The extension has a modest user base of 2,000 users and a decent rating of 4.2, which provides some community validation. However, the "Staging" designation in the name suggests this may be a development or testing version rather than a production release, which raises concerns about stability and security practices. The lack of clear developer information and the missing details about the company behind it significantly undermine trust.
The extension requests extremely broad permissions that are disproportionate for most legitimate use cases. The combination of universal host permissions (*://*/*) with content script injection across all URLs creates a dangerous attack surface. The webRequest permission allows complete interception and modification of web traffic, while the downloads permission could facilitate malware distribution. The nativeMessaging permission enables communication with local applications, potentially bypassing browser security boundaries. These permissions collectively grant the extension unprecedented access to user data, browsing activity, and system resources.
Given the critical risk level, avoid installing this extension unless absolutely necessary for business purposes. If required, run it in a completely isolated Chrome profile with no access to personal accounts or sensitive data. Regularly audit what data the extension might be accessing and consider network monitoring to detect unusual traffic patterns. Contact the developer for clarification on why such broad permissions are necessary and request a detailed privacy policy explaining data handling practices.
```json
{
  "name": "Smokeball-Staging",
  "icons": {
    "48": "images/sb-chrome48.png",
    "128": "images/sb-chrome128.png"
  },
  "action": {
    "default_icon": {
      "16": "images/icon.png"
    },
    "default_popup": "popup/popup.html",
    "default_title": "Web to Smokeball"
  },
  "version": "2.0.3",
  "background": {
    "type": "module",
    "service_worker": "service-worker.js"
  },
  "update_url": "https://clients2.google.com/service/update2/crx",
  "description": "This extension allows saving data from the web to Smokeball.",
  "permissions": [
    "activeTab",
    "downloads",
    "nativeMessaging",
    "pageCapture",
    "storage",
    "tabs",
    "webRequest"
  ],
  "content_scripts": [
    {
      "js": [
        "scripts/content.js"
      ],
      "matches": [
        "<all_urls>"
      ]
    }
  ],
  "host_permissions": [
    "*://*/*"
  ],
  "manifest_version": 3,
  "web_accessible_resources": [
    {
      "matches": [
        "<all_urls>"
      ],
      "resources": [
        "properties.js"
      ]
    }
  ]
}
```