| scripting | Permission | | This permission allows injection and execution of JavaScript on any webpage. Rated Critical because it can modify page content, steal sensitive data, and inject malicious code into any site the extension has access to. |
| cookies | Permission | | This permission provides full access to read and modify browser cookies. Rated High because it can steal session tokens, modify authentication cookies, and compromise accounts across websites. |
| offscreen | Permission | | This permission creates hidden browser documents with full DOM access. Rated High because it can run background operations invisibly, potentially executing malicious code without user awareness. |
| downloads | Permission | | This permission controls file downloads and accesses download history. Rated High because it can download malicious files, access sensitive downloaded documents, and track user download patterns. |
| Contextual Risk Factors | Risk Factor | | The following context increases the overall risk:β’ 20% increase: Access to sensitive domains increases potential impactβ’ 10% increase: Early script execution enables pre-emptive content manipulation |
| storage | Permission | | This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads. |
| unlimitedStorage | Permission | | This permission removes storage quota restrictions. Rated Medium because it can store large amounts of user data without limits, potentially impacting browser performance and storing extensive tracking data. |
| https://www.instagram.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.instagram.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.threads.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.threads.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://api.hypeduck.ai/* | Host | | Host permission β access limited to this URL pattern. |
| https://hypeduck.ai/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.hypeduck.ai/* | Host | | Host permission β access limited to this URL pattern. |
| https://graph.baidu.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.youtube.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.rednote.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.rednote.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.xiaohongshu.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.xiaohongshu.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.tiktok.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.tiktok.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://www.douyin.com/* | Host | | Host permission β access limited to this URL pattern. |
| https://*.douyin.com/* | Host | | Host permission β access limited to this URL pattern. |
| Access to Sensitive Domains | Risk Factor | | This extension requests access to sensitive domains: https://www.instagram.com/*, https://*.instagram.com/* |
| Early Content Script Execution | Risk Factor | | This extension runs content scripts at document_start. |
| alarms | Permission | | This permission schedules periodic tasks. Rated Low because it can only trigger events at specified times without access to sensitive data. |