Clippings.io for Amazon Kindle Highlights
Version 4.0.7 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has a solid user base of 10,000 users with a strong 4.5-star rating from 453 reviews, indicating positive user experiences. The developer identity "clippings.io" aligns with the extension's purpose, suggesting legitimate ownership. The extension uses Manifest V3, which provides better security controls than older versions.
The primary concern is the broad host permissions that extend beyond what's necessary for the stated functionality. While access to Amazon Kindle domains (read.amazon.com, read.amazon.co.jp) is justified for extracting highlights, the extension also requests access to ext.clippings.io and localhost:8080, which could potentially be exploited. The storage permission allows data retention, which raises questions about what highlight data is stored and how it's handled. Content script injection across multiple domains creates additional attack surface.
This extension appears legitimate for its intended purpose but requires careful consideration. Install only if you actively use Amazon Kindle and need highlight management functionality. Consider running it in a separate Chrome profile to isolate it from sensitive browsing activities. Review the extension's privacy policy to understand data handling practices. Monitor for any unusual behavior or requests for additional permissions in future updates. The medium risk level suggests cautious use rather than complete avoidance.
Findings
Security Analysis Details
Required Permissions:
- storage
- activeTab
Host Permissions:
- https://read.amazon.com/*
- https://read.amazon.co.jp/*
- https://ext.clippings.io/*
Embedded URLs (83 total):
| https://read.amazon.com/ | https://read.amazon.co.jp/ | |
| https://clients2.google.com/service/update2/crx | https://my.clippings.io/ | |
| https://ext.clippings.io/ | https://reactjs.org/docs/error-decoder.html?invariant= | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xhtml | http://www.example.com | |
| http://dogs.are.great | https://sentry.io/welcome/ | |
| https://0aa6de8f2f034b73a6b51ae8c801d54f@o447534.ingest.sentry.io/5427512 | http://jedwatson.github.io/classnames | |
| https://fb.me/react-async-component-lifecycle-hooks | http://fb.me/use-check-prop-types | |
| https://circumicons.com/ | https://github.com/Klarr-Agency/Circum-Icons/blob/main/LICENSE | |
| https://fontawesome.com/ | https://creativecommons.org/licenses/by/4.0/ | |
| https://ionicons.com/ | https://github.com/ionic-team/ionicons/blob/master/LICENSE | |
| http://google.github.io/material-design-icons/ | https://github.com/google/material-design-icons/blob/master/LICENSE | |
| http://s-ings.com/typicons/ | https://creativecommons.org/licenses/by-sa/3.0/ | |
| https://octicons.github.com/ | https://github.com/primer/octicons/blob/master/LICENSE | |
| https://feathericons.com/ | https://github.com/feathericons/feather/blob/master/LICENSE | |
| https://lucide.dev/ | https://github.com/lucide-icons/lucide/blob/main/LICENSE | |
| https://game-icons.net/ | https://creativecommons.org/licenses/by/3.0/ | |
| https://erikflowers.github.io/weather-icons/ | http://scripts.sil.org/OFL | |
| https://vorillaz.github.io/devicons/ | https://opensource.org/licenses/MIT | |
| https://github.com/ant-design/ant-design-icons | https://github.com/twbs/icons | |
| https://github.com/Remix-Design/RemixIcon | http://www.apache.org/licenses/ | |
| https://github.com/icons8/flat-color-icons | https://github.com/grommet/grommet-icons | |
| https://github.com/tailwindlabs/heroicons | https://simpleicons.org/ | |
| https://creativecommons.org/publicdomain/zero/1.0/ | https://thesabbir.github.io/simple-line-icons/ | |
| https://github.com/Keyamoon/IcoMoon-Free | https://github.com/Keyamoon/IcoMoon-Free/blob/master/License.txt | |
| https://github.com/atisawd/boxicons | https://github.com/atisawd/boxicons/blob/master/LICENSE | |
| https://github.com/astrit/css.gg | https://github.com/microsoft/vscode-codicons | |
| https://github.com/tabler/tabler-icons | https://github.com/lykmapipo/themify-icons | |
| https://github.com/thecreation/standard-icons/blob/master/modules/themify-icons/LICENSE | https://icons.radix-ui.com | |
| https://github.com/radix-ui/icons/blob/master/LICENSE | https://github.com/phosphor-icons/core | |
| https://github.com/phosphor-icons/core/blob/main/LICENSE | https://icons8.com/line-awesome | |
| https://github.com/icons8/line-awesome/blob/master/LICENSE.md | https://my.clippings.io | |
| https://ext.clippings.io | https://read.amazon.co.jp | |
| https://read.amazon.com | https://docs.clippings.io/importing/importing-using-the-chrome-extension | |
| https://mui.com/r/caveat-with-refs-guide | https://mui.com/production-error/?code= | |
| https://bugs.webkit.org/show_bug.cgi?id=68196 | http://mui.com/components/data-grid/pagination/#basic-implementation | |
| http://mui.com/components/data-grid/editing/#server-side-persistence. | https://mui.com/r/x-data-grid-no-dimensions. | |
| https://read.amazon. | http://stuartk.com/jszip | |
| https://raw.github.com/Stuk/jszip/main/LICENSE.markdown. | https://github.com/nodeca/pako/blob/main/LICENSE |
Raw Manifest
{ "name": "Clippings.io for Amazon Kindle Highlights", "icons": { "16": "icon16.plasmo.6c567d50.png", "32": "icon32.plasmo.76b92899.png", "48": "icon48.plasmo.aced7582.png", "64": "icon64.plasmo.8bb5e6e0.png", "128": "icon128.plasmo.3c1ed2d2.png" }, "action": { "default_icon": { "16": "icon16.plasmo.6c567d50.png", "32": "icon32.plasmo.76b92899.png", "48": "icon48.plasmo.aced7582.png", "64": "icon64.plasmo.8bb5e6e0.png", "128": "icon128.plasmo.3c1ed2d2.png" }, "default_popup": "popup.html" }, "author": "Clippings.io", "version": "4.0.7", "background": { "service_worker": "static/background/index.js" }, "options_ui": { "page": "options.html", "open_in_tab": true }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Export your Amazon Kindle Highlights to your favorite integrations or download to multiple file formats.", "permissions": [ "storage", "activeTab" ], "default_locale": "en", "content_scripts": [ { "js": [ "amazon-contentscript.3c72db48.js" ], "css": [ "amazon-contentscript.a9ac59c0.css" ], "matches": [ "https://read.amazon.com/*", "https://read.amazon.co.jp/*" ] }, { "js": [ "messaging-contentscript.4585ae59.js" ], "css": [], "matches": [ "https://my.clippings.io/*", "http://localhost:8080/*" ] } ], "host_permissions": [ "https://read.amazon.com/*", "https://read.amazon.co.jp/*", "https://ext.clippings.io/*" ], "manifest_version": 3, "externally_connectable": { "matches": [ "*://*.clippings.io/*", "*://localhost/*" ] }, "web_accessible_resources": [ { "matches": [ "<all_urls>", "https://read.amazon.com/*", "https://read.amazon.co.jp/*" ], "resources": [ "assets/images/*.svg" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.