Starting analysis...
Extension Details
Context-Aware Verdict
The extension has a moderate user base of 20,000 users and a decent rating of 4.1/5 from 52 reviews, which suggests some level of user satisfaction. However, the developer "Qrew LLC" lacks clear identification or established reputation information, making it difficult to assess trustworthiness. The extension appears to be a legitimate tool for AppSheet users, given its targeted host permissions for AppSheet-related domains.
The extension requests several powerful permissions that create significant security risks. The tabs permission allows manipulation of browser tabs and access to tab information, which could be exploited for malicious purposes. The scripting permission combined with declarativeNetRequest capabilities enables content modification and network request interception. While the host permissions are somewhat targeted to AppSheet domains, they still provide broad access across multiple sites including Google support pages. The storage permission, while common, allows persistent data collection.
Given the high-risk permissions and unclear developer reputation, consider running this extension in a separate Chrome profile to isolate potential security risks. Only install if you actively use AppSheet and require the specific functionality this toolbox provides. Regularly review the extension's behavior and remove it if you notice any suspicious activity. Monitor for updates and check if the developer provides clearer identification or security documentation. Consider alternative AppSheet tools with more transparent developers if available.
Findings
Security Analysis Details
Required Permissions:
- storage
- scripting
- declarativeNetRequest
- declarativeNetRequestWithHostAccess
- tabs
Host Permissions:
- https://www.appsheet.com/*
- https://support.google.com/appsheet/*
- https://appsheettraining.com/*
Embedded URLs (146 total):
| https://www.appsheet.com/template/Apps | https://appsheettraining.com | |
| https://acp-api.bubbleapps.io/version-test | https://appsheettraining.com/version-test | |
| https://help.appsheet.com/ | https://www.appsheet.com/ | |
| https://appsheettraining.com/profile | https://www.appsheet.com/api/loadApp/ | |
| https://appsheettraining.com/version-test/api/1.1/wf/ResetPasword | https://appsheettraining.com/api/1.1/wf/resetpassword | |
| https://jquery.com/ | https://sizzlejs.com/ | |
| https://jquery.org/license | https://github.com/whatwg/html/issues/2369 | |
| https://html.spec.whatwg.org/#nonce-attributes | https://js.foundation/ | |
| https://jsperf.com/thor-indexof-vs-for/5 | http://www.w3.org/TR/css3-selectors/#whitespace | |
| http://www.w3.org/TR/CSS21/syndata.html#value-def-identifier | http://www.w3.org/TR/selectors/#attribute-selectors | |
| http://www.w3.org/TR/CSS21/syndata.html#escaped-characters | https://drafts.csswg.org/cssom/#common-serializing-idioms | |
| https://html.spec.whatwg.org/multipage/scripting.html#selector-enabled | https://html.spec.whatwg.org/multipage/scripting.html#selector-disabled | |
| https://html.spec.whatwg.org/multipage/forms.html#category-listed | https://html.spec.whatwg.org/multipage/forms.html#concept-fe-disabled | |
| https://html.spec.whatwg.org/multipage/forms.html#concept-option-disabled | https://bugs.jquery.com/ticket/4833 | |
| https://bugs.jquery.com/ticket/13378 | https://bugs.jquery.com/ticket/12359 | |
| https://msdn.microsoft.com/en-us/library/ie/hh465388.aspx#attribute_section | http://www.w3.org/TR/2011/REC-css3-selectors-20110929/#checked | |
| https://bugs.webkit.org/show_bug.cgi?id=136851 | https://github.com/jquery/sizzle/pull/225 | |
| http://www.w3.org/TR/selectors/#pseudo-classes | http://www.w3.org/TR/selectors/#lang-pseudo | |
| http://www.w3.org/TR/selectors/#empty-pseudo | https://msdn.microsoft.com/en-us/library/ms536429%28VS.85%29.aspx | |
| https://promisesaplus.com/#point-59 | https://promisesaplus.com/#point-48 | |
| https://promisesaplus.com/#point-54 | https://promisesaplus.com/#point-75 | |
