Google Keep Chrome Extens

Name: Security Analysis: Google Keep Chrome Extens
Item: Google Keep Chrome Extens
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 7M+ users

📦 v4.26071.600.1

💾 6.52MiB

📅 2026-02-19

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Overview

Found a webpage, image, or quote that you want to save for later? With the Google Keep Chrome Extension, easily save the things you care about to Keep and have them synced across all of the platforms that you use — including web, Android, iOS, and Wear. Take notes for additional detail and add labels to quickly categorize your note for later retrieval.

Features:
• Save URLs, text, and images
• Take notes on saved content
• Add labels to your notes
• Automatically saves to Google Keep

Try Google Keep on the web at https://keep.google.com, on your Android device at https://g.co/keep, and on your iOS device at https://itunes.apple.com/us/app/google-keep-your-thoughts/id1029207872.

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

🔄 New version v4.26071.600.1 detected — scan automatically queued.

v4.26091.600.1 Info Scanned Mar 5, 2026

Security Analysis — Google Keep Chrome Extens

Analyzed v4.26091.600.1 · Mar 5, 2026 · 98 JS files · 2737 KB scanned

Permissions

Code Patterns Detected

External Connections

www.gstatic.com github.com bugzil.la fonts.gstatic.com www.khronos.org keep.google.com play.google.com www.w3.org goo.gl kripken.github.io en.wikipedia.org www.ietf.org +8 more

