Extension Auditor
Extension Auditor
Sign Up
Moasell - 상품수집기

Moasell - 상품수집기

ID: hokgidggmfnfjlanbijnbgfddbeihdff

Supported Languages

🇰🇷Korean

Extension Info & Metadata

Status
Active
Version
1.6.6
Size
0.21 MB
Rating
0.0/5
Reviews
0
Users
49
Type
Extension
Updated
Jun 28, 2026
Category
Workflow & planning
Price
Free
Featured
No
Visibility
Listed
Mature
No
By Google
No
Trusted
No
Download CRX
Chrome Web Store
Report Issue

Publisher Contextual Analysis

Author
didakfqView Profile
Privacy
Privacy Policy
MX records exist
Yes
Domain exists
Yes
Is disposable
No
Is role-based
No
Mailbox exists
Yes
Total Extensions
1
Active
1
Obsolete
0
Listed
1
Unlisted
0
Total Users
49
Screenshot 1
Screenshot 2

이커머스 상품 자동 수집

Item
Type
Severity
Description
scripting
Permission
Critical
This permission allows injection and execution of JavaScript on any webpage. Rated Critical because it can modify page content, steal sensitive data, and inject malicious code into any site the extension has access to.
downloads
Permission
High
This permission controls file downloads and accesses download history. Rated High because it can download malicious files, access sensitive downloaded documents, and track user download patterns.
Contextual Risk Factors
Risk Factor
High
The following context increases the overall risk: • 19% increase: Access to sensitive domains increases potential impact
activeTab
Permission
Medium
This permission grants temporary access to the current tab. Rated Medium because it can access current page content when invoked, though limited to user-initiated actions.
storage
Permission
Medium
This permission allows storing data locally in the browser. Rated Medium because it can persist sensitive user data, track user activities over time, and potentially store malicious payloads.
tabs
Permission
Medium
This permission enables tab management and monitoring. Rated Medium because it can track open tabs, access tab metadata, and monitor user browsing patterns.
https://*.naver.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.coupang.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.gmarket.co.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.auction.co.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.11st.co.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.lotteon.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.ssg.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.kurly.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.esmplus.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://moasell.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
https://www.moasell.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
http://localhost:3000/*
Host
Medium
Host permission — access limited to this URL pattern.
http://localhost/*
Host
Medium
Host permission — access limited to this URL pattern.
https://api.commerce.naver.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://api-gateway.coupang.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://api.11st.co.kr/*
Host
Medium
Host permission — access limited to this URL pattern.
https://api.lotteon.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://openapi.lotteon.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://shopping-fep.toss.im/*
Host
Medium
Host permission — access limited to this URL pattern.
https://shopping-fep-alpha.toss.im/*
Host
Medium
Host permission — access limited to this URL pattern.
https://chatgpt.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.chatgpt.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.oaiusercontent.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://gemini.google.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.google.com/*
Host
Medium
Host permission — access limited to this URL pattern.
https://*.googleusercontent.com/*
Host
Medium
Host permission — access limited to this URL pattern.
Access to Sensitive Domains
Risk Factor
Medium
This extension requests access to sensitive domains: https://shopping-fep.toss.im/*, https://shopping-fep-alpha.toss.im/*, https://gemini.google.com/*, https://*.google.com/*, https://*.googleusercontent.com/*
notifications
Permission
Low
This permission displays system notifications. Rated Low because it can only show user-visible notifications without accessing system data.

The bundled manifest declares six host_permissions for ChatGPT and Google/Gemini services that are entirely absent from the published CWS listing manifest. Background.js lines 5706–6307 implement an 'AI image transformation' feature that opens chatgpt.com or gemini.google.com tabs, injects product images using the user's existing login session, types prompts, polls for AI-generated results, and sends the result base64 back to moasell.kr/api/ai-image/save-result. While the feature itself routes data to the publisher's own domain, the *.google.com/* wildcard grants the extension scripting access to Gmail, Google Drive, and every other Google property — far broader than needed for Gemini alone. This undisclosed permission set was not declared in the CWS listing, meaning users and the Web Store review process may not be aware of the access scope.

manifest.json (Line 30)
[  "https://chatgpt.com/*",  "https://*.chatgpt.com/*",  "https://*.oaiusercontent.com/*",  "https://gemini.google.com/*",  "https://*.google.com/*",  "https://*.googleusercontent.com/*"]

By severity

Critical0
High1
Medium0
Low0

Versions scanned

None of the 11 scanned versions have more than one unique code-review finding. Counts are unique findings that include each version.

Extension VersionCode Review Findings
No versions with multiple unique findings.

Files with findings

1 distinct path — top paths by unique finding count:

  • manifest.json1
S.No.
Category
Severity
File
Summary
Found in Version
1Other
high
manifest.json (line 30)The bundled manifest declares six host_permissions for ChatGPT and Google/Gemini services that are entirely absent from the published CWS listing manifest. Background.js lines 5706–6307 implement an 'AI image transfor…
1.6.6
URLs
0
IPv4
0
IPv6
0

URLs

View the external URLs this extension communicates with to understand its network activity and data interactions.

Gain full insight into all external connections.

Upgrade for full visibility.

Sign In
No URLs found

Gain full insight into all external connections.

Upgrade for full visibility.

Sign In
No IP addresses found
Version
Size
Is Malicious
Findings
Permhash
1.6.106
Latest
0.21 MB
853480c6429a72eb78e30d2be83fbad4399b160f47bb35f5de02bf7deecec3e2
1.6.100
0.20 MB
853480c6429a72eb78e30d2be83fbad4399b160f47bb35f5de02bf7deecec3e2
1.6.98
0.20 MB
853480c6429a72eb78e30d2be83fbad4399b160f47bb35f5de02bf7deecec3e2
1.6.97
0.20 MB
853480c6429a72eb78e30d2be83fbad4399b160f47bb35f5de02bf7deecec3e2
1.6.89
0.19 MB
Benign
853480c6429a72eb78e30d2be83fbad4399b160f47bb35f5de02bf7deecec3e2
1.6.73
0.18 MB
Benign
a91950fee3e8bd3a18fc8a19fa247a7d8defd6fff8fbbddccdc7f5dd31d311f3
1.6.40
0.16 MB
Benign
a91950fee3e8bd3a18fc8a19fa247a7d8defd6fff8fbbddccdc7f5dd31d311f3
1.6.22
0.14 MB
Benign
a91950fee3e8bd3a18fc8a19fa247a7d8defd6fff8fbbddccdc7f5dd31d311f3
1.6.6
0.11 MB
Malicious
1
a91950fee3e8bd3a18fc8a19fa247a7d8defd6fff8fbbddccdc7f5dd31d311f3
1.6.3
0.11 MB
Malicious
a91950fee3e8bd3a18fc8a19fa247a7d8defd6fff8fbbddccdc7f5dd31d311f3
Showing 1 to 10 of 20 rows
Rows per page:

Code Diff

Compare extension code between any two versions.

0 changed files (scanned top 25 shared text files)

No comparable text files found between these versions.

Browse and explore files within this extension package

Gain full insight into all external connections.

Upgrade for full visibility.

Sign In