Crxjs
Security checks across malware telemetry and agentic risk
Overview
The skill mostly provides normal CRXJS setup guidance, but it grants broad GitHub CLI authority that is not explained by the stated Chrome-extension development purpose.
Use this skill cautiously. Its CRXJS guidance appears purpose-aligned, but you should restrict or remove GitHub CLI access unless needed, review every npm command before running it, and narrow any copied Chrome extension permissions before building or publishing.
VirusTotal
VirusTotal findings are pending for this skill version.
Risk analysis
Artifact-based informational review of SKILL.md, metadata, install specs, static scan signals, and capability signals. ClawScan does not execute the skill or run runtime probes.
If `gh` is enabled, an agent using this skill could act through the user's authenticated GitHub account, even though GitHub account operations are not clearly part of the stated purpose.
The skill requests unrestricted GitHub CLI command authority. `gh` commonly uses the user's authenticated GitHub session and can modify repositories, issues, PRs, releases, and other account resources, but the skill description is about local CRXJS/Vite extension setup and does not bound or justify GitHub account access.
allowed-tools: Read Edit Write Glob Grep Bash(git:*) Bash(gh:*) Bash(npm:*)
Avoid granting `gh:*` for this skill unless you specifically need GitHub operations, and require explicit user approval before any GitHub CLI command.
The code generated or executed by npm may differ between runs and depends on the current npm package state.
The skill recommends pulling the latest scaffolding package from npm. This is normal for a JavaScript development skill, but it is unpinned external code and can change over time.
Scaffolding: `npm create crxjs@latest` (always use `@latest`)
Run npm scaffolding in a project directory you trust, review generated files before committing or executing them further, and consider pinning versions for reproducible builds.
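The review step above is easy to state and easy to skip. The following is an added example (not code from the skill, CRXJS, or this report) of what "review generated files" can mean in practice: it reads a scaffolded package.json, flags npm lifecycle scripts (which run automatically on `npm install`) and any dependency range that is not an exact version. The package.json below is constructed for illustration; real `npm create crxjs` output will differ, and the package names and versions in it are assumptions.

```javascript
// Added example, not part of the CRXJS project or the skill: review a freshly
// scaffolded package.json before running `npm install` or `npm run` on it.

// npm lifecycle hooks that execute automatically during install.
const LIFECYCLE_HOOKS = [
  "preinstall", "install", "postinstall", "prepare", "preprepare", "postprepare",
];

// Constructed sample of a scaffolded package.json (hypothetical contents,
// embedded inline so the check runs offline).
const SAMPLE_PACKAGE_JSON = JSON.stringify({
  name: "my-extension",
  private: true,
  scripts: {
    dev: "vite",
    build: "vite build",
    postinstall: "node scripts/setup.js",
  },
  dependencies: { react: "^18.3.1" },
  devDependencies: {
    "@crxjs/vite-plugin": "2.0.0-beta.28",
    vite: "^5.4.0",
    typescript: "~5.5.0",
  },
});

// A spec counts as pinned only when it is an exact semver version
// (optionally with a prerelease tag). Ranges (^, ~, >=), dist-tags such as
// "latest", and git/URL specs all resolve differently over time.
function isPinned(spec) {
  return /^\d+\.\d+\.\d+(-[0-9A-Za-z.-]+)?$/.test(spec);
}

// Returns a list of findings: lifecycle scripts that will run on install,
// and dependencies whose version is not pinned.
function reviewPackageJson(text) {
  const pkg = JSON.parse(text);
  const findings = [];

  for (const hook of LIFECYCLE_HOOKS) {
    if (pkg.scripts && typeof pkg.scripts[hook] === "string") {
      findings.push({ kind: "lifecycle-script", name: hook, detail: pkg.scripts[hook] });
    }
  }

  for (const field of ["dependencies", "devDependencies", "optionalDependencies"]) {
    for (const [name, spec] of Object.entries(pkg[field] || {})) {
      if (!isPinned(spec)) {
        findings.push({ kind: "unpinned", name, detail: `${field}: ${spec}` });
      }
    }
  }
  return findings;
}

function main() {
  for (const f of reviewPackageJson(SAMPLE_PACKAGE_JSON)) {
    console.log(`[${f.kind}] ${f.name}: ${f.detail}`);
  }
}
main();
```

Anything reported under `lifecycle-script` deserves a read of the referenced file before the first `npm install`; `unpinned` entries are where a later run can pull different code than the one you reviewed. The same idea applies to the scaffold command itself: `npm create crxjs@latest` resolves to whatever is tagged `latest` at that moment, whereas `npm create crxjs@<exact version>` fixes the scaffolder you reviewed.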
An extension built from this example could run content scripts on many websites and request powerful browser permissions.
The example Chrome extension manifest requests the `scripting` permission and declares a content script whose match pattern covers every HTTPS site, so the injected script runs on any HTTPS page the user visits. This is typical of CRXJS examples, but users should not copy it blindly.
permissions: ["storage", "activeTab", "scripting"], ... content_scripts: [{ matches: ["https://*/*"], js: ["src/content/index.ts"] }]
Narrow Chrome extension permissions and `matches` patterns to the specific sites and capabilities the extension actually needs. `activeTab` already grants temporary access to the page on which the user invokes the extension, so a content script matched against all HTTPS origins is often unnecessary.
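As an added example (not the skill's code or any CRXJS file), the following audits a manifest for host-wide match patterns and high-impact permissions, then produces a narrowed copy restricted to a chosen origin. The manifest object mirrors the snippet above but is constructed here; the allowed origin `https://app.example.com/*` and the set of permissions treated as high-impact are this example's own assumptions, not a Chrome or CRXJS definition.

```javascript
// Added example, not from the skill or CRXJS: audit a Chrome extension
// manifest for broad content-script matches and high-impact permissions,
// and produce a narrowed copy scoped to the sites the extension needs.

// Constructed manifest mirroring the report's excerpt (hypothetical file).
const EXAMPLE_MANIFEST = {
  manifest_version: 3,
  name: "Example CRXJS extension",
  version: "0.0.1",
  permissions: ["storage", "activeTab", "scripting"],
  content_scripts: [{ matches: ["https://*/*"], js: ["src/content/index.ts"] }],
};

// Permissions this example treats as high-impact because they let the
// extension read or change arbitrary pages, requests or browser state.
// The list is an assumption for this audit, not an official classification.
const HIGH_IMPACT_PERMISSIONS = new Set([
  "scripting", "tabs", "webRequest", "declarativeNetRequest", "cookies",
  "debugger", "nativeMessaging", "history", "downloads", "<all_urls>",
]);

// A match pattern is "broad" when it covers every host: either the special
// "<all_urls>" pattern or a scheme://*/... pattern whose host is just "*".
// Subdomain wildcards such as https://*.example.com/* are not broad.
function isBroadMatch(pattern) {
  if (pattern === "<all_urls>") return true;
  const m = /^(\*|https?|file|ftp):\/\/([^/]*)\//.exec(pattern);
  return m !== null && m[2] === "*";
}

// Collect findings from permissions, host_permissions and content_scripts.
function auditManifest(manifest) {
  const findings = [];
  for (const p of manifest.permissions || []) {
    if (HIGH_IMPACT_PERMISSIONS.has(p)) findings.push({ kind: "permission", value: p });
  }
  for (const p of manifest.host_permissions || []) {
    if (isBroadMatch(p)) findings.push({ kind: "host_permission", value: p });
  }
  (manifest.content_scripts || []).forEach((cs, index) => {
    for (const p of cs.matches || []) {
      if (isBroadMatch(p)) findings.push({ kind: "content_script", index, value: p });
    }
  });
  return findings;
}

// Return a copy (the input is not mutated) whose content scripts match only
// `allowedMatches`, with broad host_permissions removed. With dropScripting
// set, the "scripting" permission is removed as well; "activeTab" is kept
// because it only grants access to the tab the user invokes the extension on.
function narrowManifest(manifest, allowedMatches, { dropScripting = false } = {}) {
  const out = JSON.parse(JSON.stringify(manifest));
  out.content_scripts = (out.content_scripts || []).map((cs) => ({
    ...cs,
    matches: [...allowedMatches],
  }));
  if (out.host_permissions) {
    out.host_permissions = out.host_permissions.filter((p) => !isBroadMatch(p));
  }
  if (dropScripting) {
    out.permissions = (out.permissions || []).filter((p) => p !== "scripting");
  }
  return out;
}

function main() {
  console.log("Findings before:", auditManifest(EXAMPLE_MANIFEST));
  const narrowed = narrowManifest(EXAMPLE_MANIFEST, ["https://app.example.com/*"], {
    dropScripting: true,
  });
  console.log("Narrowed manifest:", JSON.stringify(narrowed, null, 2));
  console.log("Findings after:", auditManifest(narrowed));
}
main();
```

Run this against the manifest CRXJS generates before the first build; an empty findings list after narrowing is the state to aim for before publishing. Whether `scripting` can actually be dropped depends on whether the extension injects code at runtime beyond its declared content scripts, which this check cannot know.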
