# 🛡️ Chrome Extension Security Analyzer - Permission Audit (`nexgendata/chrome-extension-security-analyzer`) Actor Audit Chrome extensions for security risks. Downloads CRX files, analyzes permissions (CRITICAL/HIGH/MEDIUM/LOW), checks Manifest V2/V3, evaluates CSP & content scripts. Risk scores for SOC 2 & ISO 27001 compliance. CRXcavator is dead — same job for $0.20/extension. - **URL**: https://apify.com/nexgendata/chrome-extension-security-analyzer.md - **Developed by:** [Stephan Corbeil](https://apify.com/nexgendata) (community) - **Categories:** Developer tools, Automation - **Stats:** 2 total users, 1 monthly users, 100.0% runs succeeded, NaN bookmarks - **User rating**: No ratings yet ## Pricing Pay per usage This Actor is paid per platform usage. The Actor is free to use, and you only pay for the Apify platform usage, which gets cheaper the higher subscription plan you have. Learn more: https://docs.apify.com/platform/actors/running/actors-in-store#pay-per-usage ## What's an Apify Actor? Actors are a software tools running on the Apify platform, for all kinds of web data extraction and automation use cases. In Batch mode, an Actor accepts a well-defined JSON input, performs an action which can take anything from a few seconds to a few hours, and optionally produces a well-defined JSON output, datasets with results, or files in key-value store. In Standby mode, an Actor provides a web server which can be used as a website, API, or an MCP server. Actors are written with capital "A". ## How to integrate an Actor? If asked about integration, you help developers integrate Actors into their projects. You adapt to their stack and deliver integrations that are safe, well-documented, and production-ready. The best way to integrate Actors is as follows. In JavaScript/TypeScript projects, use official [JavaScript/TypeScript client](https://docs.apify.com/api/client/js.md): ```bash npm install apify-client ``` In Python projects, use official [Python client library](https://docs.apify.com/api/client/python.md): ```bash pip install apify-client ``` In shell scripts, use [Apify CLI](https://docs.apify.com/cli/docs.md): ````bash # MacOS / Linux curl -fsSL https://apify.com/install-cli.sh | bash # Windows irm https://apify.com/install-cli.ps1 | iex ```bash In AI frameworks, you might use the [Apify MCP server](https://docs.apify.com/platform/integrations/mcp.md). If your project is in a different language, use the [REST API](https://docs.apify.com/api/v2.md). For usage examples, see the [API](#api) section below. For more details, see Apify documentation as [Markdown index](https://docs.apify.com/llms.txt) and [Markdown full-text](https://docs.apify.com/llms-full.txt). # README ## Chrome Extension Security Analyzer | CRXcavator Alternative CRXcavator is dead. Spin.AI charges $5,000/year. Now you can audit Chrome extensions for $0.20 each. This actor downloads Chrome extension CRX files directly from Google's servers, extracts the manifest, analyzes every permission, and generates a comprehensive security risk assessment. No browser required. No manual work. Just paste extension IDs and get instant, actionable security intelligence. Built for IT security teams, compliance officers, and anyone responsible for managing browser extensions across an organization. ### Key Features - **Permission Risk Classification** -- Every permission scored as CRITICAL (10), HIGH (7), MEDIUM (4), or LOW (1) with human-readable explanations of what each permission actually allows - **Manifest V2/V3 Detection** -- Flags extensions still running deprecated Manifest V2, which has a weaker security model and is being phased out by Google - **Content Script Analysis** -- Identifies which websites an extension injects code into, whether it targets all pages, and whether it runs at document_start (more invasive) - **CSP Evaluation** -- Checks the extension's Content Security Policy for unsafe-eval and unsafe-inline directives that weaken security - **Overall Risk Scoring** -- Computes a 0-100 risk score using a weighted algorithm that considers permissions, content scripts, manifest version, and CSP - **Batch Auditing** -- Analyze up to 500 extensions in a single run with parallel processing - **Tracker Mode** -- Generates compliance-ready summary reports with risk distribution, recommendations, and auto-generated insights - **Chrome Web Store Metadata** -- Scrapes extension name, description, user count, rating, developer info, and category alongside the security analysis ### Output Example ```json { "extensionId": "cjpalhdlnbpafiamejdnhcphjbkeiagm", "name": "uBlock Origin", "version": "1.57.2", "manifestVersion": 2, "overallRiskScore": 82, "riskLevel": "CRITICAL", "permissions": [ { "permission": "", "riskLevel": "CRITICAL", "riskScore": 10, "description": "Can access ALL websites -- full read/write to every page you visit" }, { "permission": "webRequest", "riskLevel": "HIGH", "riskScore": 7, "description": "Can observe all HTTP requests made by the browser" }, { "permission": "webRequestBlocking", "riskLevel": "HIGH", "riskScore": 7, "description": "Can intercept and modify ALL HTTP requests and responses" } ], "riskFactors": [ "Can read and modify ALL web traffic -- every website you visit", "Can intercept, block, and modify all HTTP requests and responses", "Uses deprecated Manifest V2 -- less secure permission model" ], "dataAccessScope": [ "All website content (DOM, forms, text)", "All HTTP request/response data including headers and bodies" ], "contentScripts": [ { "matches": ["http://*/*", "https://*/*"], "runAt": "document_start", "allFrames": true } ], "manifestV2Warning": true, "status": "success" } ```` Note: uBlock Origin legitimately needs broad permissions for ad blocking. A high risk score does not mean an extension is malicious -- it means it has significant access that should be reviewed. ### How to Use 1. **Find Extension IDs** -- Copy the 32-character ID from any Chrome Web Store URL. For example, in `https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm`, the ID is `cjpalhdlnbpafiamejdnhcphjbkeiagm`. You can also paste the full URL into `extensionUrls`. 2. **Configure Your Audit** -- Add extension IDs to the `extensionIds` array. Choose `raw` mode for individual reports or `tracker` mode for a compliance summary. Set `riskThreshold` to filter results. 3. **Run the Actor** -- Click Start and the actor will download each CRX file, extract the manifest, scrape Web Store metadata, and generate the risk assessment. 4. **Export Results** -- Download from the Dataset tab as JSON, CSV, or Excel. Use tracker mode output directly in security review presentations and compliance reports. ### Integration Examples #### Python SDK ```python from apify_client import ApifyClient client = ApifyClient("YOUR_API_TOKEN") run = client.actor("nexgendata/chrome-extension-security-analyzer").call( run_input={ "extensionIds": [ "cjpalhdlnbpafiamejdnhcphjbkeiagm", ## uBlock Origin "gighmmpiobklfepjocnamgkkbiglidom", ## AdBlock "cfhdojbkjhnklbpkdaibdccddilifddb", ## Adblock Plus ], "outputMode": "tracker", "riskThreshold": "all", } ) dataset = client.dataset(run["defaultDatasetId"]).list_items().items for item in dataset: if item.get("type") == "tracker_summary": print(f"Risk Distribution: {item['riskDistributionPercent']}") else: print(f"{item['name']}: {item['riskLevel']} ({item['overallRiskScore']}/100)") ``` #### cURL ```bash curl "https://api.apify.com/v2/acts/nexgendata~chrome-extension-security-analyzer/runs" \ -X POST \ -H "Content-Type: application/json" \ -H "Authorization: Bearer YOUR_API_TOKEN" \ -d '{ "extensionIds": ["cjpalhdlnbpafiamejdnhcphjbkeiagm"], "outputMode": "raw" }' ``` ### Use Cases #### 1. IT Security Audit Audit every Chrome extension installed across your organization. Export the tracker mode report showing risk distribution, identify CRITICAL extensions, and generate removal recommendations for your security review board. #### 2. Compliance Review Meet SOC 2, ISO 27001, and NIST requirements for software inventory and risk assessment. The compliance summary output includes audit dates, risk counts, and actionable findings ready for your compliance documentation. #### 3. Vendor Assessment Before approving a vendor's Chrome extension for company-wide deployment, run a security audit. Check what permissions it requests, whether it injects content scripts broadly, and whether it uses deprecated Manifest V2. #### 4. Extension Development If you develop Chrome extensions, use this tool to benchmark your permission footprint against competitors. Identify unnecessary permissions and reduce your risk score before publishing to the Web Store. #### 5. Browser Policy Enforcement Generate data to inform Chrome browser policies (ExtensionInstallBlocklist, ExtensionInstallAllowlist). Block CRITICAL-risk extensions and allow only LOW/MEDIUM risk extensions that have been reviewed. #### 6. Incident Response When investigating a security incident, quickly audit all extensions a user had installed. Identify which extensions had the permissions necessary to exfiltrate data, intercept traffic, or communicate with external servers. ### Frequently Asked Questions **Q: Does a high risk score mean the extension is malicious?