PrivacyScope

Extension Privacy Scanner — How it works


PrivacyScope never contacts any server we operate. All analysis runs locally using Chrome's built-in extension management API — the same data source as chrome://extensions. Your extension list never leaves your device.

The only external requests PrivacyScope ever makes are to clients2.google.com — Google's own CRX download server — when you visit a Chrome Web Store detail page. This is the same server Chrome uses to install extensions.

How it works

1. Read declared permissions

Every extension ships with a public manifest.json listing every permission it requests. PrivacyScope reads this via Chrome's management API — no special access needed. You can see the same data at chrome://extensions → Details → Permissions.

2. Score by harm potential

Each permission is assigned a risk score based on what it enables. An extension that can read every website plus access your cookies scores far higher than one that only uses storage. Dangerous combinations — like <all_urls> with webRequest — add a bonus penalty.

3. Translate into plain English

Technical permission names are converted to plain descriptions of what they actually enable — no jargon. The flags you see in the popup map directly to specific permissions in the manifest.

Score breakdown

Each flag in the popup corresponds to a specific manifest permission. You can verify any flag yourself: open the Chrome Web Store listing and check the Permissions tab — it lists exactly what the extension declared.

High-risk permissions (permission, score added, what it enables)

<all_urls> (+20–35): Can read and modify every website you visit — including banking, email, and medical sites
cookies (+25): Can read your login sessions. Combined with broad site access, enables impersonation on any site you're logged into
debugger (+30): Developer-level browser control — can intercept all requests and read any page in full
nativeMessaging (+30): Can communicate with programs installed on your computer, outside the browser sandbox
proxy (+30): Can reroute all your internet traffic through an arbitrary server
history (+20): Can see every URL you have ever visited
webRequest + broad host (+35): Can intercept every network request — including form submissions and login credentials
clipboardRead (+15): Can silently read anything you copy — including passwords and credit card numbers

Medium-risk permissions (permission, score added, what it enables)

tabs (+10): Can see the titles and full URLs of all your open tabs
browsingData (+10): Can delete your browsing history, cookies, and saved passwords
downloads (+10): Can see and manage your downloaded files
sessions (+10): Can see and restore your open tabs and browsing sessions

Risk levels

Action needed (score ≥ 60): Security-flagged, or a dangerous permission combination (e.g. <all_urls> + cookies + webRequest)
Review recommended (score 35–59): High capability. Meaningful access to your data. Research before trusting.
Worth knowing (score 15–34): Some sensitive access. No immediate action needed.
Looks safe (score < 15): Minimal permissions. Low privacy risk.
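As an added example (not PrivacyScope's own code), here is a scorer that applies the per-permission points and the four thresholds listed above to an object with the shape of chrome.management.ExtensionInfo. The broad-host patterns, the size of the combination bonus, and how the +20–35 range for <all_urls> is resolved are this example's assumptions.

```javascript
// Added example modelled on the weights and thresholds documented on this page.
// Per-permission points and the four levels are the page's values; the broad-host
// patterns, bonus size and <all_urls> range handling are assumptions, not PrivacyScope's code.

// Host patterns treated as "every site" (assumption: these spellings).
const BROAD_HOST = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

// Per-permission scores as listed in the score breakdown.
const WEIGHTS = {
  cookies: 25, debugger: 30, nativeMessaging: 30, proxy: 30, history: 20,
  clipboardRead: 15, tabs: 10, browsingData: 10, downloads: 10, sessions: 10,
};
const DANGEROUS_COMBO_BONUS = 10; // assumption: size of the "bonus penalty"

// Thresholds from the "Risk levels" section; a security-flagged entry is
// always "Action needed".
function riskLevel(score, securityFlagged = false) {
  if (securityFlagged || score >= 60) return 'Action needed';
  if (score >= 35) return 'Review recommended';
  if (score >= 15) return 'Worth knowing';
  return 'Looks safe';
}

// `info` has the shape of chrome.management.ExtensionInfo (fields
// `permissions` and `hostPermissions`), which the real extension would
// obtain from chrome.management.getAll(); here it is constructed inline.
function scoreExtension(info, securityFlagged = false) {
  const perms = new Set(info.permissions || []);
  const broad = (info.hostPermissions || []).some((h) => BROAD_HOST.test(h));
  const flags = [];
  let score = 0;
  const add = (label, pts) => { score += pts; flags.push(`${label} (+${pts})`); };
  if (broad && perms.has('webRequest')) {
    add('webRequest + broad host', 35); // assumption: replaces the plain broad-host score
  } else if (broad) {
    add('<all_urls>', perms.has('cookies') ? 35 : 20); // assumption: top of range only with cookies
  }
  for (const [p, pts] of Object.entries(WEIGHTS)) if (perms.has(p)) add(p, pts);
  if (broad && perms.has('cookies') && perms.has('webRequest')) {
    add('dangerous combination', DANGEROUS_COMBO_BONUS);
  }
  return { score, level: riskLevel(score, securityFlagged), flags };
}

// Constructed sample manifests (not real extensions): content-blocker-like set,
// broad access plus cookies plus webRequest, and a storage-only extension.
console.log(scoreExtension({ permissions: ['storage', 'tabs', 'webRequest'], hostPermissions: ['<all_urls>'] }));
console.log(scoreExtension({ permissions: ['cookies', 'webRequest'], hostPermissions: ['*://*/*'] }));
console.log(scoreExtension({ permissions: ['storage'], hostPermissions: [] }));
```

Under these assumptions a content-blocker-like manifest (<all_urls> + webRequest + tabs) lands on "Review recommended", which matches the page's uBlock Origin remark, while broad access plus cookies plus webRequest crosses into "Action needed".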

How to investigate a flagged extension

When PrivacyScope flags an extension, here is exactly what to look for — in order of effort:

  1. Check the Permissions tab on the Chrome Web Store listing.

    Every CWS page has a "Permissions" section. It should match what PrivacyScope shows. If an extension claims to be a simple tool but requests <all_urls>, that's a red flag.

  2. Check the Privacy practices tab.

    Extensions that collect or transmit data are required to disclose it here. No privacy policy on an extension with broad permissions is a serious warning sign.

  3. Search for "[extension name] privacy" or "[extension name] data collection".

    Security researchers frequently document extension misbehavior. A 30-second search often reveals prior incidents or community reports.

  4. Check the developer's identity.

    An extension from Google, Mozilla, or a known company with a real website is meaningfully different from an anonymous publisher with no web presence.

  5. Look for the source code.

    Many legitimate extensions are open source. A linked GitHub repository means researchers can and do audit what the code actually does.

  6. Check CWS review count and recency.

    A large number of genuine reviews (not a sudden spike of 5-star ratings) suggests an extension with real accountability to its users.

Limitations

Permissions ≠ behavior. PrivacyScope shows what an extension could do — not what it is doing. uBlock Origin requests <all_urls> and scores "Review recommended." That's technically correct and practically fine. A high score means investigate, not uninstall immediately.
The security-flagged list is small by design. We only include extensions where harmful behavior has been reported in independent, published security research. Suspicion is not enough.
AI detection has false positives. Extensions with "translate," "grammar," or "chat" in their name receive deeper AI-path scoring even if they predate modern AI tools. The analysis is still valid — they're simply scored more carefully.
CWS pre-install scanning depends on package availability. The badge shown when browsing the Chrome Web Store downloads the extension package to read its manifest. If the package cannot be fetched (network error, regional restriction, or unusual packaging), the badge shows ? — meaning "could not scan," not "safe."

About the developer

Risa Studio
Independent developer building tools that fix information asymmetry — giving users the data that was always there but never surfaced clearly.

Support this project

PrivacyScope is free and will stay free. If it's helped you avoid a risky extension, a coffee keeps the project going. ☕

Ko-fi: ko-fi.com/risa_studio

One-time or monthly — no account needed.