If you've ever been responsible for browser security at a company, you probably used CRXcavator. Duo Security built it, Cisco acquired Duo, and then quietly killed CRXcavator in 2023. No replacement. No migration path. Just gone.
That left a gap. Your options today are Spin.AI (starting at $5,000/year with enterprise minimums) or doing it manually — downloading each extension, unzipping the CRX file, reading the manifest.json, and trying to figure out what <all_urls> actually means for your attack surface.
Neither option works well if you're a security engineer at a mid-size company, a consultant doing vendor assessments, or an IT admin who just needs to know which of the 47 extensions installed across your org can read every website your employees visit.
What Made CRXcavator Useful
CRXcavator did one thing really well: it took a Chrome extension ID, pulled apart the CRX package, and told you exactly what permissions the extension had and how risky they were. It classified permissions into risk tiers, flagged dangerous combinations, and gave you a score you could put in a compliance report.
The output was structured data you could feed into a SIEM, attach to an audit, or use to build an allowlist policy. That's what made it valuable — not the analysis itself (which is deterministic), but the fact that it was automated and produced machine-readable output.
The Technical Problem
Chrome extensions are distributed as CRX files — essentially ZIP archives with a header. Inside every CRX is a manifest.json that declares every permission the extension requests. These permissions range from benign (storage, alarms) to extremely broad (<all_urls>, webRequestBlocking, debugger).
The analysis itself isn't AI or heuristics. It's a lookup table: <all_urls> means the extension can read and modify every web page. webRequestBlocking means it can intercept, modify, or block every HTTP request. tabs means it can see every URL in every tab. These are facts, not predictions.
What's tedious is the extraction pipeline: downloading the CRX from Google's update servers, finding the ZIP boundary in the binary (CRX3 format prepends a protobuf header before the ZIP data), parsing the manifest, resolving host permissions, checking content script scope, evaluating the CSP, and producing a normalized risk assessment.
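The CRX3 boundary step of that pipeline, as an added example in Python (not CRXcavator's or the tool's code): the container layout is the real one, while the header bytes in the fixture are a constructed stand-in for Google's signed protobuf.

```python
import io
import json
import struct
import zipfile

CRX3_MAGIC = b"Cr24"
ZIP_LOCAL_HEADER = b"PK\x03\x04"

def split_crx3(data: bytes) -> tuple[bytes, bytes]:
    """Split a CRX3 blob into (protobuf header, ZIP payload).

    Layout: "Cr24" | uint32 LE version (3) | uint32 LE header length |
    CrxFileHeader protobuf (keys + signatures) | plain ZIP archive.
    """
    if len(data) < 12 or data[:4] != CRX3_MAGIC:
        raise ValueError("not a CRX file (bad magic)")
    version, header_len = struct.unpack_from("<II", data, 4)
    if version != 3:
        raise ValueError(f"unsupported CRX version {version}")
    zip_start = 12 + header_len
    # The header length comes from an untrusted file; check that it lands on a
    # ZIP local file header before handing the tail to zipfile.
    if data[zip_start:zip_start + 4] != ZIP_LOCAL_HEADER:
        raise ValueError("header length does not point at a ZIP local file header")
    return data[12:zip_start], data[zip_start:]

def read_manifest(crx: bytes) -> dict:
    """Return the parsed manifest.json from a CRX3 blob."""
    _, payload = split_crx3(crx)
    with zipfile.ZipFile(io.BytesIO(payload)) as zf:
        return json.loads(zf.read("manifest.json"))

def build_sample_crx(manifest: dict, header: bytes = b"\x00" * 16) -> bytes:
    """Constructed fixture: a CRX3-shaped blob with an opaque stand-in for the
    signed protobuf header (real headers come from Google's signing step)."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("manifest.json", json.dumps(manifest))
    return CRX3_MAGIC + struct.pack("<II", 3, len(header)) + header + buf.getvalue()

if __name__ == "__main__":
    sample = build_sample_crx({"manifest_version": 3, "name": "Demo",
                               "permissions": ["storage"], "host_permissions": ["<all_urls>"]})
    print(read_manifest(sample)["host_permissions"])
```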
Building a Replacement
I built a tool that replicates what CRXcavator did, runs on Apify's cloud infrastructure, and costs $0.20 per extension analyzed. No subscriptions, no minimums, no contracts.
Here's what it does for each extension:
Permission Risk Classification — Every Chrome permission gets a risk score: CRITICAL (10 points), HIGH (7), MEDIUM (4), or LOW (1). Each score comes with a plain-English explanation of what the permission actually allows. No jargon, no acronyms.
Manifest Version Check — Extensions still on Manifest V2 get flagged. Google is phasing out V2 because its permission model is more permissive than V3. An extension on V2 should be on your review list.
Content Script Analysis — If an extension injects JavaScript into web pages, the tool tells you which pages, whether it targets all URLs or specific domains, and whether it runs at document_start (which means it executes before the page even loads).
CSP Evaluation — The Content Security Policy in the manifest controls what the extension's own code can do. unsafe-eval and unsafe-inline directives weaken the extension's own security boundary.
Overall Risk Score — A 0-100 composite score using weighted factors: permissions (heaviest weight), content script scope, manifest version, and CSP quality. The scoring uses exponential normalization so a single CRITICAL permission (like <all_urls>) dominates the score, which matches how security risk actually works.
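An added example (my own code, not the tool's) that applies the tiers described above to a manifest: the point values and the example permissions' tiers are taken from this post, while the remaining tier assignments, the extra weights for content scripts and CSP, the score bands and the exact exponential curve are assumptions, and the sample manifest is constructed.

```python
import math

# Tier points as stated in the post; tier membership beyond the post's examples is assumed.
TIER_POINTS = {"CRITICAL": 10, "HIGH": 7, "MEDIUM": 4, "LOW": 1}
PERMISSION_TIER = {"<all_urls>": "CRITICAL", "debugger": "CRITICAL", "webRequest": "HIGH",
                   "webRequestBlocking": "HIGH", "tabs": "HIGH", "cookies": "HIGH",
                   "history": "MEDIUM", "bookmarks": "MEDIUM", "storage": "LOW", "alarms": "LOW"}
LEVELS = [(80, "CRITICAL"), (60, "HIGH"), (30, "MEDIUM"), (0, "LOW")]  # assumed score bands

def matches_all_urls(patterns) -> bool:
    """True if a match-pattern list reaches effectively every website."""
    pats = set(patterns)
    return bool(pats & {"<all_urls>", "*://*/*"}) or {"http://*/*", "https://*/*"} <= pats

def classify(permission: str) -> str:
    if permission in PERMISSION_TIER:
        return PERMISSION_TIER[permission]
    if matches_all_urls([permission]):
        return "CRITICAL"
    return "MEDIUM" if "://" in permission else "LOW"  # single host pattern vs. unknown API

def analyze_manifest(m: dict) -> dict:
    # MV2 lists host patterns under "permissions"; MV3 moves them to "host_permissions".
    perms = list(m.get("permissions", [])) + list(m.get("host_permissions", []))
    findings = [(p, classify(p)) for p in perms]
    points = sum(TIER_POINTS[t] for _, t in findings)
    flags = ["manifest_v2"] if m.get("manifest_version", 2) < 3 else []
    for cs in m.get("content_scripts", []):
        if matches_all_urls(cs.get("matches", [])):
            flags.append("content_script_all_urls")
            points += TIER_POINTS["HIGH"]  # assumed weight for all-site injection
        if cs.get("run_at") == "document_start":
            flags.append("content_script_document_start")
    csp = m.get("content_security_policy", "")
    if isinstance(csp, dict):  # MV3 splits the policy per context
        csp = csp.get("extension_pages", "")
    if "unsafe-eval" in csp or "unsafe-inline" in csp:
        flags.append("weak_csp")
        points += TIER_POINTS["MEDIUM"]  # assumed weight
    # Illustrative exponential normalization (not the tool's exact formula): the curve
    # saturates toward 100, so a lone <all_urls> permission already scores 81.
    score = round(100 * (1 - math.exp(-points / 6)))
    level = next(name for floor, name in LEVELS if score >= floor)
    return {"score": score, "level": level, "permissions": findings, "flags": flags}

# Constructed manifest (not any real extension's) in the shape an MV2 ad blocker would request.
SAMPLE = {"manifest_version": 2, "permissions": ["<all_urls>", "webRequest", "webRequestBlocking",
          "tabs", "storage"], "content_scripts": [{"matches": ["http://*/*", "https://*/*"],
          "run_at": "document_start"}]}
```

Running `analyze_manifest(SAMPLE)` yields a CRITICAL result with the MV2, all-URL content script and document_start flags set, whereas a manifest requesting only storage and alarms lands in the LOW band.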
Example: Auditing uBlock Origin
uBlock Origin is one of the most popular extensions with 10M+ users. Here's what the analysis produces:
- Risk Score: 95/100 (CRITICAL)
- `<all_urls>` — CRITICAL: Can access ALL websites
- `webRequest` — HIGH: Can observe all HTTP requests
- `webRequestBlocking` — HIGH: Can intercept and modify all HTTP traffic
- `tabs` — HIGH: Can see every URL in every open tab
- Manifest V2 (flagged)
- Content scripts targeting `http://*/*` and `https://*/*` at `document_start`
This is correct. uBlock Origin legitimately needs these permissions to function as an ad blocker. A high risk score does not mean an extension is malicious — it means it has significant access that should be reviewed and approved by someone who understands why.
Batch Auditing for Organizations
The real value shows up at scale. If you manage browser policy for a 500-person company, you might have 40-80 unique extensions across your fleet. Running them all through a single API call produces a dataset you can sort by risk score, filter by CRITICAL permissions, and use to build Chrome's ExtensionInstallBlocklist and ExtensionInstallAllowlist policies.
The tracker mode generates a compliance-ready summary: risk distribution percentages, most common dangerous permissions across your fleet, Manifest V2 count, content script scope analysis, and prioritized recommendations. Attach it to your SOC 2 evidence folder or your ISO 27001 Statement of Applicability.
Cost Comparison
| Solution | Cost | Notes |
|---|---|---|
| CRXcavator | Discontinued | Was free while it lasted |
| Spin.AI | $5,000/year minimum | Enterprise SaaS |
| Manual analysis | Free (your time) | ~15-30 min per extension |
| Chrome Extension Security Analyzer | $0.20/extension | Pay-per-use API |
Audit 50 extensions: $10.25. Audit 500 extensions: $100.25. No subscription.
How to Use It
The tool runs on Apify, a cloud scraping platform. You can run it through the web UI, the REST API, or the Python SDK.
Quick start (Python):
```python
from apify_client import ApifyClient

client = ApifyClient("YOUR_API_TOKEN")

# Start the actor and wait for the run to finish; "tracker" mode adds the fleet-wide summary.
run = client.actor("nexgendata/chrome-extension-security-analyzer").call(
    run_input={
        "extensionIds": [
            "cjpalhdlnbpafiamejdnhcphjbkeiagm",  # uBlock Origin
            "gighmmpiobklfepjocnamgkkbiglidom",  # AdBlock
        ],
        "outputMode": "tracker",
    }
)

# Only per-extension records carry overallRiskScore, so the summary record is skipped here.
for item in client.dataset(run["defaultDatasetId"]).list_items().items:
    if "overallRiskScore" in item:
        print(f"{item['name']}: {item['riskLevel']} ({item['overallRiskScore']}/100)")
```
Quick start (cURL):
```bash
curl "https://api.apify.com/v2/acts/nexgendata~chrome-extension-security-analyzer/runs" \
  -X POST \
  -H "Content-Type: application/json" \
  -H "Authorization: Bearer YOUR_API_TOKEN" \
  -d '{"extensionIds": ["cjpalhdlnbpafiamejdnhcphjbkeiagm"]}'
```
Results come back as structured JSON — ready for your SIEM, compliance dashboard, or a simple spreadsheet.
When to Use This
- Quarterly security reviews — Audit all extensions in your fleet against your permission policy
- Vendor assessment — Before approving a vendor's extension for company-wide install
- Incident response — Quickly identify which installed extensions had the access to cause an observed breach
- Policy building — Generate data for Chrome Enterprise browser policies
- Compliance evidence — Attach structured audit output to SOC 2 or ISO 27001 documentation
The tool is at apify.com/nexgendata/chrome-extension-security-analyzer. If you're migrating from CRXcavator or looking for a Spin.AI alternative that doesn't require an enterprise contract, give it a run.
Built by NexGenData. We build data extraction and analysis tools on Apify.
Sign up for Apify to get $5 in free monthly credits.