| https://promisesaplus.com/#point-64 | https://promisesaplus.com/#point-61 | |
| https://promisesaplus.com/#point-57 | https://bugs.chromium.org/p/chromium/issues/detail?id=378607 | |
| https://bugs.jquery.com/ticket/13393 | https://www.w3.org/TR/DOM-Level-3-Events/#event-type-click | |
| https://www.w3.org/TR/2003/WD-DOM-Level-3-Events-20030331/ecma-script-binding.html | https://bugs.chromium.org/p/chromium/issues/detail?id=470258 | |
| https://github.com/eslint/eslint/issues/3229 | https://connect.microsoft.com/IE/feedback/details/1736512/ | |
| https://jsperf.com/getall-vs-sizzle/2 | https://drafts.csswg.org/cssom/#resolved-values | |
| https://developer.mozilla.org/en-US/docs/CSS/display | https://web.archive.org/web/20100324014747/http://blindsignals.com/index.php/2009/07/jquery-delay/ | |
| https://html.spec.whatwg.org/multipage/syntax.html#attributes-2 | https://web.archive.org/web/20141116233347/http://fluidproject.org/blog/2008/01/09/getting-setting-and-removing-tabindex-values-with-javascript/ | |
| https://infra.spec.whatwg.org/#strip-and-collapse-ascii-whitespace | https://html.spec.whatwg.org/#strip-and-collapse-whitespace | |
| https://bugzilla.mozilla.org/show_bug.cgi?id=687787 | http://www.w3.org/TR/DOM-Level-3-Events/#events-focusevent-event-order | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=449857 | http://example.com:80x/ | |
| https://bugs.webkit.org/show_bug.cgi?id=137337 | https://bugs.webkit.org/show_bug.cgi?id=29084 | |
| https://bugs.chromium.org/p/chromium/issues/detail?id=589347 | https://github.com/jrburke/requirejs/wiki/Updating-existing-libraries#wiki-anon | |
| https://github.com/jquery/jquery/pull/557 | https://clients2.google.com/service/update2/crx | |
| https://support.google.com/appsheet/ | https://appsheettraining.com/ | |
| https://www.appsheet.com/template/ | http://fontawesome.io | |
| http://fontawesome.io/license | https://storage.googleapis.com/qrew_public_1/QREW_resources/AST-IconPBShaded.png | |
| https://appsheettraining.com/?src=qrewtools | https://appsheettraining.com/terms_of_service | |
| https://appsheettraining.com/privacy_policy | https://help.appsheet.com/en/ |
Raw Manifest
{ "name": "AppSheet Toolbox", "icons": { "16": "AST16.png", "48": "AST48.png", "128": "AST128.png" }, "action": { "default_icon": { "16": "AST16.png", "48": "AST48.png", "128": "AST128.png" }, "default_popup": "popup.html" }, "version": "4.0091", "background": { "service_worker": "background.js" }, "update_url": "https://clients2.google.com/service/update2/crx", "description": "Build Better AppSheet Apps", "permissions": [ "storage", "scripting", "declarativeNetRequest", "declarativeNetRequestWithHostAccess", "tabs" ], "content_scripts": [ { "js": [ "jquery-3.4.1.js", "content.js", "codemirror/lib/codemirror.js", "codemirror/mode/spreadsheet/spreadsheet.js", "codemirror/mode/spreadsheet/spreadsheet.js", "codemirror/addon/edit/matchbrackets.js", "codemirror/addon/edit/closebrackets.js", "codemirror/addon/hint/show-hint.js" ], "css": [ "mirrorMain.css", "codemirror/lib/codemirror.css", "codemirror/addon/hint/show-hint.css", "font-awesome.min.css" ], "matches": [ "https://www.appsheet.com/template/*" ] }, { "js": [ "help-frame.js" ], "matches": [ "https://support.google.com/appsheet/*" ], "all_frames": true } ], "host_permissions": [ "https://www.appsheet.com/*", "https://support.google.com/appsheet/*", "https://appsheettraining.com/*" ], "manifest_version": 3, "declarative_net_request": { "rule_resources": [ { "id": "ruleset", "path": "rules.json", "enabled": true } ] }, "web_accessible_resources": [ { "matches": [ "http://*/*", "https://*/*" ], "resources": [ "qrew-logo-hires.png", "codemirror/theme/*" ] } ] }
ⓘ CRXaminer has partnered with our friends at Secure Annex to provide additional findings unique to their platform.
Secure Annex also analyzes extensions from other browsers, IDEs, and can continuously monitor.
This extension may not yet be analyzed by Secure Annex.