DEV Community

J Now

Why I built rabbitholes without a server in the middle

Most Chrome extensions that hit external APIs route your requests through the developer's backend. That's not a conspiracy theory — it's just the default architecture. You need a server to hide your API keys, log errors, maybe rate-limit abuse. The tradeoff is that every query you make goes through someone else's infrastructure. For a reading tool that sees every word you highlight on every page you visit, that felt like the wrong tradeoff.

rabbitholes sends requests directly from your browser to api.anthropic.com and api.search.brave.com. No intermediary server. No request log I could read even if I wanted to. Your Anthropic API key lives in chrome.storage.sync — encrypted by Chrome, never transmitted anywhere except straight to Anthropic.

Making this work without a backend required solving one real problem: you can't safely embed an API key in extension source code, because anyone who installs the extension can extract it. The answer is to not embed a key at all. The user supplies their own key, it goes into chrome.storage.sync, and every request the extension makes uses that key directly. The extension is essentially a browser-native API client with a UI.
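The direct-request pattern described above, as an added example that is not taken from the rabbitholes source: each stored key is attached only to the HTTPS host it belongs to, and redirects are refused so the key cannot follow one elsewhere. The storage key names, function names and caller-supplied model id are assumptions; the endpoints and header names are those of the public Anthropic and Brave Search APIs.

```javascript
// Added example, not rabbitholes source. Storage key names and model id are assumptions.
const CREDENTIALS = {
  anthropicKey: { host: "api.anthropic.com", header: "x-api-key" },
  braveKey: { host: "api.search.brave.com", header: "X-Subscription-Token" },
};

// Attach a stored secret only when the URL is the HTTPS host that secret belongs to.
function withCredential(name, secret, url, init = {}) {
  const rule = CREDENTIALS[name];
  const target = new URL(url);
  if (!rule || target.protocol !== "https:" || target.hostname !== rule.host) {
    throw new Error(`refusing to send ${name} to ${target.origin}`);
  }
  if (!secret) throw new Error(`${name} is not configured`);
  return {
    ...init,
    redirect: "error", // a redirect must not carry the key to another host
    headers: { ...init.headers, [rule.header]: secret },
  };
}

// `storage` is chrome.storage.sync in the extension; `fetchImpl` is fetch.
async function directFetch(storage, fetchImpl, name, url, init) {
  const stored = await storage.get(name);
  const res = await fetchImpl(url, withCredential(name, stored[name], url, init));
  if (!res.ok) throw new Error(`${new URL(url).hostname} returned ${res.status}`);
  return res.json();
}

async function explain(storage, fetchImpl, selectedText, model) {
  const body = await directFetch(storage, fetchImpl, "anthropicKey",
    "https://api.anthropic.com/v1/messages", {
      method: "POST",
      headers: {
        "content-type": "application/json",
        "anthropic-version": "2023-06-01",
        "anthropic-dangerous-direct-browser-access": "true", // opt-in for browser-origin calls
      },
      body: JSON.stringify({ model, max_tokens: 300,
        messages: [{ role: "user", content: `Explain briefly: ${selectedText}` }] }),
    });
  return body.content[0].text;
}

function search(storage, fetchImpl, query) {
  const url = "https://api.search.brave.com/res/v1/web/search?q=" + encodeURIComponent(query);
  return directFetch(storage, fetchImpl, "braveKey", url, { headers: { accept: "application/json" } });
}
```

In the extension, `explain(chrome.storage.sync, fetch, text, model)` would be the call; passing the storage and fetch objects in is what lets the guard be exercised outside a browser.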

The UI part is a shadow DOM tooltip that renders next to your cursor when you highlight text. Shadow DOM matters here — it means the explanation panel inherits none of the host page's CSS and injects none of its own styles into the page. A site with aggressive global selectors won't blow up the tooltip layout, and the tooltip won't corrupt the page's layout either.

From inside the tooltip you can click any word to explore it, drag across a phrase to query that instead, hit the pencil icon for a follow-up that inherits the current context, or hit the globe icon to re-run the query enriched with Brave Search results. A counter tracks how many hops deep you've gone — if you spiral from 'mitochondria' to 'ATP synthase' to 'chemiosmosis' to 'Peter Mitchell,' the trail is there.

Zero analytics. Zero telemetry. Nothing phoning home.

https://github.com/robertnowell/rabbitholes
