⚠ Issue · Underserved · browser_extension · Live

Individual users and small teams have no affordable automated tool to audit their installed Chrome extensions for security risk

CRXcavator, the free automated Chrome extension security scanner built by Cisco/Duo, was quietly killed in 2023 with no replacement and no migration path. The only remaining option is Spin.AI at $5,000+/yr with enterprise minimums. Individual users and SMBs installing 20-40 extensions each have no affordable automated way to check for ownership transfers, permission scope creep, code hash mismatches, or known-bad network domains. The gap is acute: in 2025-2026, supply-chain attacks against extensions hit 2.3 million users (RedDirection), 4.3 million users (ShadyPanda), and 900,000 users (AI chat theft via Google-Featured extensions). Users have no tool to scan their own extension inventory against these patterns. Manual review takes 15-30 minutes per extension.

Score Breakdown

HN: 300

Gap Assessment

Underserved: Existing solutions leave gaps

CRXcavator dead since 2023. Spin.AI is enterprise at $5K+/yr. No consumer or SMB-priced automated scanner exists. At least 3 independent campaigns in 2025-2026 hit millions of users with no early warning.