Chrome Extension Security Analyzer | CRXcavator Alternative

CRXcavator is dead. Spin.AI charges $5,000/year. Now you can audit Chrome extensions for $0.20 each.

This actor downloads Chrome extension CRX files directly from Google's servers, extracts the manifest, analyzes every permission, and generates a comprehensive security risk assessment. No browser required. No manual work. Just paste extension IDs and get instant, actionable security intelligence.

Built for IT security teams, compliance officers, and anyone responsible for managing browser extensions across an organization.

Key Features

• Permission Risk Classification -- Every permission scored as CRITICAL (10), HIGH (7), MEDIUM (4), or LOW (1) with human-readable explanations of what each permission actually allows
• Manifest V2/V3 Detection -- Flags extensions still running deprecated Manifest V2, which has a weaker security model and is being phased out by Google
• Content Script Analysis -- Identifies which websites an extension injects code into, whether it targets all pages, and whether it runs at document_start (more invasive)
• CSP Evaluation -- Checks the extension's Content Security Policy for unsafe-eval and unsafe-inline directives that weaken security
• Overall Risk Scoring -- Computes a 0-100 risk score using a weighted algorithm that considers permissions, content scripts, manifest version, and CSP
• Batch Auditing -- Analyze up to 500 extensions in a single run with parallel processing
• Tracker Mode -- Generates compliance-ready summary reports with risk distribution, recommendations, and auto-generated insights
• Chrome Web Store Metadata -- Scrapes extension name, description, user count, rating, developer info, and category alongside the security analysis

Output Example

{
  "extensionId": "cjpalhdlnbpafiamejdnhcphjbkeiagm",
  "name": "uBlock Origin",
  "version": "1.57.2",
  "manifestVersion": 2,
  "overallRiskScore": 82,
  "riskLevel": "CRITICAL",
  "permissions": [
    {
      "permission": "<all_urls>",
      "riskLevel": "CRITICAL",
      "riskScore": 10,
      "description": "Can access ALL websites -- full read/write to every page you visit"
    },
    {
      "permission": "webRequest",
      "riskLevel": "HIGH",
      "riskScore": 7,
      "description": "Can observe all HTTP requests made by the browser"
    },
    {
      "permission": "webRequestBlocking",
      "riskLevel": "HIGH",
      "riskScore": 7,
      "description": "Can intercept and modify ALL HTTP requests and responses"
    }
  ],
  "riskFactors": [
    "Can read and modify ALL web traffic -- every website you visit",
    "Can intercept, block, and modify all HTTP requests and responses",
    "Uses deprecated Manifest V2 -- less secure permission model"
  ],
  "dataAccessScope": [
    "All website content (DOM, forms, text)",
    "All HTTP request/response data including headers and bodies"
  ],
  "contentScripts": [
    {
      "matches": ["http://*/*", "https://*/*"],
      "runAt": "document_start",
      "allFrames": true
    }
  ],
  "manifestV2Warning": true,
  "status": "success"
}

Note: uBlock Origin legitimately needs broad permissions for ad blocking. A high risk score does not mean an extension is malicious -- it means it has significant access that should be reviewed.

How to Use

1. Find Extension IDs -- Copy the 32-character ID from any Chrome Web Store URL. For example, in https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm, the ID is cjpalhdlnbpafiamejdnhcphjbkeiagm. You can also paste the full URL into extensionUrls.

2. Configure Your Audit -- Add extension IDs to the extensionIds array. Choose raw mode for individual reports or tracker mode for a compliance summary. Set riskThreshold to filter results.

3. Run the Actor -- Click Start and the actor will download each CRX file, extract the manifest, scrape Web Store metadata, and generate the risk assessment.

4. Export Results -- Download from the Dataset tab as JSON, CSV, or Excel. Use tracker mode output directly in security review presentations and compliance reports.

Integration Examples

Python SDK

from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

run = client.actor("nexgendata/chrome-extension-security-analyzer").call(
    run_input={
        "extensionIds": [
            "cjpalhdlnbpafiamejdnhcphjbkeiagm",  # uBlock Origin
            "gighmmpiobklfepjocnamgkkbiglidom",    # AdBlock
            "cfhdojbkjhnklbpkdaibdccddilifddb",    # Adblock Plus
        ],
        "outputMode": "tracker",
        "riskThreshold": "all",
    }
)

dataset = client.dataset(run["defaultDatasetId"]).list_items().items
for item in dataset:
    if item.get("type") == "tracker_summary":
        print(f"Risk Distribution: {item['riskDistributionPercent']}")
    else:
        print(f"{item['name']}: {item['riskLevel']} ({item['overallRiskScore']}/100)")

cURL

curl "https://api.apify.com/v2/acts/nexgendata~chrome-extension-security-analyzer/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{
    "extensionIds": ["cjpalhdlnbpafiamejdnhcphjbkeiagm"],
    "outputMode": "raw"
  }'

Use Cases

1. IT Security Audit

Audit every Chrome extension installed across your organization. Export the tracker mode report showing risk distribution, identify CRITICAL extensions, and generate removal recommendations for your security review board.

