Read Aloud: Text to Speech (TTS, Listen to Text)Security Analysis

Extension intercepts network traffic and sends data externally — potential man-in-the-middle behavior.

Extension has access to all sites and captures keyboard input — behavior consistent with a keylogger.

Dynamically creates script elements, potentially loading external malicious code.

Injects and executes scripts in web pages programmatically.

Listens for keyboard events, a common technique used by keyloggers.

Dynamically sets a script's src attribute to load external code at runtime.

JavaScript files are accessible to ALL websites. Any page can load and interact with these scripts, enabling web→extension attacks.

Uses XMLHttpRequest to make network calls.

Sends messages via Chrome runtime, could communicate with external services.

Dynamically creates iframe elements, which can be used to load external content or hide malicious UI.

Line exceeds 5000 characters (entropy: 5.6041595113831315)

This extension does not define a Content Security Policy. A CSP helps prevent XSS and code injection attacks.

Web-accessible resources use <all_urls> or wildcard patterns, exposing resources to every website.

Extension uses tab tracking APIs (onUpdated/query) and communicates with external servers — potential browsing surveillance.

Encodes data to base64, may be used for data exfiltration.

Creates a Web Worker, which runs code in a separate thread — can be used for background computation or crypto mining.

Sets innerHTML directly, which can lead to XSS if used with untrusted data.

Reads or writes to localStorage, which may contain sensitive site data.

String with entropy 6 bits — may be encoded/encrypted data

Extension accepts messages from 3 external pattern(s). Verify these are trusted origins.

JavaScript file could not be parsed. Likely minified or bundled code.

side-panel/assets/index-C2CExjV2.js

popup/assets/index-Db26p734.js