Package Contents 208 files · 22.4MB

▾📁_locales133KB

▾📁am2KB

{}messages.json2KB

▾📁ar2KB

{}messages.json2KB

▾📁bg3KB

{}messages.json3KB

▾📁bn3KB

{}messages.json3KB

▾📁ca2KB

{}messages.json2KB

▾📁cs2KB

{}messages.json2KB

▾📁cy2KB

{}messages.json2KB

▾📁da2KB

{}messages.json2KB

▾📁de2KB

{}messages.json2KB

▾📁el3KB

{}messages.json3KB

▾📁en7KB

{}messages.json7KB

▾📁en_GB2KB

{}messages.json2KB

▾📁es2KB

{}messages.json2KB

▾📁es_4192KB

{}messages.json2KB

▾📁et2KB

{}messages.json2KB

▾📁eu2KB

{}messages.json2KB

▾📁fa2KB

{}messages.json2KB

▾📁fi2KB

{}messages.json2KB

▾📁fil2KB

{}messages.json2KB

▾📁fr2KB

{}messages.json2KB

▾📁gl2KB

{}messages.json2KB

▾📁gu3KB

{}messages.json3KB

▾📁he2KB

{}messages.json2KB

▾📁hi3KB

{}messages.json3KB

▾📁hr2KB

{}messages.json2KB

▾📁hu2KB

{}messages.json2KB

▾📁id2KB

{}messages.json2KB

▾📁is2KB

{}messages.json2KB

▾📁it2KB

{}messages.json2KB

▾📁ja2KB

{}messages.json2KB

▾📁kn3KB

{}messages.json3KB

▾📁ko2KB

{}messages.json2KB

▾📁lt2KB

{}messages.json2KB

▾📁lv2KB

{}messages.json2KB

▾📁ml3KB

{}messages.json3KB

▾📁ms2KB

{}messages.json2KB

▾📁my3KB

{}messages.json3KB

▾📁nl2KB

{}messages.json2KB

▾📁no2KB

{}messages.json2KB

▾📁pl2KB

{}messages.json2KB

▾📁pt_BR2KB

{}messages.json2KB

▾📁pt_PT2KB

{}messages.json2KB

▾📁ro2KB

{}messages.json2KB

▾📁ru2KB

{}messages.json2KB

▾📁sk2KB

{}messages.json2KB

▾📁sl2KB

{}messages.json2KB

▾📁sr2KB

{}messages.json2KB

▾📁sv2KB

{}messages.json2KB

▾📁sw2KB

{}messages.json2KB

▾📁ta3KB

{}messages.json3KB

▾📁te3KB

{}messages.json3KB

▾📁th3KB

{}messages.json3KB

▾📁tr2KB

{}messages.json2KB

▾📁uk2KB

{}messages.json2KB

▾📁ur2KB

{}messages.json2KB

▾📁vi2KB

{}messages.json2KB

▾📁zh_CN2KB

{}messages.json2KB

▾📁zh_TW2KB

{}messages.json2KB

▾📁zu2KB

{}messages.json2KB

▾📁i18n614KB

📜symbols_af.js6KB

📜symbols_am.js8KB

📜symbols_ar.js10KB

📜symbols_as.js10KB

📜symbols_az.js7KB

📜symbols_be.js9KB

📜symbols_bg.js9KB

📜symbols_bn.js10KB

📜symbols_ca.js7KB

📜symbols_cs.js7KB

📜symbols_cy.js6KB

📜symbols_da.js6KB

📜symbols_de.js6KB

📜symbols_el.js10KB

📜symbols_en.js4KB

📜symbols_en_ca.js6KB

📜symbols_en_gb.js6KB

📜symbols_es.js6KB

📜symbols_es_419.js6KB

📜symbols_et.js6KB

📜symbols_eu.js6KB

📜symbols_fa.js10KB

📜symbols_fi.js7KB

📜symbols_fil.js6KB

📜symbols_fr.js6KB

📜symbols_fr_ca.js6KB

📜symbols_gl.js6KB

📜symbols_gu.js9KB

📜symbols_hi.js9KB

📜symbols_hr.js6KB

📜symbols_hu.js7KB

📜symbols_hy.js10KB

📜symbols_id.js6KB

📜symbols_is.js7KB

📜symbols_it.js6KB

📜symbols_iw.js9KB

📜symbols_ja.js7KB

📜symbols_ka.js10KB

📜symbols_kk.js9KB

📜symbols_km.js10KB

📜symbols_kn.js10KB

📜symbols_ko.js7KB

📜symbols_lo.js9KB

📜symbols_lt.js7KB

📜symbols_lv.js7KB

📜symbols_mk.js10KB

📜symbols_ml.js10KB

📜symbols_mn.js11KB

📜symbols_mr.js9KB

📜symbols_ms.js6KB

📜symbols_my.js10KB

📜symbols_ne.js10KB

📜symbols_nl.js6KB

📜symbols_no.js6KB

📜symbols_or.js10KB

📜symbols_pa.js9KB

📜symbols_pl.js6KB

📜symbols_pt_br.js7KB

📜symbols_pt_pt.js7KB

📜symbols_ro.js6KB

📜symbols_ru.js10KB

📜symbols_si.js9KB

📜symbols_sk.js6KB

📜symbols_sl.js6KB

📜symbols_sq.js7KB

📜symbols_sr.js9KB

📜symbols_sv.js6KB

📜symbols_sw.js6KB

📜symbols_ta.js10KB

📜symbols_te.js10KB

📜symbols_th.js10KB

📜symbols_tr.js6KB

📜symbols_uk.js9KB

📜symbols_ur.js9KB

📜symbols_uz.js6KB

📜symbols_vi.js7KB

📜symbols_zh_cn.js7KB

📜symbols_zh_hk.js7KB

📜symbols_zh_tw.js7KB

📜symbols_zu.js6KB

▾📁ink18.5MB

▾📁nothreads9.2MB

📜ink-loader-bundle.js260KBlarge

📄ink-loader.MF59B

📜ink-loader.js115KBlarge

📜ink.aw.js0B

📜ink.d.ts0B

📄ink.data0B

🌐ink.html0B

📜ink.js260KBlarge

📄ink.js.symbols1.1MB

📄ink.symbols0B

⚙ink.wasm4.3MB

⚙ink.wasm.debug.wasm0B

📄ink.wasm.js.symbols0B

📄ink.wasm.map3.1MB

📄ink.wasm.orig0B

📜ink.ww.js0B

▾📁threads9.3MB

📜ink-loader-threads-bundle.js298KBlarge

📄ink-loader-threads.MF67B

📜ink-loader-threads.js124KBlarge

📜ink.aw.js0B

📜ink.d.ts0B

📄ink.data0B

🌐ink.html0B

📜ink.js297KBlarge

📄ink.js.symbols1.1MB

📄ink.symbols0B

⚙ink.wasm4.3MB

⚙ink.wasm.debug.wasm0B

📄ink.wasm.js.symbols0B

📄ink.wasm.map3.2MB

📄ink.wasm.orig0B

📜ink.ww.js0B

🔤GoogleSans-Medium.ttf154KB

🔤GoogleSans-Regular.ttf154KB

🔤Roboto-Bold.ttf167KB

🔤Roboto-Italic.ttf170KB

🔤Roboto-Light.ttf166KB

🔤Roboto-Medium.ttf168KB

🔤Roboto-Regular.ttf168KB

🔤RobotoCondensed-Bold.ttf143KB

🔤RobotoCondensed-Light.ttf142KB

🔤RobotoCondensed-Regular.ttf142KB

🔤RobotoSlab-Bold.ttf167KB

🔤RobotoSlab-Light.ttf175KB

🔤RobotoSlab-Regular.ttf165KB

🔤RobotoSlab-Thin.ttf177KB

📜background.js154KBlarge

📜flags.js1KB

🎨google_sans.css319B

🖼icon_128.png1KB

🖼icon_16.png307B

🖼icon_19.png404B

🖼icon_38.png603B

🖼icon_48.png422B

🖼icon_disabled_19.png388B

🖼icon_disabled_38.png583B

🖼icon_gray_19.png372B

🖼icon_gray_38.png596B

🌐index.html340B

📜injector.js41KB

📜keep_ba-prod_app_script_ltr.js284KBlarge

📜keep_ba-prod_app_script_rtl.js286KBlarge

🎨keep_ba-prod_app_styles_ltr_default.css87KB

🎨keep_ba-prod_app_styles_rtl_default.css87KB

📜keep_ba-prodbootstrap.js4KB

{}manifest.json1KB

🎨roboto.css747B

🎨roboto_condensed.css517B

🎨roboto_slab.css627B

