Built a TypeScript library + API that scans any Chrome extension's manifest.json and generates a privacy score (0-100) with letter grades.
Use cases:
Check extensions before installing
CI/CD integration (GitHub Action coming)
Badge for your extension's README
Ran it against Urban VPN (the one that sold AI chats)
The Urban VPN scandal (8M users, AI chats sold to data brokers) showed that Google's review process isn't protecting anyone.
https://zovo.one/scanner/report/eppiocemhmnlbhjplcgkofciiegomcon
scored 29/100. The permissions were a red flag parade even before anyone looked at the code.
Stack: TypeScript core, Hono on CF Workers, Supabase, Lovable frontend.
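To make the scoring idea concrete, here is an added TypeScript example (not the scanner's own code) of a manifest.json scorer: each API permission and host pattern carries a penalty, the penalties are summed, and the remainder is mapped to a letter grade, with a per-item breakdown returned alongside the number. The weight table, the grade cut-offs, the half-weight treatment of optional permissions and the two sample manifests are all assumptions made for illustration, not values from the project.

```typescript
// Added example: a minimal manifest.json permission scorer in the spirit of the
// scanner described above. Weights and cut-offs are assumptions, not the
// project's real scoring table.

interface ExtManifest {
  manifest_version?: number;
  name?: string;
  permissions?: string[];
  optional_permissions?: string[];
  host_permissions?: string[];
  content_scripts?: { matches?: string[] }[];
}

interface ScanFinding { item: string; penalty: number; reason: string }
interface ScanReport { score: number; grade: string; findings: ScanFinding[] }

// Penalty per API permission (assumed weights).
const PERMISSION_WEIGHTS: Record<string, [number, string]> = {
  webRequest: [15, "can observe every request the browser makes"],
  webRequestBlocking: [10, "can modify or block requests in flight"],
  cookies: [15, "can read session cookies for granted hosts"],
  history: [12, "full browsing history"],
  tabs: [8, "URLs and titles of every open tab"],
  scripting: [10, "can inject scripts into granted pages"],
  proxy: [15, "routes all traffic through a chosen proxy"],
  clipboardRead: [8, "reads clipboard contents"],
  storage: [1, "local storage only"],
  alarms: [0, "timers only"],
};

// Match patterns that grant access to every origin.
const BROAD_HOST = /^(<all_urls>|\*:\/\/\*\/\*|https?:\/\/\*\/\*)$/;

function isHostPattern(p: string): boolean {
  return p === "<all_urls>" || p.includes("://");
}

function scoreHost(pattern: string, source: string): ScanFinding {
  if (BROAD_HOST.test(pattern)) {
    return { item: `${source}:${pattern}`, penalty: 25, reason: "access to every site" };
  }
  return { item: `${source}:${pattern}`, penalty: 3, reason: "scoped host access" };
}

export function letterGrade(score: number): string {
  if (score >= 90) return "A";
  if (score >= 80) return "B";
  if (score >= 70) return "C";
  if (score >= 60) return "D";
  return "F";
}

export function scoreManifest(manifest: ExtManifest): ScanReport {
  const findings: ScanFinding[] = [];
  const hosts: string[] = [...(manifest.host_permissions ?? [])];
  // MV2 mixed host patterns into `permissions`; split them out.
  for (const p of manifest.permissions ?? []) {
    if (isHostPattern(p)) { hosts.push(p); continue; }
    const [penalty, reason] = PERMISSION_WEIGHTS[p] ?? [5, "unrecognised permission"];
    if (penalty > 0) findings.push({ item: `permission:${p}`, penalty, reason });
  }
  // Optional permissions are requested at runtime; count them at half weight.
  for (const p of manifest.optional_permissions ?? []) {
    const [penalty, reason] = PERMISSION_WEIGHTS[p] ?? [5, "unrecognised permission"];
    const half = Math.ceil(penalty / 2);
    if (half > 0) findings.push({ item: `optional:${p}`, penalty: half, reason: `${reason} (optional)` });
  }
  for (const h of Array.from(new Set(hosts))) findings.push(scoreHost(h, "host"));
  // A content script injected into every page is site access by another route.
  for (const cs of manifest.content_scripts ?? []) {
    for (const m of cs.matches ?? []) {
      if (BROAD_HOST.test(m)) findings.push(scoreHost(m, "content_script"));
    }
  }
  const total = findings.reduce((s, f) => s + f.penalty, 0);
  const score = Math.max(0, 100 - total);
  return { score, grade: letterGrade(score), findings };
}

// Entry point for raw manifest.json text.
export function scanManifestJson(text: string): ScanReport {
  return scoreManifest(JSON.parse(text) as ExtManifest);
}

// Constructed sample manifests (not any real extension's files).
export const BROAD_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example VPN",
  permissions: ["proxy", "webRequest", "tabs", "storage"],
  host_permissions: ["<all_urls>"],
});

export const MINIMAL_MANIFEST = JSON.stringify({
  manifest_version: 3,
  name: "Example Notes",
  permissions: ["storage", "alarms"],
  host_permissions: ["https://api.example.com/*"],
});
```

Because the report carries every finding with its penalty, the same object can drive both the quick letter grade and a full breakdown, which is what the first comment below asks about.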
BeLikeNative discusses a TypeScript library and API that scans Chrome extensions' manifest.json files to generate a privacy score. The tool aims to help users and developers assess extensions before installation and offers CI/CD integration. Feedback includes inquiries about scoring algorithms and suggestions for tracking permission changes over time.
this is really solid work. the urban vpn case is a perfect example of why user-side tooling matters more than platform gatekeeping at this point.
one thing i'd be curious about - how are you weighting different permission types in your scoring algorithm? like, is webRequest weighted heavier than storage, or are you doing some kind of combination score based on common abuse patterns? the letter grade is nice for quick scanning but wondering if you expose the breakdown anywhere.
also, have you thought about tracking permission changes over time? extensions that gradually expand their permissions post-install are usually the sketchiest ones. could be a useful feature for the ci/cd integration - like flag any new permissions added since last version.
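The "flag any new permissions added since last version" check suggested in this comment is straightforward to express against two manifests. The following is an added TypeScript example, not code from the scanner; the manifest shape, the list of broad host patterns and the two sample versions are constructed for illustration.

```typescript
// Added example: diff the permission sets of two manifest.json versions and
// produce a CI verdict. Assumed shapes and sample data; not the project's code.

interface ManifestPerms {
  version?: string;
  permissions?: string[];
  optional_permissions?: string[];
  host_permissions?: string[];
}

interface PermissionDiff { added: string[]; removed: string[]; broadened: string[] }

// Host patterns that grant access to every origin.
const BROAD_PATTERNS = new Set(["<all_urls>", "*://*/*", "http://*/*", "https://*/*"]);

// Flatten every grant into one set; optional permissions are prefixed so a
// move from optional to required still shows up as a change.
function allPermissions(m: ManifestPerms): Set<string> {
  return new Set([
    ...(m.permissions ?? []),
    ...(m.host_permissions ?? []),
    ...(m.optional_permissions ?? []).map(p => `optional:${p}`),
  ]);
}

export function diffPermissions(prev: ManifestPerms, next: ManifestPerms): PermissionDiff {
  const before = allPermissions(prev);
  const after = allPermissions(next);
  const added = Array.from(after).filter(p => !before.has(p)).sort();
  const removed = Array.from(before).filter(p => !after.has(p)).sort();
  // A scoped host replaced by a wildcard is an expansion, not a rename.
  const hadBroad = Array.from(before).some(b => BROAD_PATTERNS.has(b));
  const broadened = hadBroad ? [] : added.filter(p => BROAD_PATTERNS.has(p));
  return { added, removed, broadened };
}

// CI gate: any addition fails the check; broadened host access is called out.
export function ciVerdict(diff: PermissionDiff): { ok: boolean; message: string } {
  if (diff.added.length === 0) return { ok: true, message: "no new permissions" };
  const parts = [`new permissions: ${diff.added.join(", ")}`];
  if (diff.broadened.length > 0) {
    parts.push(`host access broadened to: ${diff.broadened.join(", ")}`);
  }
  return { ok: false, message: parts.join("; ") };
}

// Constructed sample versions (not any real extension's manifests).
export const PREVIOUS_VERSION: ManifestPerms = {
  version: "1.0.0",
  permissions: ["storage", "tabs"],
  host_permissions: ["https://api.example.com/*"],
};

export const NEXT_VERSION: ManifestPerms = {
  version: "1.1.0",
  permissions: ["storage", "tabs", "webRequest", "cookies"],
  optional_permissions: ["history"],
  host_permissions: ["<all_urls>"],
};
```

In a pipeline the previous manifest would come from the last published tag or the store listing and the next one from the working tree; a non-ok verdict is the signal to block the release until the new grants are reviewed.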
well, Urban VPN getting away with that shows Google reviews are not cutting it. This scanner looks super useful for devs and users. If you need automated flagging and moderation at scale, ActiveFence is worth a look too.
The privacy-first angle is exactly right. I built an open-source Twitter unfollow manager with the same philosophy - all processing happens locally in the browser, zero external calls. The Web Store review process does not catch permission abuse, which is why minimal permissions plus a transparent README matters more than any badge. Good luck with the CI/CD integration.