Security Alert: Malware Risk Confirmed
AI Sidebar with Deepseek, ChatGPT, Claude and more.
ID: inhcgfpbfdjbjogdfjbclgolkmhnooop
Supported Languages
Extension Info & Metadata
Publisher Contextual Analysis
- Author
- DeepSeek AIView Profile
- Privacy
- Privacy Policy
- MX records exist
- Yes
- Domain exists
- Yes
- Is disposable
- No
- Is role-based
- Yes
- Mailbox exists
- Yes
Chat with Deepseek AI, ChatGPT, Claude, and more. Boost creativity and productivity using this powerful AI-powered browser tool.
Welcome to AI Sidebar – your personal AI assistant embedded directly in your Chrome browser. With support for the latest AI models like ChatGPT (GPT-4o), Claude 3.5, Gemini 1.5/2.0, DeepSeek R1, and Meta’s LLaMA 3, AI Sidebar helps you write, code, search, summarize, and brainstorm—without switching tabs or apps. ✅ Supercharge Your Browsing Experience AI Sidebar transforms your everyday browsing into a smart, interactive workspace. Whether you're studying, working, writing, or exploring ideas, your AI co-pilot is just one click away—available on any site, in any tab, at any time. 🔍 What You Can Do with AI Sidebar 🧠 Chat & Ask Questions Get instant answers, explanations, and summaries using the latest LLMs—right inside your browser. ✍️ Write Better, Faster Generate blog posts, rewrite emails, polish grammar, or brainstorm content in seconds. 📚 Summarize Anything Highlight text on websites, PDFs, or emails and let the AI give you quick, clear summaries. 💻 Code Smarter Use DeepSeek or GPT-4o to debug code, write scripts, or understand complex programming concepts. 🌐 Multilingual Support Translate text and chat in multiple languages with natural fluency. ⚙️ How It Works Install the AI Sidebar extension. Click the Sidebar icon in your browser. Type your question or highlight content. Get smart, instant answers—no need to open new tabs. 🧬 Powered by Top AI Models AI Sidebar seamlessly integrates with industry-leading large language models (LLMs), including: ChatGPT (GPT-4o, GPT-3.5) by OpenAI Claude 3.5 (Opus, Sonnet, Haiku) by Anthropic Gemini 1.5 Pro & Gemini 2.0 Flash by Google DeepSeek R1 – blazing-fast AI built for advanced research and reasoning LLaMA 3 by Meta – efficient and powerful open-source AI models These models are dynamically selected based on your task to give you the best possible performance, speed, and accuracy. 🧑💼 Who Is AI Sidebar For? Students – Summarize lessons, understand concepts, and improve your writing. Professionals – Automate repetitive tasks, write emails, and generate reports. Developers – Ask coding questions, analyze code, and build faster with AI. Researchers – Get deep insights and contextual answers without searching manually. Everyone – Enjoy a smarter, faster, and more productive browsing experience. 💡 Example Use Cases Draft a professional email in seconds. Summarize long articles or YouTube transcripts. Translate content from any language. Create blog posts, outlines, or social media captions. Debug Python, JavaScript, or any other code instantly. Ask follow-up questions and get conversational answers. 🖼️ Clean UI, No Clutter AI Sidebar is designed for a distraction-free, elegant experience. With a lightweight interface, fast loading time, and minimal resource usage, it blends smoothly into your workflow without getting in your way. 🛠️ For Developers and Power Users Built-in support for tools like deepseek-coder means you can: Ask how code works and get clean, documented responses Refactor or optimize functions Get step-by-step debugging suggestions Learn new libraries or frameworks on the fly Perfect for developers, AI tinkerers, and power users. 📌 Note AI Sidebar is an independent product and is not affiliated with, sponsored by, or endorsed by OpenAI, Anthropic, Google, or Meta. 🔗 Learn More Visit https://deepseek.ai to explore all features, models, FAQs, and usage tips. 🚀 Try AI Sidebar Today Install now and explore a new era of smarter browsing, learning, and productivity. Whether you’re a student, developer, writer, or just curious, AI Sidebar is your new AI-powered co-pilot always by your side.