** No. Risk scores measure the breadth of permissions, not intent. Ad blockers like uBlock Origin legitimately need broad permissions. The score helps you prioritize which extensions to review manually. **Q: How does this compare to CRXcavator?** CRXcavator was discontinued in 2023. This actor provides equivalent permission analysis, risk scoring, and content script evaluation. It adds Manifest V3 awareness, CSP analysis, and tracker mode for compliance reporting. **Q: Can I audit extensions not on the Chrome Web Store?** Currently, this actor only supports extensions available through Google's CRX distribution servers. Sideloaded or enterprise-distributed extensions from other sources are not supported. **Q: How current is the analysis?** Every run downloads the latest CRX file from Google's servers, so you always get the current published version. There is no caching -- each audit reflects the live extension. **Q: What is tracker mode?** Tracker mode adds a summary record to the dataset with risk distribution percentages, the most common risky permissions, Manifest V2 warnings, content script scope analysis, and prioritized recommendations. It is designed for security reports and executive summaries. **Q: Can I integrate this with my SIEM or security tools?** Yes. Use the Apify API or webhooks to trigger audits on a schedule and push results to Splunk, Elastic, or any tool that accepts JSON via API or webhook. ### Pricing | Solution | Cost | Notes | |----------|------|-------| | Spin.AI | $5,000/year | Enterprise SaaS with minimum commitments | | CRXcavator | Discontinued | No longer available | | **This Actor** | **$0.20/extension** | Pay only for what you use | Audit 10 extensions: $2.25 (includes $0.25 start fee + $0.20 per extension). Audit 100 extensions: $20.25. Audit 1,000 extensions: $200.25. No subscriptions. No minimums. No contracts. ### Why Choose This Actor 1. **Cost Effective** -- At $0.20 per extension, you can audit your entire organization's browser extensions for less than the cost of a single Spin.AI monthly payment. Pay-per-use means zero waste. 2. **No Infrastructure** -- Runs on Apify's cloud. No servers to maintain, no Docker containers to manage, no dependencies to update. Just call the API and get results. 3. **Compliance Ready** -- Tracker mode generates structured output designed for SOC 2, ISO 27001, and NIST compliance documentation. Export as JSON or CSV and attach directly to audit reports. 4. **Always Current** -- Every run pulls the latest CRX from Google's servers. No stale databases, no cached results. You always audit the version your users are actually running. ### Get Started Run your first audit now with the prefilled uBlock Origin example, or paste your organization's extension list and get a full security assessment in minutes. Need help integrating with your security workflow? Check the Apify documentation for webhook setup, scheduled runs, and API integration guides. [Sign up for Apify](https://apify.com?fpr=2ayu9b) to get started with $5 in free credits every month. # Actor input Schema ## `extensionIds` (type: `array`): Array of Chrome Web Store extension IDs (32-character lowercase strings). Example: cjpalhdlnbpafiamejdnhcphjbkeiagm for uBlock Origin. ## `extensionUrls` (type: `array`): Array of Chrome Web Store URLs. The extension ID will be extracted automatically from each URL. ## `maxResults` (type: `integer`): Maximum number of extensions to analyze in a single run. Useful for limiting large batch audits. ## `outputMode` (type: `string`): Output format. 'raw' returns individual extension audits. 'tracker' adds a summary with risk distribution, recommendations, and compliance report. ## `riskThreshold` (type: `string`): Filter results by risk level. 'all' returns every extension. 'high\_only' returns only CRITICAL and HIGH risk. 