Extension Details
Rating:
4.2 ★
(59 ratings)
Users:
100,000
Context-Aware Verdict
This section provides a Claude-based AI analysis that applies additional context to the risk. Results are not guaranteed to be accurate.
HIGH
Overall Risk
Trust Factors:
Temple Wallet appears to be a cryptocurrency wallet extension with 100,000 users and a decent 4.2-star rating from 59 reviews. However, the lack of clear developer information and company details reduces trustworthiness. The extension's purpose as a crypto wallet does justify some of its more invasive permissions, but the implementation raises security concerns.
Key Concerns:
The extension has extremely broad content script injection capabilities across all websites, which is excessive even for a wallet application. The unsafe WebAssembly execution policy creates potential attack vectors for malicious code execution. The clipboardWrite permission, while useful for copying wallet addresses, could be misused to replace copied cryptocurrency addresses with attacker-controlled ones. The localhost host permissions suggest development/testing functionality that shouldn't be present in production releases.
The combination of unlimited storage, broad web access, and unsafe code execution creates a high-risk profile that could be exploited if the extension is compromised or contains malicious code.
Recommendations:
Consider running this extension in a separate Chrome profile dedicated to cryptocurrency activities only. Regularly monitor clipboard contents when copying sensitive information like wallet addresses. Keep the extension updated and consider switching to hardware wallets for significant cryptocurrency holdings. Review the extension's network activity and be cautious about which websites you visit while the extension is active.
Findings
This section provides a detailed analysis of the extension's security posture, without broader context. Assumes worst-case impact.
HIGH
Broad Content Script Injection
This extension can inject scripts into any website. This means it could potentially read sensitive data, modify website content, or steal credentials.
HIGH
High-Risk Permission: clipboardWrite
This extension has the clipboardWrite permission. Can modify clipboard content. This could potentially be used maliciously to compromise security or privacy.
HIGH
Unsafe WebAssembly Execution
This extension's Content Security Policy allows 'wasm-unsafe-eval', which permits potentially dangerous WebAssembly code execution. This could be used to hide malicious code or perform CPU-intensive operations.
MEDIUM
Medium-Risk Permission: activeTab
This extension has the activeTab permission. Can access the active tab when clicking the extension icon.
MEDIUM
Medium-Risk Permission: storage
This extension has the storage permission. Can store data locally.
MEDIUM
Medium-Risk Permission: unlimitedStorage
This extension has the unlimitedStorage permission. Can store unlimited data locally.
Security Analysis Details
Required Permissions:
- storage
- unlimitedStorage
- clipboardWrite
- activeTab
- sidePanel
Optional Permissions:
- clipboardRead
Host Permissions:
- http://localhost:8732/
Content Security Policy:
- extension_pages: script-src 'self' 'wasm-unsafe-eval'; object-src 'self'
Embedded URLs (2162 total):
| https://www.ledger.com/ | https://en.wikipedia.org/wiki/Remote_procedure_call | |
| https://links.ethers.org/v5-errors- | https://icp.coin.ledger.com/ | |
| https://apt.coin.ledger.com/node/v1 | https://apt.coin.ledger-stg.com/node/v1 | |
| https://apt.coin.ledger.com/node/v1/graphql | https://apt.coin.ledger-stg.com/node/v1/graphql | |
| https://casper.coin.ledger.com/indexer | https://casper.coin.ledger.com/node/ | |
| https://algorand.coin.ledger.com | https://celo.coin.ledger.com/indexer/ | |
| https://celo.coin.ledger.com/archive/ | https://filecoin.coin.ledger.com | |
| https://stacks.coin.ledger.com | https://polkadot.coin.ledger.com | |
| https://polkadot-sidecar.coin.ledger.com | https://polkadot-fullnodes.api.live.ledger.com | |
| https://elrond.coin.ledger.com | https://delegations-elrond.coin.ledger.com | |
| https://stellar.coin.ledger.com | https://tezos-bakers.api.live.ledger.com | |
| https://xtz-explorer.api.live.ledger.com/explorer | https://xtz-tzkt-explorer.api.live.ledger.com | |
| https://xtz-node.api.live.ledger.com | https://tron.coin.ledger.com | |
| https://solana.coin.ledger.com | https://earn.api.live.ledger.com/v0/network/solana/validator-details | |
| https://validators-solana.coin.ledger.com/api/v1/validators | https://hedera.coin.ledger.com | |
| https://vechain.coin.ledger.com | https://buy.api.live.ledger.com/buy/v1 | |
| https://cardano.coin.ledger.com/api | https://testnet-ledger.cardanoscan.io/api | |