2. Compliance Review

Meet SOC 2, ISO 27001, and NIST requirements for software inventory and risk assessment. The compliance summary output includes audit dates, risk counts, and actionable findings ready for your compliance documentation.

3. Vendor Assessment

Before approving a vendor's Chrome extension for company-wide deployment, run a security audit. Check what permissions it requests, whether it injects content scripts broadly, and whether it uses deprecated Manifest V2.

4. Extension Development

If you develop Chrome extensions, use this tool to benchmark your permission footprint against competitors. Identify unnecessary permissions and reduce your risk score before publishing to the Web Store.

5. Browser Policy Enforcement

Generate data to inform Chrome browser policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist). Block CRITICAL-risk extensions and allow only LOW/MEDIUM risk extensions that have been reviewed.

6. Incident Response

When investigating a security incident, quickly audit all extensions a user had installed. Identify which extensions had the permissions necessary to exfiltrate data, intercept traffic, or communicate with external servers.

Frequently Asked Questions

Q: Does a high risk score mean the extension is malicious? No. Risk scores measure the breadth of permissions, not intent. Ad blockers like uBlock Origin legitimately need broad permissions. The score helps you prioritize which extensions to review manually.

Q: How does this compare to CRXcavator? CRXcavator was discontinued in 2023. This actor provides equivalent permission analysis, risk scoring, and content script evaluation. It adds Manifest V3 awareness, CSP analysis, and tracker mode for compliance reporting.

Q: Can I audit extensions not on the Chrome Web Store? Currently, this actor only supports extensions available through Google's CRX distribution servers. Sideloaded or enterprise-distributed extensions from other sources are not supported.

Q: How current is the analysis? Every run downloads the latest CRX file from Google's servers, so you always get the current published version. There is no caching -- each audit reflects the live extension.

Q: What is tracker mode? Tracker mode adds a summary record to the dataset with risk distribution percentages, the most common risky permissions, Manifest V2 warnings, content script scope analysis, and prioritized recommendations. It is designed for security reports and executive summaries.

Q: Can I integrate this with my SIEM or security tools? Yes. Use the Apify API or webhooks to trigger audits on a schedule and push results to Splunk, Elastic, or any tool that accepts JSON via API or webhook.

Pricing

Solution	Cost	Notes
Spin.AI	$5,000/year	Enterprise SaaS with minimum commitments
CRXcavator	Discontinued	No longer available
This Actor	$0.20/extension	Pay only for what you use

Audit 10 extensions: $2.25 (includes $0.25 start fee + $0.20 per extension). Audit 100 extensions: $20.25. Audit 1,000 extensions: $200.25.

No subscriptions. No minimums. No contracts.

Why Choose This Actor

1. Cost Effective -- At $0.20 per extension, you can audit your entire organization's browser extensions for less than the cost of a single Spin.AI monthly payment. Pay-per-use means zero waste.

2. No Infrastructure -- Runs on Apify's cloud. No servers to maintain, no Docker containers to manage, no dependencies to update. Just call the API and get results.

3. Compliance Ready -- Tracker mode generates structured output designed for SOC 2, ISO 27001, and NIST compliance documentation. Export as JSON or CSV and attach directly to audit reports.

4. Always Current -- Every run pulls the latest CRX from Google's servers. No stale databases, no cached results. You always audit the version your users are actually running.

Get Started

Run your first audit now with the prefilled uBlock Origin example, or paste your organization's extension list and get a full security assessment in minutes.

Need help integrating with your security workflow? Check the Apify documentation for webhook setup, scheduled runs, and API integration guides.

Sign up for Apify to get started with $5 in free credits every month.