On extension update, consent is silently and automatically granted for any user who has not yet accepted the consent gate, setting `accepted: true` and `autoGranted: true` without any user interaction. This bypasses the consent mechanism entirely for the extension's data-collection features and content-script injection across all URLs, enabling the extension to operate on all pages without the user ever being asked.
} else if (details.reason === "update") { // Existing users updating from a previous version — auto-grant consent // so they are not shown the consent gate again const hasConsent = await hasUserConsent(); if (!hasConsent) { const consentData = JSON.stringify({ accepted: true, version: "1.0", timestamp: new Date() .toISOString(), autoGranted: true, }); chrome.storage.local.set({ aiinhbfoop_user_consent: consentData }); }}The service worker listens for `action.onCaptureScreen` messages and silently captures the current viewport using `captureCurrentViewport()`. The screenshot is cropped, converted to a base64 data URL, and stored in `chrome.storage.local` under `ai_image_url`. Since the extension's content script runs on `<all_urls>`, any tab can trigger this capture; combined with the `externally_connectable` entry for `*.aitopia.ai`, external pages can also send this message to trigger a screenshot silently.
.runtime.onMessage.addListener(async r => { if (r.fn == "action.onCaptureScreen") { const { data: a } = r.data, { x: o, y: i, width: t, height: p, windowWidth: w } = a; if (!t || !p) return; e.captureCurrentViewport() .then(s => { fetch(s) .then(_ => _.blob()) .then(_ => { createImageBitmap(_) .then(u => { const l = u.width / w, x = o * l, B = i * l, c = t * l, d = p * l, g = new OffscreenCanvas(c, d); g.getContext("2d") .drawImage(u, x, B, c, d, 0, 0, c, d), g.convertToBlob() .then(k => { const f = new FileReader; f.readAsDataURL(k), f.onloadend = () => { const y = f.result; e.Browser() .storage.local.set({ ai_image_url: y }) .then() } }) }) }) }) .catch(s => console.error(s)) }})The manifest grants `externally_connectable` access to `*.aitopia.ai` and `*.chatgptextension.ai`, allowing those external web origins to send messages directly into the extension's background service worker via `chrome.runtime.sendMessage`. This creates a persistent privileged channel from those two external domains into the extension, enabling them to trigger any functionality exposed via `onMessage`, including the screen-capture handler.
{ "externally_connectable": { "matches": [ "*://*.aitopia.ai/*", "*://*.chatgptextension.ai/*" ] }}On install and on every update, the service worker fetches `partner.json` (bundled or potentially served via the extension package) and uses its `app_context` flag to remotely enable `context_reading` and `context_writing` in the stored settings. This means a future extension update or a modified `partner.json` could silently activate full page-content reading and writing across every site the user visits, controlled entirely by the extension publisher.
var m = r => { fetch("/partner.json") .then(a => a.json()) .then(a => { let o = { app_name: n.app_name, ... app_context: !1 }, i = []; Object.keys(a) .forEach(t => { a[t] !== null && (...o[`app_${t}`] = a[t]) })... }) .finally(() => { e.Browser() .storage.local.get("app_details") .then(a => { let o = a.app_details ?? { app_install: !1, app_uninstall: !1, app_context: !1 }; o.app_uninstall && e.Browser().runtime.setUninstallURL(n.site + "/uninstall?ex=" + n.extension_id), !h && (h = !0, e.settingsBuild(!0).then(i => { let t = i; typeof i.settings < "u" && (t = i.settings), typeof t.ai_key < "u" && (r.reason == "install" && (t = Object.assign(t, { context_reading: o.app_context, context_writing: o.app_context, context_writing_input: o.app_context })), e.Browser().storage.local.set({ settings: t })) })) }) })};The content script, which is injected on `<all_urls>` (every URL the user visits), dynamically imports and executes a further JavaScript module via `import()` at runtime. This pattern loads additional extension code lazily and could be used to deliver payloads that were not present at review time, making static analysis of full capabilities impossible.
