
# Extension Analyze (Security & Compliance Auditor)

Audit an existing Chrome extension. Do NOT just explain — execute the workflow.

## Workflow (Execute This)

### Step 1: Locate extension root and detect framework

Ask the user for the path if it was not provided. Detect the framework:

```bash
ls wxt.config.ts plasmo.config.ts vite.config.ts manifest.json 2>/dev/null
```

- Plasmo: the manifest is auto-generated; check `package.json` and `plasmo.config.ts` instead
- WXT: check the manifest section of `wxt.config.ts`
- Vanilla/CRXJS: check `manifest.json` directly
### Step 2: Scan manifest.json (or equivalent config)

```bash
# Check MV version, permissions, host_permissions, CSP, web_accessible_resources
jq '{manifest_version, permissions, host_permissions, content_security_policy, web_accessible_resources}' <ext>/manifest.json
```

### Step 3: Quick grep scans

The alternations below need extended regex (`-E`); in basic regex `|` is a literal character and the scans match nothing. Literal parentheses and dots are escaped, and `--include` takes a glob (`*.ts`), not a bare suffix.

```bash
# XSS vectors
grep -rnE "innerHTML|outerHTML|document\.write|insertAdjacentHTML" <ext>/src --include="*.ts" --include="*.js"

# Unsafe patterns: eval, the Function constructor, a string handed to a timer
grep -rnE "eval\(|new Function\(|set(Timeout|Interval)\([[:space:]]*[\"']" <ext>/src

# Hardcoded secrets (test files and node_modules excluded)
grep -rnE "api_key|apiKey|secret|password|token" <ext>/src --include="*.ts" --include="*.js" | grep -v ".test." | grep -v "node_modules"

# HTTP (non-HTTPS) calls
grep -rn "http://" <ext>/src --include="*.ts" --include="*.js"

# Message handler sender validation: review every listener these hits point at
grep -rnE "onMessage|addListener" <ext>/src | grep -v "node_modules"

# Remote code loading
grep -rnE "importScripts|fetch.*\.js|eval\(|chrome\.scripting\.executeScript" <ext>/src
```
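The same Step 3 scans expressed as a small Node.js scanner, added here as an example (not part of the original skill), so that each hit carries the severity level the page assigns to it and the scan yields the `Critical: X | High: X | ...` summary line the report format asks for. The file-level check for a message listener that never references `sender` is a heuristic for the "missing sender validation" finding; the sample files are constructed for the demo and are not from any real extension.

```javascript
// Added example, not part of the original skill: the Step 3 grep scans as a
// small Node.js scanner, so each hit can be tagged with the severity level the
// page assigns to it. The sample files below are constructed for the demo.

const LINE_CHECKS = [
  // XSS vectors: HTML sinks fed with page-sourced data (High)
  { id: 'xss-sink', severity: 'High',
    re: /\b(innerHTML|outerHTML|document\.write|insertAdjacentHTML)\b/ },
  // eval, the Function constructor, or a string handed to a timer (Critical)
  { id: 'dynamic-code', severity: 'Critical',
    re: /\beval\(|new Function\(|\bset(Timeout|Interval)\(\s*["'`]/ },
  // Hardcoded secrets; case-insensitive so that `API_KEY` is caught as well (High)
  { id: 'hardcoded-secret', severity: 'High',
    re: /\b(api_key|apiKey|secret|password|token)\b/i },
  // Plain HTTP endpoints (High)
  { id: 'plain-http', severity: 'High', re: /http:\/\// },
  // Remote code loading, an MV3 violation (Critical)
  { id: 'remote-code', severity: 'Critical',
    re: /importScripts\(|fetch\([^)]*\.js\b|chrome\.scripting\.executeScript/ },
];

// Scan one file; returns [{ file, line, id, severity, text }]
function scanFile(file, source) {
  const findings = [];
  // Mirror `grep -v ".test."`: test fixtures are out of scope
  if (file.includes('.test.')) return findings;
  source.split('\n').forEach((text, i) => {
    for (const check of LINE_CHECKS) {
      if (check.re.test(text)) {
        findings.push({ file, line: i + 1, id: check.id, severity: check.severity, text: text.trim() });
      }
    }
  });
  // File-level heuristic: a message listener whose code never mentions `sender`
  // cannot be validating who sent the message (High)
  if (/onMessage\.addListener/.test(source) && !/\bsender\b/.test(source)) {
    findings.push({ file, line: 0, id: 'missing-sender-check', severity: 'High',
      text: 'onMessage listener without sender validation' });
  }
  return findings;
}

// files: { "path/in/extension": "source text" }
function scanFiles(files) {
  return Object.entries(files).flatMap(([file, src]) => scanFile(file, src));
}

// Counts for the report's summary line
function countBySeverity(findings) {
  const counts = { Critical: 0, High: 0, Medium: 0, Low: 0 };
  for (const f of findings) counts[f.severity] += 1;
  return counts;
}

// Constructed sample extension sources (not from any real extension)
const SAMPLE_FILES = {
  'src/background.ts': [
    'chrome.runtime.onMessage.addListener((msg) => handle(msg));',
    'const API_KEY = "sk-EXAMPLE-PLACEHOLDER";',
    'fetch("http://api.example.com/v1/data");',
    'setTimeout("handle()", 100);',
  ].join('\n'),
  'src/content.ts': [
    'const el = document.getElementById("out");',
    'el.innerHTML = location.hash.slice(1);',
    'el.textContent = "safe";',
  ].join('\n'),
  'src/background.test.ts': 'const token = "not-a-finding";',
};

const SAMPLE_FINDINGS = scanFiles(SAMPLE_FILES);
const SAMPLE_COUNTS = countBySeverity(SAMPLE_FINDINGS);
for (const f of SAMPLE_FINDINGS) {
  console.log(`[${f.severity.toUpperCase()}] ${f.id} ${f.file}:${f.line} ${f.text}`);
}
console.log(`Critical: ${SAMPLE_COUNTS.Critical} | High: ${SAMPLE_COUNTS.High} | Medium: ${SAMPLE_COUNTS.Medium} | Low: ${SAMPLE_COUNTS.Low}`);
```

Against the constructed sample the scanner reports one Critical (the string argument to `setTimeout`) and four High findings (the `innerHTML` sink, the hardcoded key, the plain-HTTP fetch, and the listener without a `sender` check); the `.test.ts` file is skipped just as the grep pipeline skips it. As with the greps, every hit is a candidate for review, not a confirmed vulnerability: `innerHTML` fed with a constant string, for example, still matches.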

### Step 4: Check CSP configuration

- MV3 default CSP: `script-src 'self'; object-src 'self'`
- Flag any `unsafe-inline`, `unsafe-eval`, or `http:` sources
- Verify no remote script sources
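Steps 2 and 4 as a Node.js check over an already-parsed manifest object, added as an example that is not part of the original skill. The rules are the page's own (MV3 default CSP, `unsafe-inline` / `unsafe-eval` / `http:` sources, remote script sources, `<all_urls>`, unrestricted `web_accessible_resources`) with the severities from the Severity Levels table; the two manifests at the bottom are constructed, one carrying the weak settings and one with them corrected.

```javascript
// Added example, not part of the original skill: Steps 2 and 4 as a Node.js
// check over an already-parsed manifest object (e.g. JSON.parse of
// manifest.json). Both manifests at the bottom are constructed.

const MV3_DEFAULT_CSP = "script-src 'self'; object-src 'self'";

// "script-src 'self' https://x; object-src 'self'"
//   -> { 'script-src': ["'self'", 'https://x'], 'object-src': ["'self'"] }
function parseCsp(csp) {
  const directives = {};
  for (const part of csp.split(';')) {
    const [name, ...sources] = part.trim().split(/\s+/).filter(Boolean);
    if (name) directives[name] = sources;
  }
  return directives;
}

// MV3 keeps the extension-pages policy under content_security_policy.extension_pages;
// MV2 used a plain string. An absent policy means the MV3 default applies.
function effectiveCsp(manifest) {
  const csp = manifest.content_security_policy;
  if (typeof csp === 'string') return csp;
  if (csp && typeof csp.extension_pages === 'string') return csp.extension_pages;
  return MV3_DEFAULT_CSP;
}

const ALL_HOSTS = (p) => p === '<all_urls>' || /^\*:\/\/\*\//.test(p);

// Returns [{ severity, title, detail }]
function auditManifest(m) {
  const findings = [];
  const add = (severity, title, detail) => findings.push({ severity, title, detail });

  if (m.manifest_version !== 3) {
    add('Medium', 'Not Manifest V3', `manifest_version=${m.manifest_version}`);
  }

  // CSP sources: unsafe-eval is Critical, unsafe-inline Medium, any remote
  // script source Critical, an http: source elsewhere High
  for (const [name, sources] of Object.entries(parseCsp(effectiveCsp(m)))) {
    for (const src of sources) {
      if (src === "'unsafe-eval'") add('Critical', 'unsafe-eval in CSP', `${name} ${src}`);
      else if (src === "'unsafe-inline'") add('Medium', 'unsafe-inline in CSP', `${name} ${src}`);
      else if (name === 'script-src' && /^https?:/.test(src)) add('Critical', 'Remote script source in CSP', `${name} ${src}`);
      else if (/^http:/.test(src)) add('High', 'http: source in CSP', `${name} ${src}`);
    }
  }

  // Overly broad host permission (Medium); MV2 put host patterns in `permissions`
  for (const h of [...(m.host_permissions || []), ...(m.permissions || [])]) {
    if (ALL_HOSTS(h)) add('Medium', 'Overly broad host permission', h);
  }

  // web_accessible_resources reachable from every site (Medium)
  for (const entry of m.web_accessible_resources || []) {
    if (typeof entry === 'string') {
      add('Medium', 'Unrestricted web_accessible_resources', `MV2-style entry ${entry}`);
      continue;
    }
    const matches = entry.matches || [];
    if (matches.some(ALL_HOSTS) || (!entry.extension_ids && matches.length === 0)) {
      add('Medium', 'Unrestricted web_accessible_resources', (entry.resources || []).join(', '));
    }
  }
  return findings;
}

// Constructed manifest with the weak settings the audit looks for
const WEAK_MANIFEST = {
  manifest_version: 3, name: 'demo', version: '1.0.0',
  permissions: ['storage', 'tabs'],
  host_permissions: ['<all_urls>'],
  content_security_policy: { extension_pages: "script-src 'self' 'unsafe-eval' https://cdn.example; object-src 'self'" },
  web_accessible_resources: [{ resources: ['inject.js'], matches: ['<all_urls>'] }],
};

// The same manifest with each setting corrected
const HARDENED_MANIFEST = {
  manifest_version: 3, name: 'demo', version: '1.0.0',
  permissions: ['storage'],
  host_permissions: ['https://api.example.com/*'],
  content_security_policy: { extension_pages: MV3_DEFAULT_CSP },
  web_accessible_resources: [{ resources: ['inject.js'], matches: ['https://app.example.com/*'] }],
};

const WEAK_FINDINGS = auditManifest(WEAK_MANIFEST);
const HARDENED_FINDINGS = auditManifest(HARDENED_MANIFEST);
for (const f of WEAK_FINDINGS) console.log(`[${f.severity.toUpperCase()}] ${f.title}: ${f.detail}`);
console.log(`hardened manifest findings: ${HARDENED_FINDINGS.length}`);
```

The weak manifest yields two Critical findings (`'unsafe-eval'` and the remote `https://cdn.example` script source) and two Medium ones (`<all_urls>` host permission, `web_accessible_resources` matched to every site); the hardened manifest yields none. Read a real manifest with `JSON.parse(fs.readFileSync(path))` and pass the object to `auditManifest`.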

### Step 5: Dependency audit

```bash
cd <ext> && npm audit --json | jq '.vulnerabilities | to_entries[] | {pkg: .key, severity: .value.severity}'
```

### Step 6: Generate report

Output findings grouped by severity. See Output Format below.

## Severity Levels

| Level | Criteria |
| --- | --- |
| Critical | RCE, data exfiltration, remote code loading, eval with untrusted input |
| High | XSS, missing sender validation, API keys in source, HTTP API calls |
| Medium | Overly broad permissions, unsafe-inline CSP, sync storage secrets |
| Low | Missing error handling, no TypeScript, console.log in production |

## Top 10 Issues Found in Most Extensions

1. `innerHTML` with page-sourced data (XSS) — High
2. `onMessage` without sender origin check — High
3. `<all_urls>` host permission when not needed — Medium
4. `unsafe-inline` or `unsafe-eval` in CSP — Medium/Critical
5. API keys hardcoded in source — Critical
6. `eval()` or `new Function()` usage — Critical
7. `chrome.storage.sync` storing sensitive data — Medium
8. HTTP endpoints instead of HTTPS — High
9. Remote script loading (MV3 violation) — Critical
10. Missing `web_accessible_resources` restrictions — Medium
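The sender check that issue 2 asks for, shown as an added example (not the skill's own code) written as pure functions so it runs under Node.js without a browser. `chrome.runtime.MessageSender` really does carry `id`, `tab`, `url` and `origin`; `EXTENSION_ID`, the origin allow-list, the message types and the sender objects are constructed placeholders.

```javascript
// Added example, not part of the original skill: the sender check behind
// finding #2 ("onMessage without sender origin check"). EXTENSION_ID, the
// allow-list, the message types and the sender objects are placeholders.

const EXTENSION_ID = 'placeholderextensionidabcdefghij'; // placeholder, not a real ID
const ALLOWED_PAGE_ORIGINS = ['https://app.example.com']; // pages our content script may message from

function originOf(url) {
  try { return new URL(url).origin; } catch { return null; }
}

// Reject anything that is not our own extension; for messages coming from a
// content script (sender.tab is set) also require that the page it runs in is
// on the allow-list, since page content can influence what the script sends.
function isTrustedSender(sender, extensionId = EXTENSION_ID, allowedOrigins = ALLOWED_PAGE_ORIGINS) {
  if (!sender || sender.id !== extensionId) return false;
  if (!sender.tab) return true; // our own popup/options page or service worker
  const origin = typeof sender.origin === 'string' ? sender.origin : originOf(sender.url);
  return origin !== null && allowedOrigins.includes(origin);
}

// Build a listener that validates the sender first, then dispatches on
// message.type. Returns false because every response is sent synchronously.
function guardedListener(handlers) {
  return (message, sender, sendResponse) => {
    if (!isTrustedSender(sender)) { sendResponse({ error: 'untrusted sender' }); return false; }
    const handler = message && handlers[message.type];
    if (!handler) { sendResponse({ error: 'unknown message type' }); return false; }
    sendResponse(handler(message, sender));
    return false;
  };
}

// In the real service worker this would be registered as:
//   chrome.runtime.onMessage.addListener(guardedListener({ ... }));
const listener = guardedListener({
  getSettings: () => ({ theme: 'dark' }),
});

// Test double for the runtime: invoke the listener and capture its response
function dispatch(message, sender) {
  let response;
  listener(message, sender, (r) => { response = r; });
  return response;
}

// Constructed senders covering the cases the check distinguishes
const FROM_POPUP = { id: EXTENSION_ID, url: `chrome-extension://${EXTENSION_ID}/popup.html` };
const FROM_ALLOWED_PAGE = { id: EXTENSION_ID, tab: { id: 7 }, url: 'https://app.example.com/x', origin: 'https://app.example.com' };
const FROM_OTHER_PAGE = { id: EXTENSION_ID, tab: { id: 8 }, url: 'https://other.example.net/' };
const FROM_OTHER_EXTENSION = { id: 'someotherextensionidabcdefghijkl' };

console.log('popup           ->', dispatch({ type: 'getSettings' }, FROM_POPUP));
console.log('allowed page    ->', dispatch({ type: 'getSettings' }, FROM_ALLOWED_PAGE));
console.log('other page      ->', dispatch({ type: 'getSettings' }, FROM_OTHER_PAGE));
console.log('other extension ->', dispatch({ type: 'getSettings' }, FROM_OTHER_EXTENSION));
```

Only the extension's own pages and a content script on an allow-listed origin get a real answer; a content script on any other page, a message with no `sender`, or one from another extension is refused before any handler runs. Keeping the check in `isTrustedSender` rather than inside each handler is also what makes the Step 3 grep for `onMessage|addListener` easy to review: every listener is wrapped the same way.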

## Output Format

```
# Extension Audit Report: <name> v<version>

Date: <date> | MV: <2|3>

## Summary

Critical: X | High: X | Medium: X | Low: X

## Findings

### [CRITICAL] API Key Exposed in Source

File: src/background.ts:42
Pattern: const API_KEY = "sk-..."
Fix: Move to environment variable or user-provided settings
Reference: references/common-vulnerabilities.md#4

...

## Passed Checks

- CSP: No unsafe-inline/eval ✓
- HTTPS: All API calls use HTTPS ✓

---
```

## References

- `references/security-checklist.md` — Full security audit checklist
- `references/best-practices-checklist.md` — Performance, UX, accessibility, CWS
- `references/common-vulnerabilities.md` — Vulnerability patterns with grep/fix
- `references/cws-compliance-checklist.md` — Chrome Web Store policy compliance
- Chrome Permissions List
- Chrome Extensions Docs

## Related Skills

- `extension-manifest` — Generate/validate manifest.json
- `extension-create` — Scaffold new extension
- `extension-publish` — Store submission checklist