💻 Code Example — Python

from apify_client import ApifyClient

client = ApifyClient("YOUR_APIFY_TOKEN")
run = client.actor("nexgendata/chrome-extension-security-analyzer").call(run_input={
    # Fill in the input shape from the actor's input_schema
})

for item in client.dataset(run["defaultDatasetId"]).iterate_items():
    print(item)

🌐 Code Example — cURL

curl -X POST "https://api.apify.com/v2/acts/nexgendata~chrome-extension-security-analyzer/run-sync-get-dataset-items?token=YOUR_TOKEN" \
  -H "Content-Type: application/json" \
  -d '{ /* input schema */ }'

❓ FAQ

Q: How do I get started? Sign up at apify.com, grab your API token from Settings → Integrations, and run the actor via the Apify console, API, Python SDK, or any integration (Zapier, Make.com, n8n).

Q: What's the typical cost per run? See the pricing section below. Most runs finish under $0.10 for typical batches.

Q: Is this actor maintained? Yes. NexGenData maintains 165+ Apify actors and ships updates regularly. Bug reports via the Apify console issues tab get responses within 24 hours.

Q: Can I use the output commercially? Yes — you own the output data. Check the target site's Terms of Service for any usage restrictions on the scraped content itself.

Q: How do I handle rate limits? Apify manages concurrency and retries automatically. For very large batches (10K+ items), run multiple smaller jobs in parallel instead of one mega-job for better reliability.

💰 Pricing

Pay-per-event pricing — you only pay for what you actually extract.

• Actor Start: $0.0001
• result: $0.0050

🔗 Related NexGenData Actors

• Hacker News Scraper
• Google Maps Lead Scraper
• SEC EDGAR Scraper

🚀 Apify Affiliate Program

New to Apify? Sign up with our referral link — you get free platform credits on signup, and you help fund the maintenance of this actor fleet.

📚 More From NexGenData

Explore the full catalog, tutorials, Gumroad data packs, and newsletter at thenextgennexus.com — the brand home for everything we ship.

• 📖 Tutorials & how-to guides
• 🗂️ Full actor catalog with usage examples
• 📦 Gumroad data packs (one-time purchases)
• 📬 Newsletter — monthly drops of new actors and revenue experiments

---

Built and maintained by NexGenData — 165+ actors covering scraping, enrichment, MCP servers, and automation. 🏠 Home: thenextgennexus.com

---

Why Chrome Extension Security Analyzer Beats CRXcavator, Spin.AI, ExtAnalysis & Manual Review

Feature	NexGenData Chrome Ext Security Analyzer	CRXcavator (Duo)	Spin.AI Risk Assessment	ExtAnalysis	Manual source review
Cost	$0.05 / extension, pay-per-result	Discontinued / archived	Plan-gated SaaS	Free (single-ext UI)	Free (slow, expertise gate)
Bulk analysis	Yes — list of extension IDs	One-at-a-time	Plan-gated	One-at-a-time	DIY
Risk score + permission breakdown	Yes — structured	Yes (legacy)	Yes	Limited	DIY
Permission categorization	Yes — host / API / sensitive	Yes	Yes	Yes	DIY
External-host / API-call detection	Yes	Yes	Yes	Limited	DIY
Code-quality signals (obfuscation, minified)	Yes	Limited	Yes	Limited	DIY
Bulk export	JSON / CSV / Excel	N/A (discontinued)	Plan-gated CSV	Manual copy	DIY
API access	Apify REST + SDKs	None	Plan-gated	None	None
Auth required	Apify token	N/A	Account + plan	None	None
Monthly minimum	None	N/A	$$	None	None

Most IT-security + SaaS-governance teams pick this actor instead of the discontinued CRXcavator because CRXcavator was retired by Duo / Cisco in 2022 and has no maintained replacement at its price point; this actor recreates the Chrome-extension risk-scoring workflow at $0.05 per extension with no contract. Cheaper than Spin.AI's per-seat plans for the bulk-analysis use case and a drop-in alternative to ExtAnalysis for teams that need an API + CSV pipeline, not a single-extension UI.

Related NexGenData Security + Domain-Intel Actors

Use case	Actor
DNS records lookup (DNS / MX / TXT / SPF)	dns-records-lookup
WHOIS replacement (cheaper than WhoisXMLAPI)	whois-replacement
IP geolocation replacement (MaxMind alt)	ip-geolocation-replacement
DMARC bulk auditor	dmarc-bulk-auditor
DNS propagation checker	dns-propagation-checker
Email RBL checker (blacklist lookup)	email-rbl-checker
Company tech-stack detector (BuiltWith alt)	company-tech-stack-detector
Wappalyzer replacement (tech-stack detection)	wappalyzer-replacement
WordPress plugin security scraper	wordpress-plugin-scraper

Browse the full NexGenData catalog of 260+ actors at https://apify.com/nexgendata?fpr=2ayu9b