Low Risk — Risk Score 15/100
Last scan: 2 days ago
chrome-use
Control local Chrome browser via chrome.debugger API using a Chrome extension for web scraping and automation
Chrome browser automation skill that uses legitimate Chrome debugger API with local WebSocket communication and no external data exfiltration.
Skill Name: chrome-use
Duration: 38.6s
Engine: pi
Safe to install
Safe to use. The skill performs expected browser automation with declared capabilities. No malicious behavior detected.

Findings (1 item)

Severity: Low
Finding: Chrome extension has broad host permissions
Location: extension/manifest.json:9
The extension manifest requests <all_urls> permissions via host_permissions. This is standard practice for browser automation extensions and allows accessing any website the user navigates to.
"host_permissions": ["http://*/*", "https://*/*"]
→ This is expected behavior for browser automation. No action needed.
Resource Declared Inferred Status Evidence
Filesystem WRITE WRITE ✓ Aligned src/chrome-bridge.js:43 - spawns Chrome with --user-data-dir and --load-extensio…
Shell WRITE WRITE ✓ Aligned src/chrome-bridge.js:64 - spawn(chromePath, args), line 129 execSync(pgrep/taskl…
Network READ READ ✓ Aligned WebSocket client in extension/background.js connects to localhost:9224
Browser WRITE WRITE ✓ Aligned chrome.debugger API used for navigation, click, fill, evaluate
1 finding
Medium External URL
https://www.google.com
extension/README.md:53

File Tree

11 files · 50.3 KB · 2035 lines
JavaScript 5f · 1426L Markdown 3f · 396L HTML 1f · 169L JSON 2f · 44L
├─ 📁 extension
│ ├─ 📜 background.js JavaScript 576L · 13.1 KB
│ ├─ 📋 manifest.json JSON 24L · 452 B
│ ├─ 📄 popup.html HTML 169L · 3.2 KB
│ ├─ 📜 popup.js JavaScript 66L · 1.8 KB
│ └─ 📝 README.md Markdown 103L · 3.2 KB
├─ 📁 references
│ └─ 📝 cdp-commands.md Markdown 105L · 3.2 KB
├─ 📁 src
│ ├─ 📜 chrome-bridge.js JavaScript 368L · 9.2 KB
│ └─ 📜 websocket-server.js JavaScript 258L · 5.7 KB
├─ 📜 index.js JavaScript 158L · 3.9 KB
├─ 📋 package.json JSON 20L · 390 B
└─ 📝 SKILL.md Markdown 188L · 6.2 KB

Dependencies (1 item)

Package Version Source Known Vulns Notes
ws ^8.16.0 npm No Standard WebSocket library, version reasonably pinned

Security Positives

✓ Uses official Chrome debugger API (chrome.debugger) - a legitimate, documented API
✓ All WebSocket communication is local (localhost:9224) - no external data transmission
✓ Only dependency is 'ws' (WebSocket library) version 8.16.0 - no malicious dependencies
✓ No credential harvesting, no environment variable scanning for secrets
✓ No base64-encoded or obfuscated code
✓ No external IP connections or C2 communication
✓ All functionality is clearly documented in SKILL.md
✓ Extension uses service worker (Manifest V3) with proper security model
✓ Code is well-structured and readable with no suspicious patterns