Custom Cursor for Chrome™Security Analysis

Injects and executes scripts in web pages programmatically.

Creates functions from strings, similar to eval(), often used to hide malicious code.

Dynamically sets a script's src attribute to load external code at runtime.

Creates a function from a string (new Function()), similar to eval().

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Makes HTTP requests to external servers, may be used for data exfiltration.

Sends messages via Chrome runtime, could communicate with external services.

Line exceeds 5000 characters (entropy: 5.075534276910157)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Content script matches <all_urls>, executing on every website the user visits.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Reads or writes to localStorage, which may contain sensitive site data.

Extension accepts messages from 1 external pattern(s). Verify these are trusted origins.