browser-extension-developer
Enables development of Chrome extensions using Manifest v3 for enhanced security and functionality with webhook integration.
Security score
The browser-extension-developer skill was audited on Feb 9, 2026 and we found 41 security issues across 3 threat categories. Review the findings below before installing.
Security Issues
Template literal with variable interpolation in command context
| 157 | screenResolution: `${screen.width}x${screen.height}`, |
Template literal with variable interpolation in command context
| 184 | ? `\n\nBranch Scores:\n• Heuristics: ${response.branch_a_score}\n• Semantic: ${response.branch_b_score}\n• LLM Guard: ${response.branch_c_score}` |
Template literal with variable interpolation in command context
| 187 | alert(`⚠️ Vigil Guard: Potential prompt injection detected!\n\nThreat Score: ${response.threat_score}\nCategories: ${(response.detected_categories || []).join(', ')}${branchInfo}`); |
Template literal with variable interpolation in command context
| 219 | sessionId: `ext_${Date.now()}` |
Template literal with variable interpolation in command context
| 324 | showStatus(`✅ Connected (v2.0.0) - Arbiter: ${result.arbiter_decision}`, 'success'); |
Template literal with variable interpolation in command context
| 329 | showStatus(`❌ Error: ${response.status}`, 'error'); |
Template literal with variable interpolation in command context
| 332 | showStatus(`❌ Connection failed: ${error.message}`, 'error'); |
Template literal with variable interpolation in command context
| 343 | const response = await fetch(`${baseUrl}/api/health/branches`); |
Template literal with variable interpolation in command context
| 359 | status.className = `status ${type}`; |
Template literal with variable interpolation in command context
| 364 | container.innerHTML = ` |
Template literal with variable interpolation in command context
| 398 | screenResolution: `${screen.width}x${screen.height}`, |
Template literal with variable interpolation in command context
| 502 | ? `Scores: A=${response.branch_a_score}, B=${response.branch_b_score}, C=${response.branch_c_score || 'N/A'}` |
Curl to non-GitHub URL
| 519 | curl http://localhost:5678/webhook/default \ |
Webhook reference - potential data exfiltration
| 3 | description: Chrome Manifest v3 extension development for Vigil Guard v2.0.0. Use for plugin development, content scripts, service workers, webhook integration with 3-branch detection, browser fingerp |
Webhook reference - potential data exfiltration
| 12 | Chrome Manifest v3 browser extension for Vigil Guard providing client-side prompt injection protection through webhook proxy integration with 3-branch parallel detection architecture and browser finge |
Webhook reference - potential data exfiltration
| 19 | - Managing webhook integration with 3-branch detection |
Webhook reference - potential data exfiltration
| 36 | ├── background.js # Service Worker (webhook proxy) |
Webhook reference - potential data exfiltration
| 50 | ### Webhook Response Format (3-Branch Detection) |
Webhook reference - potential data exfiltration
| 208 | chrome.storage.sync.get(['webhookUrl'], async (items) => { |
Webhook reference - potential data exfiltration
| 209 | const webhookUrl = items.webhookUrl || 'http://localhost:5678/webhook/default'; |
Webhook reference - potential data exfiltration
| 212 | const response = await fetch(webhookUrl, { |
Webhook reference - potential data exfiltration
| 283 | <label>Webhook URL:</label> |
Webhook reference - potential data exfiltration
| 284 | <input type="text" id="webhookUrl" placeholder="http://localhost:5678/webhook/xxx"> |
Webhook reference - potential data exfiltration
| 301 | const webhookUrl = document.getElementById('webhookUrl').value; |
Webhook reference - potential data exfiltration
| 302 | chrome.storage.sync.set({ webhookUrl }, () => { |
Webhook reference - potential data exfiltration
| 308 | const webhookUrl = document.getElementById('webhookUrl').value; |
Webhook reference - potential data exfiltration
| 311 | const response = await fetch(webhookUrl, { |
Webhook reference - potential data exfiltration
| 338 | const webhookUrl = document.getElementById('webhookUrl').value; |
Webhook reference - potential data exfiltration
| 339 | const baseUrl = new URL(webhookUrl).origin; |
Webhook reference - potential data exfiltration
| 379 | chrome.storage.sync.get(['webhookUrl'], (items) => { |
Webhook reference - potential data exfiltration
| 380 | if (items.webhookUrl) { |
Webhook reference - potential data exfiltration
| 381 | document.getElementById('webhookUrl').value = items.webhookUrl; |
Webhook reference - potential data exfiltration
| 473 | # 4. Verify webhook (check for arbiter_decision) |
Webhook reference - potential data exfiltration
| 519 | curl http://localhost:5678/webhook/default \ |
External URL reference
| 96 | "https://chat.openai.com/*", |
External URL reference
| 97 | "http://localhost:5678/*" |
External URL reference
| 106 | "matches": ["https://chat.openai.com/*"], |
External URL reference
| 209 | const webhookUrl = items.webhookUrl || 'http://localhost:5678/webhook/default'; |
External URL reference
| 284 | <input type="text" id="webhookUrl" placeholder="http://localhost:5678/webhook/xxx"> |
External URL reference
| 468 | open https://chat.openai.com/ |
External URL reference
| 519 | curl http://localhost:5678/webhook/default \ |