🛡️ Chrome Extension Security Analyzer - Permission Audit
Pricing
Pay per usage
Audit Chrome extensions for security risks. Downloads CRX files, analyzes permissions (CRITICAL/HIGH/MEDIUM/LOW), checks Manifest V2/V3, evaluates CSP and content scripts. Risk scores for SOC 2 and ISO 27001 compliance. CRXcavator is dead; this does the same job for $0.20/extension.
Developer
Stephan Corbeil
Chrome Extension Security Analyzer | CRXcavator Alternative
CRXcavator is dead. Spin.AI charges $5,000/year. Now you can audit Chrome extensions for $0.20 each.
This actor downloads Chrome extension CRX files directly from Google's servers, extracts the manifest, analyzes every permission, and generates a comprehensive security risk assessment. No browser required. No manual work. Just paste extension IDs and get instant, actionable security intelligence.
Built for IT security teams, compliance officers, and anyone responsible for managing browser extensions across an organization.
Key Features
- Permission Risk Classification -- Every permission scored as CRITICAL (10), HIGH (7), MEDIUM (4), or LOW (1) with human-readable explanations of what each permission actually allows
- Manifest V2/V3 Detection -- Flags extensions still running deprecated Manifest V2, which has a weaker security model and is being phased out by Google
- Content Script Analysis -- Identifies which websites an extension injects code into, whether it targets all pages, and whether it runs at document_start (more invasive)
- CSP Evaluation -- Checks the extension's Content Security Policy for unsafe-eval and unsafe-inline directives that weaken security
- Overall Risk Scoring -- Computes a 0-100 risk score using a weighted algorithm that considers permissions, content scripts, manifest version, and CSP
- Batch Auditing -- Analyze up to 500 extensions in a single run with parallel processing
- Tracker Mode -- Generates compliance-ready summary reports with risk distribution, recommendations, and auto-generated insights
- Chrome Web Store Metadata -- Scrapes extension name, description, user count, rating, developer info, and category alongside the security analysis
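To make the checks in the feature list concrete, here is an added example (not the actor's own code) that applies the same classification to a manifest.json: per-permission tiers, Manifest V2 detection, CSP directive checks, and content-script scope. The permission table, the regex for all-sites host patterns, and the aggregation weights are assumptions; the actor's own weighting is not published on this page.

```python
import json
import re

# Assumed classification table: the page defines the four tiers and their
# scores but not the full permission map, so this subset is illustrative.
PERMISSION_RISK = {"debugger": ("CRITICAL", 10), "webRequestBlocking": ("HIGH", 7),
                   "webRequest": ("HIGH", 7), "tabs": ("MEDIUM", 4), "storage": ("LOW", 1)}
# Host patterns that grant access to every site count as CRITICAL.
ALL_SITES = re.compile(r"^(<all_urls>|\*://\*/\*|https?://\*/\*)$")

def classify_permission(perm):
    if ALL_SITES.match(perm):
        return ("CRITICAL", 10)
    return PERMISSION_RISK.get(perm, ("LOW", 1))  # unknown names default to LOW

def analyze_manifest(manifest_text):
    m = json.loads(manifest_text)
    perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    scored = [(p, *classify_permission(p)) for p in perms]
    factors = []
    if m.get("manifest_version", 2) < 3:
        factors.append("Uses deprecated Manifest V2")
    # MV3 nests the CSP under content_security_policy.extension_pages
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):
        csp = csp.get("extension_pages", "")
    for bad in ("'unsafe-eval'", "'unsafe-inline'"):
        if bad in csp:
            factors.append(f"CSP allows {bad}")
    for cs in m.get("content_scripts", []):
        if any(ALL_SITES.match(x) for x in cs.get("matches", [])):
            factors.append("Content script injected into all sites")
        if cs.get("run_at") == "document_start":
            factors.append("Content script runs at document_start")
    # Assumed aggregation (the actor's weighting is not published): the highest
    # permission score sets the base, each extra factor adds 5, clamped to 100.
    base = max((s for _, _, s in scored), default=0) * 6
    score = min(100, base + 5 * len(factors))
    level = "CRITICAL" if score >= 80 else "HIGH" if score >= 60 else "MEDIUM" if score >= 30 else "LOW"
    return {"overallRiskScore": score, "riskLevel": level,
            "permissions": scored, "riskFactors": factors}

# Constructed MV2 manifest resembling a broad-permission ad blocker.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 2,
    "permissions": ["<all_urls>", "webRequest", "webRequestBlocking", "storage"],
    "content_security_policy": "script-src 'self' 'unsafe-eval'; object-src 'self'",
    "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
                         "run_at": "document_start", "all_frames": True}],
})
```

Running `analyze_manifest(SAMPLE_MANIFEST)` yields four risk factors and a CRITICAL score, much like the uBlock Origin output shown below; as the page notes, that signals breadth of access to review, not malice.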
Output Example
```json
{
  "extensionId": "cjpalhdlnbpafiamejdnhcphjbkeiagm",
  "name": "uBlock Origin",
  "version": "1.57.2",
  "manifestVersion": 2,
  "overallRiskScore": 82,
  "riskLevel": "CRITICAL",
  "permissions": [
    {
      "permission": "<all_urls>",
      "riskLevel": "CRITICAL",
      "riskScore": 10,
      "description": "Can access ALL websites -- full read/write to every page you visit"
    },
    {
      "permission": "webRequest",
      "riskLevel": "HIGH",
      "riskScore": 7,
      "description": "Can observe all HTTP requests made by the browser"
    },
    {
      "permission": "webRequestBlocking",
      "riskLevel": "HIGH",
      "riskScore": 7,
      "description": "Can intercept and modify ALL HTTP requests and responses"
    }
  ],
  "riskFactors": [
    "Can read and modify ALL web traffic -- every website you visit",
    "Can intercept, block, and modify all HTTP requests and responses",
    "Uses deprecated Manifest V2 -- less secure permission model"
  ],
  "dataAccessScope": [
    "All website content (DOM, forms, text)",
    "All HTTP request/response data including headers and bodies"
  ],
  "contentScripts": [
    {
      "matches": ["http://*/*", "https://*/*"],
      "runAt": "document_start",
      "allFrames": true
    }
  ],
  "manifestV2Warning": true,
  "status": "success"
}
```
Note: uBlock Origin legitimately needs broad permissions for ad blocking. A high risk score does not mean an extension is malicious -- it means it has significant access that should be reviewed.
How to Use
1. Find Extension IDs -- Copy the 32-character ID from any Chrome Web Store URL. For example, in https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm, the ID is `cjpalhdlnbpafiamejdnhcphjbkeiagm`. You can also paste the full URL into `extensionUrls`.
2. Configure Your Audit -- Add extension IDs to the `extensionIds` array. Choose `raw` mode for individual reports or `tracker` mode for a compliance summary. Set `riskThreshold` to filter results.
3. Run the Actor -- Click Start and the actor will download each CRX file, extract the manifest, scrape Web Store metadata, and generate the risk assessment.
4. Export Results -- Download from the Dataset tab as JSON, CSV, or Excel. Use tracker mode output directly in security review presentations and compliance reports.
Integration Examples
Python SDK
```python
from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

run = client.actor("nexgendata/chrome-extension-security-analyzer").call(run_input={
    "extensionIds": [
        "cjpalhdlnbpafiamejdnhcphjbkeiagm",  # uBlock Origin
        "gighmmpiobklfepjocnamgkkbiglidom",  # AdBlock
        "cfhdojbkjhnklbpkdaibdccddilifddb",  # Adblock Plus
    ],
    "outputMode": "tracker",
    "riskThreshold": "all",
})

dataset = client.dataset(run["defaultDatasetId"]).list_items().items
for item in dataset:
    if item.get("type") == "tracker_summary":
        print(f"Risk Distribution: {item['riskDistributionPercent']}")
    else:
        print(f"{item['name']}: {item['riskLevel']} ({item['overallRiskScore']}/100)")
```
cURL
```bash
curl "https://api.apify.com/v2/acts/nexgendata~chrome-extension-security-analyzer/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{"extensionIds": ["cjpalhdlnbpafiamejdnhcphjbkeiagm"], "outputMode": "raw"}'
```
Use Cases
1. IT Security Audit
Audit every Chrome extension installed across your organization. Export the tracker mode report showing risk distribution, identify CRITICAL extensions, and generate removal recommendations for your security review board.
2. Compliance Review
Meet SOC 2, ISO 27001, and NIST requirements for software inventory and risk assessment. The compliance summary output includes audit dates, risk counts, and actionable findings ready for your compliance documentation.
3. Vendor Assessment
Before approving a vendor's Chrome extension for company-wide deployment, run a security audit. Check what permissions it requests, whether it injects content scripts broadly, and whether it uses deprecated Manifest V2.
4. Extension Development
If you develop Chrome extensions, use this tool to benchmark your permission footprint against competitors. Identify unnecessary permissions and reduce your risk score before publishing to the Web Store.
5. Browser Policy Enforcement
Generate data to inform Chrome browser policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist). Block CRITICAL-risk extensions and allow only LOW/MEDIUM risk extensions that have been reviewed.
6. Incident Response
When investigating a security incident, quickly audit all extensions a user had installed. Identify which extensions had the permissions necessary to exfiltrate data, intercept traffic, or communicate with external servers.
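For the Browser Policy Enforcement use case above, here is an added example (not part of the actor) that turns dataset items in the output shape shown earlier into Chrome `ExtensionInstallBlocklist` / `ExtensionInstallAllowlist` values: CRITICAL goes to the blocklist, reviewed LOW/MEDIUM to the allowlist, and everything else is queued for manual review. The dataset items, the `reviewed_ids` set and the `default_deny` switch are constructed for illustration; the `"*"` wildcard is Chrome's real block-everything-not-allowlisted entry.

```python
import json
import re

EXT_ID = re.compile(r"^[a-p]{32}$")  # Chrome extension IDs: 32 chars, letters a-p only

def build_policy(items, reviewed_ids, default_deny=False):
    """Map actor dataset items to Chrome ExtensionInstall* policy lists.

    CRITICAL -> blocklist; LOW/MEDIUM -> allowlist only if already reviewed;
    HIGH and unreviewed LOW/MEDIUM are returned for manual review.
    With default_deny the blocklist is "*", so only allowlisted IDs install.
    """
    block, allow, review, skipped = [], [], [], []
    for it in items:
        if it.get("type") == "tracker_summary" or it.get("status") != "success":
            continue  # summary record or failed audit: nothing to enforce
        ext = it["extensionId"]
        if not EXT_ID.match(ext):
            skipped.append(ext)  # malformed ID would never match in a policy
            continue
        lvl = it["riskLevel"]
        if lvl == "CRITICAL":
            block.append(ext)
        elif lvl in ("LOW", "MEDIUM") and ext in reviewed_ids:
            allow.append(ext)
        else:
            review.append(ext)
    policy = {"ExtensionInstallBlocklist": ["*"] if default_deny else sorted(block),
              "ExtensionInstallAllowlist": sorted(allow)}
    return policy, sorted(review), skipped

# Constructed dataset items in the actor's output shape (not real audit results).
ITEMS = [
    {"type": "tracker_summary", "riskDistributionPercent": {"CRITICAL": 33}},
    {"extensionId": "cjpalhdlnbpafiamejdnhcphjbkeiagm", "name": "uBlock Origin",
     "riskLevel": "CRITICAL", "overallRiskScore": 82, "status": "success"},
    {"extensionId": "abcdefghijklmnopabcdefghijklmnop", "name": "Example A",
     "riskLevel": "LOW", "overallRiskScore": 12, "status": "success"},
    {"extensionId": "ppppppppppppppppaaaaaaaaaaaaaaaa", "name": "Example B",
     "riskLevel": "HIGH", "overallRiskScore": 65, "status": "success"},
    {"extensionId": "not-a-valid-id", "name": "Broken", "riskLevel": "LOW",
     "overallRiskScore": 5, "status": "success"},
]

if __name__ == "__main__":
    pol, todo, bad = build_policy(ITEMS, reviewed_ids={"abcdefghijklmnopabcdefghijklmnop"})
    print(json.dumps(pol, indent=2))  # drop into a managed policy file, e.g.
    print("needs review:", todo)      # /etc/opt/chrome/policies/managed/ on Linux
    print("skipped:", bad)
```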
Frequently Asked Questions
Q: Does a high risk score mean the extension is malicious? No. Risk scores measure the breadth of permissions, not intent. Ad blockers like uBlock Origin legitimately need broad permissions. The score helps you prioritize which extensions to review manually.
Q: How does this compare to CRXcavator? CRXcavator was discontinued in 2023. This actor provides equivalent permission analysis, risk scoring, and content script evaluation. It adds Manifest V3 awareness, CSP analysis, and tracker mode for compliance reporting.
Q: Can I audit extensions not on the Chrome Web Store? Currently, this actor only supports extensions available through Google's CRX distribution servers. Sideloaded or enterprise-distributed extensions from other sources are not supported.
Q: How current is the analysis? Every run downloads the latest CRX file from Google's servers, so you always get the current published version. There is no caching -- each audit reflects the live extension.
Q: What is tracker mode? Tracker mode adds a summary record to the dataset with risk distribution percentages, the most common risky permissions, Manifest V2 warnings, content script scope analysis, and prioritized recommendations. It is designed for security reports and executive summaries.
Q: Can I integrate this with my SIEM or security tools? Yes. Use the Apify API or webhooks to trigger audits on a schedule and push results to Splunk, Elastic, or any tool that accepts JSON via API or webhook.
Pricing
| Solution | Cost | Notes |
|---|---|---|
| Spin.AI | $5,000/year | Enterprise SaaS with minimum commitments |
| CRXcavator | Discontinued | No longer available |
| This Actor | $0.20/extension | Pay only for what you use |
Audit 10 extensions: $2.25 (includes $0.25 start fee + $0.20 per extension). Audit 100 extensions: $20.25. Audit 1,000 extensions: $200.25.
No subscriptions. No minimums. No contracts.
Why Choose This Actor
- Cost Effective -- At $0.20 per extension, you can audit your entire organization's browser extensions for less than the cost of a single Spin.AI monthly payment. Pay-per-use means zero waste.
- No Infrastructure -- Runs on Apify's cloud. No servers to maintain, no Docker containers to manage, no dependencies to update. Just call the API and get results.
- Compliance Ready -- Tracker mode generates structured output designed for SOC 2, ISO 27001, and NIST compliance documentation. Export as JSON or CSV and attach directly to audit reports.
- Always Current -- Every run pulls the latest CRX from Google's servers. No stale databases, no cached results. You always audit the version your users are actually running.
Get Started
Run your first audit now with the prefilled uBlock Origin example, or paste your organization's extension list and get a full security assessment in minutes.
Need help integrating with your security workflow? Check the Apify documentation for webhook setup, scheduled runs, and API integration guides.
Sign up for Apify to get started with $5 in free credits every month.