What permissions does Chat Memo | Auto-save AI Chats from ChatGPT, Gemini, Claude + request?

Chat Memo | Auto-save AI Chats from ChatGPT, Gemini, Claude + requests the following permissions: storage, tabs, downloads. It also requests host access to: , https://chat.deepseek.com/*, https://chatgpt.com/*, https://chat.openai.com/*, https://gemini.google.com/*, https://yuanbao.tencent.com/*, https://www.doubao.com/*, https://claude.ai/*, https://kimi.moonshot.cn/*, https://*.kimi.com/*.

ExtSafe

Chat Memo | Auto-save AI Chats from ChatGPT, Gemini, Claude +Security Analysis

Chromev1.2.0MV3March 15, 2026 at 10:50 PM

Potentially unsafe

This extension shows concerning patterns that may indicate risky behavior. Proceed with caution.

5.9MEDIUM

5.9 MEDIUMRaw: 7.4

This extension shows some risk signals that are common in legitimate extensions but worth reviewing. Check the details below.

Based on 13 permissions including high-risk ones, 89 code findings, 1 dangerous combination.

Trust Signals(4.0/10)

Users

10K

Rating

5.0(48 reviews)

Status

Featured

Dangerous Combinations(1)

CRITICALAll-sites access + keyboard capture

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

<all_urls>+keylogger_pattern

Permissions

7.0/10

Code

7.0/10

Combinations

10.0/10

Manifest/CSP

5.8/10

Permissions(13 analyzed)

Code Findings(14 patterns, 89 total)

Content Security Policy

No CSP Defined(1 issue)

MEDIUM

N/ANo CSP defined

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Manifest Analysis(3 findings)

Resolved from __MSG_* i18n placeholders:

Name: Chat Memo | Auto-save AI Chats from ChatGPT, Gemini, Claude +

Description: Automatically save AI chat history from ChatGPT, Gemini, Claude, and more AI chat platforms

HIGH

web_accessible_resourcesJS files exposed to web pages

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

MEDIUM

web_accessible_resources.matchesOverly broad match patterns

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

MEDIUM

content_scriptsContent script injected on all URLs

Content script matches <all_urls>, executing on every website the user visits.

External Domains(17)

chat.deepseek.comchat.openai.comchatgpt.comchatmemo.aichromewebstore.google.comclaude.aigemini.google.comgithub.comkimi.comkimi.moonshot.cnraw.github.comstuartk.comstuk.github.iowww.doubao.comwww.kimi.comyuanbao.tencent.comzkv549gmz8.feishu.cn