ListenQuir: Read Page Content Aloud | TTS Text-to-SpeechSecurity Analysis

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Listens for keyboard events, a common technique used by keyloggers.

Dynamically sets a script's src attribute to load external code at runtime.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Decodes base64 data, commonly used to hide malicious payloads.

Sends messages via Chrome runtime, could communicate with external services.

JavaScript file could not be parsed and has high entropy. May contain obfuscated code.

Line exceeds 5000 characters (entropy: 5.886862794947943)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Content script matches <all_urls>, executing on every website the user visits.

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Encodes data to base64, may be used for data exfiltration.

Reads or writes to localStorage, which may contain sensitive site data.