AI-Powered Chrome Extension Security Analysis
Features • Quick Start • Installation • Configuration • License
ThreatXtension is a comprehensive security analysis tool for Chrome browser extensions. It combines static analysis (SAST), threat intelligence (VirusTotal), and AI-powered assessment to help security researchers, malware analysts, and browser security teams identify malicious behavior in browser extensions.
- Permissions Analysis: Risk assessment of manifest permissions and host access
- SAST Scanning: Custom Semgrep rules targeting banking fraud, credential theft, data exfiltration
- VirusTotal Integration: File hash reputation checks against 70+ antivirus engines
- Entropy Analysis: Detect obfuscated/packed code using Shannon entropy and pattern matching
- WebStore Reputation: User ratings, developer info, and trust signals
- Executive Summaries: Natural language risk assessment with actionable recommendations
- Multi-LLM Support: OpenAI, WatsonX, Ollama, RITS
- Context-Aware Analysis: Each finding analyzed with full extension context
- Web UI: React frontend with real-time analysis dashboard
- CLI: Fast command-line analysis with rich console output
- REST API: FastAPI backend with OpenAPI documentation
- MCP Server: Claude Desktop integration via Model Context Protocol
The fastest way to run ThreatXtension is with Docker.
# 1. Clone the repository
git clone https://github.com/barvhaim/ThreatXtension.git
cd ThreatXtension
# 2. Configure environment
cp .env.example .env
# Edit .env and add your OPENAI_API_KEY (required)
# Optionally add VIRUSTOTAL_API_KEY for threat intelligence
# 3. Build and run
docker compose up --build
# 4. Access the application
# Web UI: http://localhost:8007
# API Docs: http://localhost:8007/docsmake docker-build # Build container
make docker-up # Start container (foreground)
make docker-down # Stop container
make docker-logs # View logsVia Web UI: Navigate to http://localhost:8007 and either:
- Paste a Chrome Web Store URL
- Enter an extension ID (32-character string, e.g.,
gbbilodpoldeopifonmibfboicpafpjo) - Upload a local
.crxor.zipfile
Via API:
# Option 1: Scan from Chrome Web Store URL
curl -X POST http://localhost:8007/api/scan/trigger \
-H "Content-Type: application/json" \
-d '{"url": "https://chromewebstore.google.com/detail/extension-name/extension-id"}'
# Option 2: Scan using extension ID (downloads from chrome-stats.com)
curl -X POST http://localhost:8007/api/scan/trigger \
-H "Content-Type: application/json" \
-d '{"url": "gbbilodpoldeopifonmibfboicpafpjo"}'
# Option 3: Upload and scan a local file
curl -X POST http://localhost:8007/api/scan/upload \
-F "file=@/path/to/extension.crx"
# Get results
curl http://localhost:8007/api/scan/results/{extension_id}- Python 3.11+
- Node.js 20+ (for frontend)
- uv package manager (Installation)
# Clone the repository
git clone https://github.com/barvhaim/ThreatXtension.git
cd ThreatXtension
# Install Python dependencies
uv sync
# Install frontend dependencies
cd frontend && npm install && cd ..
