatable | |
| https://reactjs.org/docs/error-decoder.html?invariant= | https://reactjs.org/link/react-polyfills | |
| http://www.w3.org/1999/xhtml | http://www.w3.org/1998/Math/MathML | |
| http://jedwatson.github.io/classnames | https://feross.org/opensource | |
| https://lodash.com/ | https://openjsf.org/ | |
| https://lodash.com/license | http://underscorejs.org/LICENSE | |
| https://npms.io/search?q=ponyfill. | https://sketch.com | |
| http://www.w3.org/Graphics/SVG/1.1/DTD/svg11.dtd | http://ns.adobe.com/Extensibility/1.0/ | |
| http://ns.adobe.com/AdobeIllustrator/10.0/ | http://ns.adobe.com/Graphs/1.0/ | |
| http://ns.adobe.com/Variables/1.0/ | http://ns.adobe.com/ImageReplacement/1.0/ | |
| http://ns.adobe.com/SaveForWeb/1.0/ | http://ns.adobe.com/GenericCustomNamespace/1.0/ | |
| http://ns.adobe.com/XPath/1.0/ | https://saleshood.preview.saleshood.com/auth/login?return_url=%2F | |
| https://fb.me/react-async-component-lifecycle-hooks | https://support.saleshood.com/hc/en-us/articles/24637621096077-Managing-Whitelist-Settings-for-Links | |
| http://purl.eligrey.com/github/classList.js/blob/master/classList.js | https://github.com/kesla/parse-headers/ | |
| https://github.com/kesla/parse-headers/blob/master/LICENCE | https://example.com |
Raw Manifest
{ "name": "SalesHood", "icons": { "16": "images/icon-16x16.png", "32": "images/icon-32x32.png", "48": "images/icon-48x48.png", "128": "images/icon-128x128.png" }, "action": { "default_popup": "popup/index.html", "default_title": "Saleshood Extension" }, "version": "1.2.18", "background": { "type": "module", "service_worker": "service-worker-loader.js" }, "options_ui": { "page": "options/index.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Enhance your SalesHood experience by improving integrations with other systems.", "permissions": [ "declarativeNetRequest", "declarativeNetRequestFeedback", "storage", "activeTab", "scripting", "tabs" ], "content_scripts": [ { "js": [ "assets/share-content-modal-script.js-loader-5d097586.js" ], "matches": [ "*://*/*" ] }, { "js": [ "assets/webapp-content-script.js-loader-61024e90.js" ], "run_at": "document_end", "matches": [ "*://*.saleshood.com/*", "*://*.skillshood.com/*", "*://saleshood.lvh.me/*" ] } ], "host_permissions": [ "*://*/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://*.saleshood.com/*", "*://*.skillshood.com/*", "*://saleshood.lvh.me/*" ] }, "web_accessible_resources": [ { "matches": [ "*://*/*" ], "resources": [ "share-content-modal-dist/assets/*", "share-content-modal/VideoJSFont.css", "csp/trusted-security-policies.js", "content-scripts/add_gmail_button_script.js", "content-scripts/store_original_html_element.js", "assets/auth-4e29c0b9.js", "assets/_commonjsHelpers-de833af9.js", "assets/share-content-modal-script.js-0fd69a1c.js" ], "use_dynamic_url": false }, { "matches": [ "*://*.saleshood.com/*", "*://*.skillshood.com/*", "*://saleshood.lvh.me/*" ], "resources": [ "assets/webapp-content-script.js-2485d84a.js" ], "use_dynamic_url": false } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.