Extension Details
Context-Aware Verdict
The extension has a relatively small user base of 1,000 users and a modest rating of 3.3 out of 5 stars with only 6 reviews, indicating limited community validation. The lack of visible author and developer information raises transparency concerns, making it difficult to assess the publisher's credibility or track record.
The primary concern is the extension's use of Manifest Version 2, which provides fewer security protections compared to the newer Manifest V3 standard. While the permissions are appropriately scoped to development platforms (Visual Studio, GitHub, Gist, and Bitbucket), the older manifest version means the extension operates with less restrictive security boundaries. The limited user adoption and rating history suggest this extension hasn't been thoroughly vetted by a large community.
Consider running this extension in a separate Chrome profile dedicated to development work to isolate any potential risks from your main browsing activities. Look for alternative mermaid diagram extensions that have migrated to Manifest V3 for better security. If you must use this extension, monitor its behavior and consider removing it if you notice any unusual activity. Given the specific scope to development platforms, the risk is contained to those environments, but the older manifest version warrants caution.
Findings
Security Analysis Details
Required Permissions:
- https://*.visualstudio.com/*
- https://github.com/*
- https://gist.github.com/*
- https://bitbucket.org/*
Embedded URLs (21 total):
| https://clients2.google.com/service/update2/crx | https://github.com/Redisrupt/mermaid-diagrams | |
| https://github.com/ | https://gist.github.com/ | |
| https://bitbucket.org/ | http://www.w3.org/1999/xhtml | |
| http://www.w3.org/2000/svg | http://www.w3.org/1999/xlink | |
| http://www.w3.org/XML/1998/namespace | http://www.w3.org/2000/xmlns/ | |
| http://momentjs.com/guides/#/warnings/define-locale/ | http://momentjs.com/guides/#/warnings/js-date/ | |
| http://momentjs.com/guides/#/warnings/min-max/ | http://momentjs.com/guides/#/warnings/add-inverted-param/ | |
| http://momentjs.com/guides/#/warnings/zone/ | http://momentjs.com/guides/#/warnings/dst-shifted/ | |
| https://github.com/knsv/mermaid | https://github.com/kobezzza/Escaper | |
| https://github.com/kobezzza/Escaper/blob/master/LICENSE | http://www.w3.org/TR/SVG11/feature#Extensibility | |
| https://davidwalsh.name/detect-node-insertion. |
Raw Manifest
{ "name": "mermaid-diagrams", "icons": { "128": "icon.png" }, "version": "2.0.0", "update_url": "https://clients2.google.com/service/update2/crx", "description": "Enable `Mermaid diagrams` on github wiki and markdown files", "permissions": [ "https://*.visualstudio.com/*", "https://github.com/*", "https://gist.github.com/*", "https://bitbucket.org/*" ], "homepage_url": "https://github.com/Redisrupt/mermaid-diagrams", "content_scripts": [ { "js": [ "mermaid.min.js", "content.js" ], "css": [ "diagrams.css", "on_change_animation.css" ], "run_at": "document_start", "matches": [ "https://*.visualstudio.com/*", "https://github.com/*", "https://gist.github.com/*", "https://bitbucket.org/*" ] } ], "manifest_version": 2, "minimum_chrome_version": "56" }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.