# Configure environment
cp .env.example .env
# Edit .env with your API keys# Option 1: CLI - Analyze from Chrome Web Store URL
make analyze URL=https://chromewebstore.google.com/detail/example/abcdef
# Option 1b: CLI - Analyze using extension ID (requires CHROMESTATS_API_KEY)
uv run threatxtension analyze --id gbbilodpoldeopifonmibfboicpafpjo
# Option 1c: CLI - Analyze local file
make analyze-file FILE=/path/to/extension.crx
uv run threatxtension analyze --file /path/to/extension.crx
uv run threatxtension analyze --file /path/to/extension.zip
# Option 2: Web UI (run both in separate terminals)
make api # Start FastAPI backend (port 8007)
make frontend # Start React frontend (port 5173)Create a .env file from the template:
cp .env.example .envRequired:
LLM_PROVIDER=openai
LLM_MODEL=gpt-4o
OPENAI_API_KEY=sk-...Optional:
VIRUSTOTAL_API_KEY=... # For threat intelligence
CHROMESTATS_API_KEY=... # For extension ID downloads via chrome-stats.com
LANGSMITH_API_KEY=... # For LLM tracing/debugging| Provider | LLM_PROVIDER | Recommended Models |
|---|---|---|
| OpenAI | openai |
gpt-4o, gpt-4-turbo |
| WatsonX (IBM) | watsonx |
meta-llama/llama-3-3-70b-instruct |
| Ollama (Local) | ollama |
llama3, mistral |
| RITS (IBM Research) | rits |
meta-llama/llama-3-3-70b-instruct |
Located in src/threatxtension/config/custom_semgrep_rules.yaml:
| Rule ID | Category | Description |
|---|---|---|
banking.form_hijack.submit_intercept |
Form hijacking | Form submit interception |
banking.cred_sniff.password_input_hooks |
Credential theft | Password field listeners |
banking.ext.webrequest.redirect |
Network hijacking | WebRequest redirect abuse |
banking.exfil.generic_channels |
Data exfiltration | sendBeacon/Image.src abuse |
banking.obfuscation.eval_newfunc |
Code injection | eval()/Function() execution |
All rules include MITRE ATT&CK mappings and CWE references.
| Endpoint | Method | Description |
|---|---|---|
/api/scan/trigger |
POST | Trigger extension scan |
/api/scan/status/{id} |
GET | Check scan status |
/api/scan/results/{id} |
GET | Get complete results |
/api/scan/files/{id} |
GET | List extracted files |
/api/scan/file/{id}/{path} |
GET | Get file content |
/api/scan/report/{id} |
GET | Generate PDF report |
/api/statistics |
GET | Aggregated statistics |
/api/history |
GET | Scan history |
/health |
GET | Health check |
Full API documentation available at http://localhost:8007/docs
ThreatXtension integrates with Claude Desktop via MCP (Model Context Protocol).
Setup:
- Edit Claude Desktop config (
~/Library/Application Support/Claude/claude_desktop_config.json):
{
"mcpServers": {
"ThreatXtension": {
"command": "uv",
"args": [
"--directory",
"/absolute/path/to/ThreatXtension",
"run",
"python",
"-m",
"threatxtension.mcp_server.main"
]
}
}
}-
Restart Claude Desktop
-
Ask Claude: "Analyze this Chrome extension: https://chromewebstore.google.com/detail/..."
┌─────────────────────────────────────────────────────────────┐
│ ThreatXtension │
├─────────────────────────────────────────────────────────────┤
│ Interfaces │
│ ┌─────────┐ ┌─────────┐ ┌─────────┐ ┌─────────┐ │
│ │ CLI │ │ Web UI │ │ API │ │ MCP │ │
│ └────┬────┘ └────┬────┘ └────┬────┘ └────┬────┘ │
│ └────────────┴────────────┴────────────┘ │
│ │ │
│ ┌──────────────────────▼──────────────────────┐ │
│ │ LangGraph Workflow │ │
│ │ Download → Parse → Analyze → Summarize │ │
│ └──────────────────────┬──────────────────────┘ │
│ │ │
│ ┌──────────────────────▼──────────────────────┐ │
│ │ Analyzers │ │
│ │ ┌────────────┐ ┌────────────┐ ┌──────────┐ │ │
│ │ │Permissions │ │ SAST │ │ WebStore │ │ │
│ │ └────────────┘ └────────────┘ └──────────┘ │ │
│ │ ┌────────────┐ ┌────────────┐ │ │
│ │ │VirusTotal │ │ Entropy │ │ │
│ │ └────────────┘ └────────────┘ │ │
│ └─────────────────────────────────────────────┘ │
│ │ │
│ ┌──────────────────────▼──────────────────────┐ │
│ │ LLM Summary Generation │ │
│ │ (OpenAI / WatsonX / Ollama) │ │
│ └─────────────────────────────────────────────┘ │
└─────────────────────────────────────────────────────────────┘
This project is licensed under the MIT License - see the LICENSE file for details.
- Semgrep - Static analysis engine
- LangGraph - Workflow orchestration
- VirusTotal - Threat intelligence
- React + Vite - Frontend framework
Built for browser security research and extension threat intelligence
This tool is intended for legitimate security research, malware analysis, and educational purposes only.




