ExtensionShield helps you check Chrome extensions in a simple and clear way.
It scans extensions from the Chrome Web Store or from CRX/ZIP uploads, runs security and privacy analysis, and produces risk scores and summary reports so you can see what an extension can access. The core scanner, CLI, and local analysis are MIT-licensed and work without any cloud dependency.

Optional cloud features such as auth, history, team dashboards, and the community queue are available via ExtensionShield Cloud.

| Feature | Description |
|---|---|
| Scan | Scan extensions from the Chrome Web Store or by uploading CRX/ZIP files |
| Analyze | Review permissions, SAST, entropy, and optional VirusTotal integration |
| Score | Generate security and privacy risk scores with reports |
| Summarize | Create written summaries of findings when enabled |
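As an added illustration of the kind of analysis the table lists (permission review, host-pattern review, entropy checks and a combined score), here is a small self-contained Python analyzer. It is not ExtensionShield's code and does not reproduce the project's permissions database, Semgrep rules or V2 scoring engine; the permission weights, host-pattern weights, entropy threshold, score bands and the manifest/script inputs are all constructed for the example.

```python
"""Illustrative mini-analysis of a Chrome extension: permission weighting,
host-pattern weighting and an entropy-based obfuscation hint.

Added example, not ExtensionShield's scanner. Every weight, threshold and
sample input below is constructed for illustration."""
import json
import math
import re
from collections import Counter

# Constructed risk weights for a handful of Manifest V3 permissions.
PERMISSION_WEIGHTS = {
    "storage": 1, "tabs": 2, "declarativeNetRequest": 2, "history": 3,
    "scripting": 3, "webRequest": 3, "clipboardRead": 3, "cookies": 4,
    "debugger": 5, "nativeMessaging": 5,
}
# Host patterns that grant access to every site.
BROAD_HOSTS = {"<all_urls>", "*://*/*", "http://*/*", "https://*/*"}

# Double- or single-quoted string literals of 64+ characters (no escapes).
STRING_LITERAL = re.compile(r'''(["'])([^"'\\\n]{64,})\1''')


def shannon_entropy(data: bytes) -> float:
    """Bits per byte: 0.0 for empty or single-symbol input, at most 8.0."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def permission_findings(manifest: dict) -> list:
    """(name, weight) per declared permission; unknown names get weight 1."""
    return [(p, PERMISSION_WEIGHTS.get(p, 1)) for p in manifest.get("permissions", [])]


def host_findings(manifest: dict) -> list:
    """(pattern, weight): broad patterns weigh 5, per-site patterns 1."""
    return [(h, 5 if h in BROAD_HOSTS else 1) for h in manifest.get("host_permissions", [])]


def high_entropy_strings(source: str, threshold: float = 4.5) -> list:
    """Long literals whose byte entropy exceeds the threshold. This is a hint
    that a packed or encoded payload deserves manual review, not proof of malice."""
    return [lit for _, lit in STRING_LITERAL.findall(source)
            if shannon_entropy(lit.encode()) > threshold]


def analyze(manifest_json: str, scripts: dict) -> dict:
    """Combine the three checks into one constructed score and level."""
    manifest = json.loads(manifest_json)
    perms = permission_findings(manifest)
    hosts = host_findings(manifest)
    hits = {name: high_entropy_strings(src) for name, src in scripts.items()}
    hits = {name: lits for name, lits in hits.items() if lits}
    score = (sum(w for _, w in perms) + sum(w for _, w in hosts)
             + 4 * sum(len(lits) for lits in hits.values()))
    level = "low" if score < 5 else "medium" if score < 12 else "high"
    return {"score": score, "level": level, "permissions": perms,
            "hosts": hosts, "entropy_hits": hits}


# Constructed sample extension: a broad host pattern, a cookie-reading
# permission, and one script carrying a long opaque literal.
SAMPLE_MANIFEST = json.dumps({
    "manifest_version": 3,
    "name": "Sample Extension (constructed)",
    "permissions": ["storage", "cookies", "scripting"],
    "host_permissions": ["<all_urls>", "https://example.com/*"],
})
SAMPLE_SCRIPTS = {
    "background.js": (
        "// constructed: the base64 alphabet stands in for a packed payload\n"
        'const blob = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789+/";\n'
        "const decoded = atob(blob);\n"
    ),
    "options.js": (
        'document.title = "Open the options page to choose the sites this extension can read.";\n'
    ),
}

if __name__ == "__main__":
    print(json.dumps(analyze(SAMPLE_MANIFEST, SAMPLE_SCRIPTS), indent=2))
```

The entropy threshold of 4.5 bits per byte sits above ordinary English prose (the 66-character options message has only 17 distinct characters, so it cannot exceed log2(17), about 4.09) but below what base64 or packed data typically reaches; in a real scanner this heuristic is one input among many, which is why the score here adds it to the permission and host findings rather than treating it alone as a verdict.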

In OSS mode you get the scanner, CLI, local SQLite storage, and report UI with no cloud required.
In Cloud mode you also get auth, scan history, telemetry, and enterprise features.

| Document | Description |
|---|---|
| GET_STARTED.md | Setup, config, Docker, CLI, OSS vs Cloud, and Make commands |
| scripts/README.md | What each script does and when to run it |
| OPEN_CORE_BOUNDARIES.md | OSS vs Cloud, enforcement, and configuration |
| CONTRIBUTING.md | How to contribute |
| SECURITY.md | Reporting vulnerabilities and secrets policy |
| COMMERCIAL.md | Commercial use guidance |
| TRADEMARK.md | Brand usage guidelines |
| CODE_OF_CONDUCT.md | Community standards |
| NOTICE | Third-party attributions |

- Core (scanner, CLI, local analysis): MIT — see LICENSE; the core is derived in part from ThreatXtension — see NOTICE for attribution
- Cloud (auth, Supabase, telemetry admin, community queue, enterprise forms): proprietary, available via ExtensionShield Cloud

We build ExtensionShield in the open so security tools stay transparent and easy to inspect.
Feedback, issue reports, docs fixes, tests, and rule improvements are welcome. If ExtensionShield helps you, consider opening a PR, sharing your use case, or supporting the project.
Acknowledgments & attribution: ExtensionShield began as a fork of ThreatXtension (MIT, declared in its upstream README) and builds substantially on its open-source scanner core — including the permissions database, sensitive-domains config, entropy analysis, and Semgrep malware rules. On top of that core, ExtensionShield adds original work: the governance engine, the V2 scoring engine, ExtensionShield Cloud, and an expanded frontend. See NOTICE for the full scope of what is derived versus original.