(async () => { try { const { onExecute } = await import( /* @vite-ignore */ chrome.runtime.getURL( "aitopia/assets/a06923325df9fc23634226f1be1668ff.js", ) ); onExecute?.({ perf: { injectTime, loadTime: performance.now() - injectTime }, }); } catch (error) { console.error( "[DeepSeek AI Extension] Error loading main sidebar app:", error, ); }})();On every install or update the service worker generates and persists a unique identifier under `uuid_hopekey` in extension storage. This UUID survives across browser sessions and provides a stable fingerprint for user tracking that cannot be cleared by normal browser history/cookie deletion.
e.Browser() .storage.local.set({ migrate_test: 1 }), e.Browser() .storage.local.get("uuid_hopekey") .then(r => { if (r.uuid_hopekey == null) return e.uuid(1) })When the user clicks Accept on the consent banner, the extension immediately queries all open browser tabs (`chrome.tabs.query({})`) and broadcasts a message to every tab simultaneously. This enumerate-all-tabs pattern is aggressive for a consent notification and exposes the full list of currently open tabs to this code path; it also immediately activates the sidebar on every page rather than waiting for navigation.
document .getElementById("acceptBtn") .addEventListener("click", async function() { saveConsent(true); ... try { const tabs = await chrome.tabs.query({}); const promises = tabs.map((tab) => { return chrome.tabs .sendMessage(tab.id, { type: "CONSENT_ACCEPTED", action: "update_consent", }) .catch(() => { return null; }); }); await Promise.race([ Promise.all(promises), new Promise((resolve) => setTimeout(resolve, 500)), ]); } catch (e) { console.error("Error notifying tabs:", e); }The Bluebird promise library (bundled) uses multiple `new Function()` calls to construct and immediately execute dynamically built code strings. While this is a known Bluebird optimization, its presence inside a Chrome extension violates best-practice CSP hygiene and provides a code-execution primitive that could be repurposed by any code that controls the string arguments passed to these constructors.
for (var i = function(k) { return new Function("value", "holder", ` 'use strict'; holder.pIndex = value; holder.checkFulfillment(this); `.replace(/Index/g, k)) }, f = function(k) { return new Function("promise", "holder", ` 'use strict'; holder.pIndex = promise; `.replace(/Index/g, k)) }, ... return M = M.replace(/\[TheName\]/g, B) .replace(/\[TheTotal\]/g, k) .replace(/\[ThePassedArguments\]/g, W) .replace(/\[TheProperties\]/g, q) .replace(/\[CancellationCode\]/g, Q), new Function("tryCatch", "errorObj", "Promise", "async", M)(t, s, e, g)By severity
Versions scanned
Showing 1 of 14 scanned versions with more than one unique finding. Counts are unique findings that include each version.
| Extension Version | Code Review Findings |
|---|---|
| 1.6.8 | 8 |
Files with findings
6 distinct paths — top paths by unique finding count:
- aitopia/assets/64f450e08e23ddcb6bf43777d4239116.js3
- aitopia/assets/95c5528581b0856eaa0cfd2aa93cc17d.js1
- aitopia/assets/content-script-loader.js1
- blueBackground.js1
- consent-gate.js1
- manifest.json1
URLs
View the external URLs this extension communicates with to understand its network activity and data interactions.
Gain full insight into all external connections.
Upgrade for full visibility.
Gain full insight into all external connections.
Upgrade for full visibility.
Code Diff
Compare extension code between any two versions.
No comparable text files found between these versions.
Browse and explore files within this extension package
Gain full insight into all external connections.
Upgrade for full visibility.