Starting analysis...
Add to CRM for Freshworks: Free B2B Prospecting Integration
Version 5.2.5 View in Chrome Web Store
Extension Details
Context-Aware Verdict
The extension has very limited adoption with only 58 users and a perfect 5.0 rating, though the small sample size makes this rating less meaningful. The extension targets Freshworks CRM integration for B2B prospecting, which is a legitimate business use case. However, the lack of detailed developer information and minimal user base raises concerns about the extension's maturity and trustworthiness.
The extension requests extremely broad permissions that far exceed what's necessary for basic CRM integration. The tabs permission allows manipulation of all browser tabs, not just the active one, which is excessive for a prospecting tool. Host permissions span multiple sensitive platforms including LinkedIn, Gmail, and Outlook, creating significant attack surface. The inclusion of localhost permissions suggests development/testing code may still be present in the production version. Content scripts can inject code across all these sensitive domains, potentially intercepting confidential business communications and contact data.
Given the high risk level, run this extension in a separate Chrome profile dedicated to prospecting activities only. Avoid using this profile for sensitive business communications or accessing confidential information. Consider using established CRM tools with better security track records and larger user bases. If you must use this extension, regularly audit what data it's accessing and storing, and remove it immediately after use rather than keeping it permanently installed.
Findings
Security Analysis Details
Required Permissions:
- storage
- activeTab
- tabs
- sidePanel
Host Permissions:
- https://www.linkedin.com/*
- https://mail.google.com/*
- https://outlook.office.com/*
- https://outlook.office365.com/*
- https://outlook.live.com/*
- https://addtocrm.com/*
- https://api.addtocrm.com/*
- http://localhost:8080/*
- http://localhost:3000/*
Content Security Policy:
- extension_pages: script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.addtocrm.com https://addtocrm.com http://localhost:8080 http://localhost:3000;
Embedded URLs (27 total):
| https://addtocrm.com | https://www.addtocrm.com | |
| https://app.addtocrm.com | https://react.dev/errors/ | |
| http://www.w3.org/2000/svg | http://www.w3.org/1998/Math/MathML | |
| http://www.w3.org/1999/xlink | http://www.w3.org/XML/1998/namespace | |
| https://company.com | https://www.linkedin.com/in/philmcp | |
| https://addtocrm.com/contact | https://api.addtocrm.com | |
| https://www.linkedin.com/in/ | https://linkedin.com/in/ | |
| https://www.linkedin.com/company/ | https://linkedin.com/company/ | |
| https://www.linkedin.com | https://linkedin.com | |
| https://clients2.google.com/service/update2/crx | https://www.linkedin.com/ | |
| https://mail.google.com/ | https://outlook.office.com/ | |
| https://outlook.office365.com/ | https://outlook.live.com/ | |
| https://addtocrm.com/ | https://api.addtocrm.com/ | |
| https://crminputs.com |
Raw Manifest
{ "name": "Add to CRM for Freshworks: Free B2B Prospecting Integration", "icons": { "16": "img/icon/default16.png", "48": "img/icon/default48.png", "128": "img/icon/default128.png" }, "action": { "default_popup": "popup.html", "default_title": "Add to CRM for Freshworks: Free B2B Prospecting Integration", "default_width": 320, "default_height": 700 }, "author": { "url": "https://crminputs.com", "name": "Add to CRM", "email": "phil@crminputs.com" }, "version": "5.2.5", "background": { "type": "module", "service_worker": "background.bundle.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Find verified contact info for your prospects on professional social networks and add them to your Freshworks with 1-click.", "permissions": [ "storage", "activeTab", "tabs", "sidePanel" ], "content_scripts": [ { "js": [ "contentScripts.bundle.js" ], "run_at": "document_idle", "matches": [ "*://mail.google.com/*", "*://gmail.com/*", "*://outlook.office.com/*", "*://outlook.office365.com/*", "*://outlook.live.com/*", "*://www.linkedin.com/*", "*://addtocrm.com/*", "*://api.addtocrm.com/*" ] }, { "js": [ "appBridge.bundle.js" ], "run_at": "document_idle", "matches": [ "https://addtocrm.com/*", "https://*.addtocrm.com/*", "http://localhost:3000/*" ] } ], "host_permissions": [ "https://www.linkedin.com/*", "https://mail.google.com/*", "https://outlook.office.com/*", "https://outlook.office365.com/*", "https://outlook.live.com/*", "https://addtocrm.com/*", "https://api.addtocrm.com/*", "http://localhost:8080/*", "http://localhost:3000/*" ], "manifest_version": 3, "content_security_policy": { "extension_pages": "script-src 'self'; object-src 'self'; style-src 'self' 'unsafe-inline'; connect-src 'self' https://api.addtocrm.com https://addtocrm.com http://localhost:8080 http://localhost:3000;" }, "web_accessible_resources": [ { "matches": [ "https://www.linkedin.com/*", "https://mail.google.com/*", "https://outlook.office.com/*", "https://outlook.office365.com/*", "https://outlook.live.com/*", "https://addtocrm.com/*", "https://api.addtocrm.com/*", "http://localhost:8080/*", "http://localhost:3000/*" ], "resources": [ "contentScripts.css", "assets/*", "img/icon2.png" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.