Low risk (risk score 15/100)
Last scanned: 2 days ago
chrome-use
Control local Chrome browser via chrome.debugger API using a Chrome extension for web scraping and automation
Chrome browser automation skill that uses legitimate Chrome debugger API with local WebSocket communication and no external data exfiltration.
Skill name: chrome-use
Analysis time: 38.6s
Engine: pi
OK to install
Safe to use. The skill performs expected browser automation with declared capabilities. No malicious behavior detected.

Security findings: 1

Severity: Low
Finding: Chrome extension has broad host permissions
The extension manifest requests <all_urls> permissions via host_permissions. This is standard practice for browser automation extensions and allows accessing any website the user navigates to.
"host_permissions": ["http://*/*", "https://*/*"]
→ This is expected behavior for browser automation. No action needed.
Location: extension/manifest.json:9
Resource type | Declared permission | Inferred permission | Status | Evidence
File system | WRITE | WRITE | ✓ Consistent | src/chrome-bridge.js:43 - spawns Chrome with --user-data-dir and --load-extensio…
Command execution | WRITE | WRITE | ✓ Consistent | src/chrome-bridge.js:64 - spawn(chromePath, args), line 129 execSync(pgrep/taskl…
Network access | READ | READ | ✓ Consistent | WebSocket client in extension/background.js connects to localhost:9224
Browser | WRITE | WRITE | ✓ Consistent | chrome.debugger API used for navigation, click, fill, evaluate
1 finding
Severity: Medium
Type: External URL
URL: https://www.google.com
Location: extension/README.md:53

Directory structure

11 files · 50.3 KB · 2035 lines
JavaScript 5f · 1426L Markdown 3f · 396L HTML 1f · 169L JSON 2f · 44L
├─ 📁 extension
│ ├─ 📜 background.js JavaScript 576L · 13.1 KB
│ ├─ 📋 manifest.json JSON 24L · 452 B
│ ├─ 📄 popup.html HTML 169L · 3.2 KB
│ ├─ 📜 popup.js JavaScript 66L · 1.8 KB
│ └─ 📝 README.md Markdown 103L · 3.2 KB
├─ 📁 references
│ └─ 📝 cdp-commands.md Markdown 105L · 3.2 KB
├─ 📁 src
│ ├─ 📜 chrome-bridge.js JavaScript 368L · 9.2 KB
│ └─ 📜 websocket-server.js JavaScript 258L · 5.7 KB
├─ 📜 index.js JavaScript 158L · 3.9 KB
├─ 📋 package.json JSON 20L · 390 B
└─ 📝 SKILL.md Markdown 188L · 6.2 KB

Dependency analysis: 1 item

Package | Version | Source | Known vulnerabilities | Notes
ws | ^8.16.0 | npm | | Standard WebSocket library, version reasonably pinned

Security highlights

✓ Uses official Chrome debugger API (chrome.debugger) - a legitimate, documented API
✓ All WebSocket communication is local (localhost:9224) - no external data transmission
✓ Only dependency is 'ws' (WebSocket library) version 8.16.0 - no malicious dependencies
✓ No credential harvesting, no environment variable scanning for secrets
✓ No base64-encoded or obfuscated code
✓ No external IP connections or C2 communication
✓ All functionality is clearly documented in SKILL.md
✓ Extension uses service worker (Manifest V3) with proper security model
✓ Code is well-structured and readable with no suspicious patterns