'medium\_and\_above' returns MEDIUM, HIGH, and CRITICAL. ## Actor input object example ```json { "extensionIds": [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "extensionUrls": [ "https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "maxResults": 50, "outputMode": "raw", "riskThreshold": "all" } ``` # API You can run this Actor programmatically using our API. Below are code examples in JavaScript, Python, and CLI, as well as the OpenAPI specification and MCP server setup. ## JavaScript example ```javascript import { ApifyClient } from 'apify-client'; // Initialize the ApifyClient with your Apify API token // Replace the '' with your token const client = new ApifyClient({ token: '', }); // Prepare Actor input const input = { "extensionIds": [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "extensionUrls": [ "https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "maxResults": 50, "outputMode": "raw", "riskThreshold": "all" }; // Run the Actor and wait for it to finish const run = await client.actor("nexgendata/chrome-extension-security-analyzer").call(input); // Fetch and print Actor results from the run's dataset (if any) console.log('Results from dataset'); console.log(`💾 Check your data here: https://console.apify.com/storage/datasets/${run.defaultDatasetId}`); const { items } = await client.dataset(run.defaultDatasetId).listItems(); items.forEach((item) => { console.dir(item); }); // 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/js/docs ``` ## Python example ```python from apify_client import ApifyClient # Initialize the ApifyClient with your Apify API token # Replace '' with your token. client = ApifyClient("") # Prepare the Actor input run_input = { "extensionIds": ["cjpalhdlnbpafiamejdnhcphjbkeiagm"], "extensionUrls": ["https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm"], "maxResults": 50, "outputMode": "raw", "riskThreshold": "all", } # Run the Actor and wait for it to finish run = client.actor("nexgendata/chrome-extension-security-analyzer").call(run_input=run_input) # Fetch and print Actor results from the run's dataset (if there are any) print("💾 Check your data here: https://console.apify.com/storage/datasets/" + run["defaultDatasetId"]) for item in client.dataset(run["defaultDatasetId"]).iterate_items(): print(item) # 📚 Want to learn more 📖? Go to → https://docs.apify.com/api/client/python/docs/quick-start ``` ## CLI example ```bash echo '{ "extensionIds": [ "cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "extensionUrls": [ "https://chromewebstore.google.com/detail/ublock-origin/cjpalhdlnbpafiamejdnhcphjbkeiagm" ], "maxResults": 50, "outputMode": "raw", "riskThreshold": "all" }' | apify call nexgendata/chrome-extension-security-analyzer --silent --output-dataset ``` ## MCP server setup ```json { "mcpServers": { "apify": { "command": "npx", "args": [ "mcp-remote", "https://mcp.apify.com/?tools=nexgendata/chrome-extension-security-analyzer", "--header", "Authorization: Bearer " ] } } } ``` ## OpenAPI specification ```json { "openapi": "3.0.1", "info": { "title": "🛡️ Chrome Extension Security Analyzer - Permission Audit", "description": "Audit Chrome extensions for security risks. Downloads CRX files, analyzes permissions (CRITICAL/HIGH/MEDIUM/LOW), checks Manifest V2/V3, evaluates CSP & content scripts. Risk scores for SOC 2 & ISO 27001 compliance. CRXcavator is dead — same job for $0.20/extension.", "version": "0.0", "x-build-id": "iXXW0dOTVLOs76Upb" }, "servers": [ { "url": "https://api.apify.com/v2" } ], "paths": { "/acts/nexgendata~chrome-extension-security-analyzer/run-sync-get-dataset-items": { "post": { "operationId": "run-sync-get-dataset-items-nexgendata-chrome-extension-security-analyzer", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for its completion, and returns Actor's dataset items in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } }, "/acts/nexgendata~chrome-extension-security-analyzer/runs": { "post": { "operationId": "runs-sync-nexgendata-chrome-extension-security-analyzer", "x-openai-isConsequential": false, "summary": "Executes an Actor and returns information about the initiated run in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK", "content": { "application/json": { "schema": { "$ref": "#/components/schemas/runsResponseSchema" } } } } } } }, "/acts/nexgendata~chrome-extension-security-analyzer/run-sync": { "post": { "operationId": "run-sync-nexgendata-chrome-extension-security-analyzer", "x-openai-isConsequential": false, "summary": "Executes