Most browser extensions that call external APIs route your data through a developer-controlled server first. That's not a conspiracy — it's the path of least resistance. You stand up a backend, proxy requests through it, log errors, maybe cache responses. The problem is that everything you highlight and every question you ask passes through infrastructure that you don't control and that the extension author probably didn't design for privacy from the start.
rabbitholes does something different by construction: requests go directly from your browser to api.anthropic.com and api.search.brave.com. There is no intermediary server. There is nothing to log because there's nothing in the middle.
This wasn't a late decision. The extension renders explanations in a shadow-DOM tooltip next to your cursor — the shadow DOM means the tooltip doesn't pollute the host page's styles or scripts. The same isolation principle runs through the data flow. Your Anthropic API key lives in chrome.storage.sync, which Chrome encrypts and syncs to your account. It never leaves the browser.
The architecture made Manifest V3 compliance straightforward rather than painful. MV3 restricts remotely-hosted code and tightens background-service-worker lifetimes precisely because extensions were being used as attack surface. Building direct-to-API meant there was no server-side component to audit or trust.
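One way to check a "no intermediary server" claim against an extension's manifest.json, as an added example that is not code from rabbitholes or from this post. The function names and both sample manifests are constructed for illustration, and the check assumes the extension declares its endpoints in host_permissions and in a connect-src directive; it does not inspect content_scripts matches or the extension's source.

```javascript
// Added example: flag manifest entries that allow network access beyond an allowlist.
const ALLOWED_HOSTS = ["api.anthropic.com", "api.search.brave.com"]; // hosts named in the post

// Host part of a match pattern ("https://host/*") or CSP source ("https://host").
function hostOf(entry) {
  const m = /^(\*|https?|wss?):\/\/([^\/]+)/.exec(entry);
  return m ? m[2] : null; // null for "<all_urls>", bare "*", keywords
}

// True when the entry is a wildcard or names a host that is not on the allowlist.
function offList(entry, allowed) {
  const host = hostOf(entry);
  return host === null || host.includes("*") || !allowed.includes(host);
}

function auditManifest(manifest, allowed = ALLOWED_HOSTS) {
  const findings = [];
  if (manifest.manifest_version !== 3) findings.push("not Manifest V3");
  const perms = [...(manifest.host_permissions || []),
                 ...(manifest.optional_host_permissions || [])];
  for (const p of perms) {
    if (offList(p, allowed)) findings.push(`host permission outside allowlist: ${p}`);
  }
  // connect-src governs fetch/XHR/WebSocket targets; it falls back to default-src.
  const csp = (manifest.content_security_policy || {}).extension_pages || "";
  const directives = csp.split(";").map(d => d.trim().split(/\s+/));
  const connect = directives.find(d => d[0] === "connect-src") ||
                  directives.find(d => d[0] === "default-src");
  if (!connect) {
    findings.push("no connect-src or default-src: CSP does not restrict fetch destinations");
  } else {
    for (const src of connect.slice(1)) {
      if (src === "'self'" || src === "'none'") continue;
      if (offList(src, allowed)) findings.push(`connect-src outside allowlist: ${src}`);
    }
  }
  return findings;
}

// Constructed sample manifests (not taken from any real extension).
const directOnly = {
  manifest_version: 3,
  host_permissions: ["https://api.anthropic.com/*", "https://api.search.brave.com/*"],
  content_security_policy: { extension_pages:
    "script-src 'self'; object-src 'self'; connect-src https://api.anthropic.com https://api.search.brave.com" },
};
const proxied = {
  manifest_version: 3,
  host_permissions: ["https://api.anthropic.com/*", "https://proxy.example.com/*", "<all_urls>"],
  content_security_policy: { extension_pages: "script-src 'self'; object-src 'self'" },
};
console.log(auditManifest(directOnly), auditManifest(proxied));
```

An empty result means the manifest declares nothing beyond the allowlisted hosts; it is a starting point for review, not proof of what the code sends.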
What the extension actually does: highlight any text on any page, get an explanation inline. Click any word in the explanation to go deeper — drag across words to pick a phrase. Every answer surfaces two suggested rabbit-hole topics. Hit the globe icon to re-answer enriched with Brave Search results, with source chips. A counter tracks how many hops deep you've gone.
The privacy architecture isn't a feature I added. It's what you get when you start from "no server" and build outward.