Alvand Website Toolkit

Alvand Website Toolkit

ID: efjakogamjhdfnkhefhpcboahbcjfpli

Extension Info & Metadata

Status
Active
Version
1.0.48
Size
0.24 MB
Rating
5.0/5
Reviews
1
Users
5
Type
Extension
Updated
Jun 29, 2026
Category
Tools
Price
Free
Featured
No
Visibility
Listed
Mature
No
By Google
No
Trusted
No

Publisher Contextual Analysis

Author
CubexicView Profile
MX records exist
Yes
Domain exists
Yes
Is disposable
No
Is role-based
No
Mailbox exists
Yes
Total Extensions
2
Active
2
Obsolete
0
Listed
2
Unlisted
0
Total Users
23
Screenshot 1
Screenshot 2
Screenshot 3

Server IP, country, security, performance and site analysis for visited websites

🚀 Discover the Truth Behind Every Website — Instantly! 🧠🌍🔒 Introducing your new favorite browser companion — a powerful, free extension that turns your browsing into an intelligent, secure, and insightful experience! 🔍 Know Where You’re Browsing See the flag, IP address, and exact server location of any website you visit — all visualized on an interactive map. Ever wondered where that site is really hosted? Now you’ll know. 🤖 AI-Powered Website Insights Our built-in AI goes beyond the surface — analyzing each website in real time and offering clear, trustworthy insights on its credibility, purpose, and reliability. Think of it as a second opinion from a digital detective. 🛡️ Your First Line of Defense With real-time security checks via Google Safe Browsing API, you’ll be instantly alerted if a domain is flagged as suspicious or malicious. Browse smarter, safer, and with total peace of mind. ✨ Works seamlessly with Google Chrome, Opera, Vivaldi, and Brave. And yes — it’s completely free. 🔗 Try it today and see your browser in a whole new light. Knowledge is power. Now it's just a click away.

Item
Type
Severity
Description
scripting
Permission
Critical
This permission allows injection and execution of JavaScript on any webpage. Rated Critical because it can modify page content, steal sensitive data, and inject malicious code into any site the extension has access to.
http://*/*
Host
Critical
Broad host access — the extension can read/modify content on every website.
https://*/*
Host
Critical
Broad host access — the extension can read/modify content on every website.
webNavigation
Permission
High
This permission enables monitoring of all browser navigation events and transitions. Rated High because it can track every page visit, navigation method, and browsing pattern, potentially exposing sensitive browsing behavior and user activities.
Contextual Risk Factors
Risk Factor
High
The following context increases the overall risk: • 19% increase: Access to sensitive domains increases potential impact
activeTab
Permission
Medium
This permission grants temporary access to the current tab. Rated Medium because it can access current page content when invoked, though limited to user-initiated actions.
tabs
Permission
Medium
This permission enables tab management and monitoring. Rated Medium because it can track open tabs, access tab metadata, and monitor user browsing patterns.
storage
Permission
Medium
This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads.
https://*.workers.dev/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.tile.openstreetmap.org/*
Host
Medium
Host permission — access limited to this URL pattern.
https://www.google.com/s2/*
Host
Medium
Host permission — access limited to this URL pattern.
Access to Sensitive Domains
Risk Factor
Medium
This extension requests access to sensitive domains: https://www.google.com/s2/*
contextMenus
Permission
Low
This permission adds items to browser context menus. Rated Medium because it only modifies right-click menus without access to page content.

The bundled manifest (installed on users' machines) differs significantly from the CWS-published manifest: the bundle omits `webRequest` and the specific API host entries (`ipgeolocation.io`, `dns.google`, `openai.com`, `safebrowsing.googleapis.com`, etc.) present in the published version, instead routing everything through a wildcard `*.workers.dev` entry; conversely, the bundle adds `contextMenus` not declared in the published listing. Users reviewing the store listing cannot accurately assess what the installed version actually requests, constituting a meaningful disclosure mismatch.

manifest.json (Line 19)
{  "host_permissions": [    "http://*/*",    "https://*/*",    "https://*.workers.dev/*",    "https://*.tile.openstreetmap.org/*",    "https://www.google.com/s2/*"  ],  "permissions": [    "activeTab",    "tabs",    "storage",    "webNavigation",    "scripting",    "contextMenus"  ]}

On every page navigation, the visited domain is sent to `alvand-extension-worker.cubex.workers.dev` paired with a stable per-installation UUID (`userId`), allowing the publisher to maintain a server-side log of each user's browsing-domain history. The CWS data-collection disclosure lists only 'Location', not browsing history; the domain-lookup is the extension's core stated function but the server-side retention of userId+domain tuples is an undisclosed collection of browsing history.

background.js (Line 113)
async function callWorker(action, params = {}) {  const userId = await getUserId();  const licenseKey = await getLicenseKey();  const response = await fetch(WORKER_URL, {    method: 'POST',    headers: {      'Content-Type': 'application/json'    },    body: JSON.stringify({      userId,      action,      licenseKey,      ...params    })  });  ...}// Called on every page navigation completion:const ipInfo = await detectRealIP(domain, tabId, url);// detectRealIP calls: callWorker('getLocation', { domain })

By severity

Critical0
High1
Medium1
Low0

Versions scanned

Showing 1 of 4 scanned versions with more than one unique finding. Counts are unique findings that include each version.

Extension VersionCode Review Findings
1.0.482

Files with findings

2 distinct paths — top paths by unique finding count:

  • background.js1
  • manifest.json1
S.No.
Category
Severity
File
Summary
Found in Version
1Other
high
manifest.json (line 19)The bundled manifest (installed on users' machines) differs significantly from the CWS-published manifest: the bundle omits `webRequest` and the specific API host entries (`ipgeolocation.io`, `dns.google`, `openai.com…
2Unauthorized Data Collection
medium
background.js (line 113)On every page navigation, the visited domain is sent to `alvand-extension-worker.cubex.workers.dev` paired with a stable per-installation UUID (`userId`), allowing the publisher to maintain a server-side log of each u…
URLs
0
IPv4
0
IPv6
0

URLs

View the external URLs this extension communicates with to understand its network activity and data interactions.

Gain full insight into all external connections.

Upgrade for full visibility.

No URLs found

Gain full insight into all external connections.

Upgrade for full visibility.

No IP addresses found
Showing 1 to 4 of 10 rows
Rows per page:

Code Diff

Compare extension code between any two versions.

0 changed files (scanned top 25 shared text files)

No comparable text files found between these versions.

Browse and explore files within this extension package

Gain full insight into all external connections.

Upgrade for full visibility.