an Actor, waits for completion, and returns the OUTPUT from Key-value store in response.", "tags": [ "Run Actor" ], "requestBody": { "required": true, "content": { "application/json": { "schema": { "$ref": "#/components/schemas/inputSchema" } } } }, "parameters": [ { "name": "token", "in": "query", "required": true, "schema": { "type": "string" }, "description": "Enter your Apify token here" } ], "responses": { "200": { "description": "OK" } } } } }, "components": { "schemas": { "inputSchema": { "type": "object", "properties": { "extensionIds": { "title": "Extension IDs", "type": "array", "description": "Array of Chrome Web Store extension IDs (32-character lowercase strings). Example: cjpalhdlnbpafiamejdnhcphjbkeiagm for uBlock Origin.", "items": { "type": "string" } }, "extensionUrls": { "title": "Extension URLs", "type": "array", "description": "Array of Chrome Web Store URLs. The extension ID will be extracted automatically from each URL.", "items": { "type": "string" } }, "maxResults": { "title": "Max Results", "minimum": 1, "maximum": 500, "type": "integer", "description": "Maximum number of extensions to analyze in a single run. Useful for limiting large batch audits.", "default": 50 }, "outputMode": { "title": "Output Mode", "enum": [ "raw", "tracker" ], "type": "string", "description": "Output format. 'raw' returns individual extension audits. 'tracker' adds a summary with risk distribution, recommendations, and compliance report.", "default": "raw" }, "riskThreshold": { "title": "Risk Threshold", "enum": [ "all", "high_only", "medium_and_above" ], "type": "string", "description": "Filter results by risk level. 'all' returns every extension. 'high_only' returns only CRITICAL and HIGH risk. 'medium_and_above' returns MEDIUM, HIGH, and CRITICAL.", "default": "all" } } }, "runsResponseSchema": { "type": "object", "properties": { "data": { "type": "object", "properties": { "id": { "type": "string" }, "actId": { "type": "string" }, "userId": { "type": "string" }, "startedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "finishedAt": { "type": "string", "format": "date-time", "example": "2025-01-08T00:00:00.000Z" }, "status": { "type": "string", "example": "READY" }, "meta": { "type": "object", "properties": { "origin": { "type": "string", "example": "API" }, "userAgent": { "type": "string" } } }, "stats": { "type": "object", "properties": { "inputBodyLen": { "type": "integer", "example": 2000 }, "rebootCount": { "type": "integer", "example": 0 }, "restartCount": { "type": "integer", "example": 0 }, "resurrectCount": { "type": "integer", "example": 0 }, "computeUnits": { "type": "integer", "example": 0 } } }, "options": { "type": "object", "properties": { "build": { "type": "string", "example": "latest" }, "timeoutSecs": { "type": "integer", "example": 300 }, "memoryMbytes": { "type": "integer", "example": 1024 }, "diskMbytes": { "type": "integer", "example": 2048 } } }, "buildId": { "type": "string" }, "defaultKeyValueStoreId": { "type": "string" }, "defaultDatasetId": { "type": "string" }, "defaultRequestQueueId": { "type": "string" }, "buildNumber": { "type": "string", "example": "1.0.0" }, "containerUrl": { "type": "string" }, "usage": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "integer", "example": 1 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } }, "usageTotalUsd": { "type": "number", "example": 0.00005 }, "usageUsd": { "type": "object", "properties": { "ACTOR_COMPUTE_UNITS": { "type": "integer", "example": 0 }, "DATASET_READS": { "type": "integer", "example": 0 }, "DATASET_WRITES": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_READS": { "type": "integer", "example": 0 }, "KEY_VALUE_STORE_WRITES": { "type": "number", "example": 0.00005 }, "KEY_VALUE_STORE_LISTS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_READS": { "type": "integer", "example": 0 }, "REQUEST_QUEUE_WRITES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_INTERNAL_GBYTES": { "type": "integer", "example": 0 }, "DATA_TRANSFER_EXTERNAL_GBYTES": { "type": "integer", "example": 0 }, "PROXY_RESIDENTIAL_TRANSFER_GBYTES": { "type": "integer", "example": 0 }, "PROXY_SERPS": { "type": "integer", "example": 0 } } } } } } } } } } ```