| https://icon.coin.ledger.com/api/v3 | https://icon.coin.ledger.com/api/v3d | |
| https://icon.coin.ledger.com/api/v1 | https://berlin.net.solidwallet.io/api/v3 | |
| https://berlin.net.solidwallet.io/api/v3d | https://tracker.berlin.icon.community/api/v1 | |
| https://cryptoorg-rpc-indexer.coin.ledger.com | https://cronos-pos.org/explorer/croeseid4 | |
| https://cryptoorg-rpc-node.coin.ledger.com | https://rpc-testnet-croeseid-4.crypto.org | |
| https://explorers.api.live.ledger.com | https://explorers.api-01.live.ledger-stg.com | |
| https://countervalues.live.ledger.com | https://manager.api.live.ledger.com/api | |
| https://mapping-service.api.ledger.com | https://nft.api.live.ledger.com | |
| https://simplehash.api.live.ledger.com/api/v0 | https://swap.ledger.com/v5 | |
| https://cloud-sync-backend.api.aws.stg.ldg-tech.com | https://cloud-sync.api.live.ledger.com | |
| https://cdn.live.ledger.com/announcements | https://ledger.statuspage.io/api | |
| https://trustchain-backend.api.aws.stg.ldg-tech.com | https://trustchain.api.live.ledger.com | |
| https://live-app-catalog.ledger.com/api/v1/apps | https://cdn.live.ledger.com/platform/catalog/v1/data.json | |
| https://cdn.live.ledger-stg.com/platform/catalog/v1/data.json | https://cdn.live.ledger.com/platform/trade/v1/data.json | |
| https://cdn.live.ledger-stg.com/platform/trade/v1/data.json | https://proxycg.api.live.ledger.com/api/v3 | |
| https://cdn.live.ledger.com/cryptoassets | https://crypto-assets-service.api.ledger.com | |
| https://nft.api.live.ledger.com/v1/ethereum | https://cdn.live.ledger.com | |
| https://explorers.api.live.ledger.com/blockchain/v4/eth/ens/resolve/ | https://explorers.api.live.ledger.com/blockchain/v4/eth/ens/reverse-resolve/ | |
| https://nft.api.live.ledger.com/v1/names/ens/forward/ | https://nft.api.live.ledger.com/v1/names/ens/reverse/ | |
| https://github.com/emn178/js-sha3 | https://github.com/emscripten-core/emscripten/wiki/Linking | |
| https://api.takeads.com | https://raw.githubusercontent.com/madfish-solutions/templewallet-extension/development/public/misc/icon-128.png | |
| https://github.com/browserify/crypto-browserify | https://tinyurl.com/y2uuvskb | |
| http://bit.ly/2kdckMn | https://npms.io/search?q=ponyfill. |
Page 1 of 28
Raw Manifest
{ "name": "Temple Wallet", "icons": { "16": "misc/icon-16.png", "19": "misc/icon-19.png", "38": "misc/icon-38.png", "128": "misc/icon-128.png" }, "action": { "chrome_style": false, "default_icon": { "16": "misc/icon-16.png", "19": "misc/icon-19.png", "38": "misc/icon-38.png", "128": "misc/icon-128.png" }, "default_popup": "popup.html", "default_title": "Temple Wallet" }, "author": "https://madfish.solutions", "version": "2.0.27", "background": { "service_worker": "background/index.js" }, "options_ui": { "page": "options.html", "open_in_tab": true }, "short_name": "Temple Wallet", "side_panel": { "default_path": "sidebar.html" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Seamless and secure multichain wallet for Tezos & EVM blockchains.", "permissions": [ "storage", "unlimitedStorage", "clipboardWrite", "activeTab", "sidePanel" ], "homepage_url": "https://github.com/madfish-solutions/templewallet-extension", "options_page": "options.html", "default_locale": "en", "content_scripts": [ { "js": [ "scripts/main.js" ], "run_at": "document_start", "matches": [ "http://localhost/*", "http://127.0.0.1/*", "https://*/*" ], "all_frames": true }, { "js": [ "scripts/replaceAds.js", "scripts/replaceReferrals.js" ], "run_at": "document_start", "matches": [ "https://*/*", "http://*/*" ], "all_frames": false, "exclude_matches": [ "http://localhost/*" ] }, { "js": [ "scripts/inpage.js" ], "world": "MAIN", "run_at": "document_start", "matches": [ "http://*/*", "https://*/*" ], "all_frames": true }, { "js": [ "scripts/keepBackgroundWorkerAlive.js" ], "run_at": "document_start", "matches": [ "<all_urls>" ], "all_frames": true, "match_about_blank": true, "match_origin_as_fallback": true } ], "host_permissions": [ "http://localhost:8732/" ], "manifest_version": 3, "optional_permissions": [ "clipboardRead" ], "minimum_chrome_version": "110", "content_security_policy": { "extension_pages": "script-src 'self' 'wasm-unsafe-eval'; object-src 'self'" }, "web_accessible_resources": [ { "matches": [ "https://*/*", "http://*/*" ], "resources": [ "scripts/*.chunk.js", "scripts/*.embed.js", "fullpage.html", "misc/ad-banners/*", "iframes/ads-stack.html" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
Loading Secure Annex data...
Unable to load Secure Annex data.
This extension may not yet be analyzed by Secure Annex.
Detections
0Critical
0
High
0
Medium
0
Low
0
Has Verdicts
Yes
Manifest Findings
0Critical
0
High
0
Medium
0
Low
0
Secure Annex analyzed version: -