What This Extension Does

The Google Keep Chrome Extension allows users to save web content, notes, and images directly to their Google Keep account. It's designed for productivity and workflow purposes, suitable for anyone who wants to quickly capture and organize information from the web.

Permissions Explained

activeTabexpected: This permission allows the extension to access the currently active tab in your browser.
Technical: The activeTab permission grants access to the current tab's URL, title, and content via the Chrome.tabs API. This could potentially allow unauthorized data exfiltration or manipulation if compromised.
identityexpected: This permission allows the extension to access your Google account identity, enabling it to save content directly to your Keep account.
Technical: The identity permission grants access to your Google account credentials via the Chrome.identity API. This could potentially allow unauthorized access to your Google account if compromised.
contextMenusexpected: This permission allows the extension to add custom context menu items in your browser.
Technical: The contextMenus permission grants access to the Chrome.contextMenus API, enabling the creation of custom context menu items. This could potentially allow unauthorized code execution if compromised.
tabsexpected: This permission allows the extension to manage and access your browser tabs.
Technical: The tabs permission grants access to the Chrome.tabs API, enabling management of tab creation, deletion, and content. This could potentially allow unauthorized data exfiltration or manipulation if compromised.
unlimitedStorageexpected: This permission allows the extension to store an unlimited amount of data in your browser's storage.
Technical: The unlimitedStorage permission grants access to the Chrome.storage API, enabling storage of arbitrary amounts of data. This could potentially allow unauthorized data exfiltration or manipulation if compromised.
scriptingexpected: This permission allows the extension to execute scripts in your browser.
Technical: The scripting permission grants access to the Chrome.scripting API, enabling execution of arbitrary scripts. This could potentially allow unauthorized code execution if compromised.
file://*/*check this: This permission allows the extension to access local files on your device.
Technical: The file://*/* permission grants access to arbitrary local file paths, enabling potential unauthorized data exfiltration or manipulation if compromised. ⚠ 1
http://*/check this: This permission allows the extension to make HTTP requests to any domain.
Technical: The http://*/ permission grants access to arbitrary HTTP domains, enabling potential unauthorized data exfiltration or manipulation if compromised. ⚠ 1
https://*/check this: This permission allows the extension to make HTTPS requests to any domain.
Technical: The https://*/ permission grants access to arbitrary HTTPS domains, enabling potential unauthorized data exfiltration or manipulation if compromised. ⚠ 1

Your Data

The extension accesses your Google account identity and stores content in your Keep account. It also makes requests to various domains, including Google's own services.

Technical Details

The extension contacts the following domains: www.gstatic.com, github.com, bugzil.la, fonts.gstatic.com, www.khronos.org, keep.google.com, play.google.com, www.w3.org, goo.gl, kripken.github.io, en.wikipedia.org, and www.ietf.org. It uses both HTTP and HTTPS protocols for these requests.

Code Findings

innerHTML assignment — potential XSS vectorMedium

The extension assigns innerHTML to an element, which could potentially allow cross-site scripting (XSS) attacks if compromised.

Technical: The code pattern element.innerHTML = ... is used in the file contentScript.js. This could potentially allow arbitrary script execution if an attacker injects malicious content.

💡 This pattern is commonly used for dynamic content injection in legitimate extensions.

String.fromCharCode (obfuscation)Medium

The extension uses String.fromCharCode to obfuscate code, which could potentially make it harder to analyze or debug.

Technical: The code pattern String.fromCharCode(...) is used in the file background.js. This could potentially allow unauthorized code execution if compromised.

💡 This pattern is commonly used for code obfuscation in legitimate extensions.

Makes XHR requestsInfo

The extension makes XMLHttpRequests to various domains, which could potentially allow data exfiltration or manipulation if compromised.

Technical: The code pattern XMLHttpRequest is used in the file background.js. This allows the extension to make requests to arbitrary domains.

💡 This pattern is commonly used for legitimate data exchange between extensions and servers.

Creates script elements dynamicallyHigh

The extension creates script elements dynamically, which could potentially allow unauthorized code execution if compromised.

Technical: The code pattern document.createElement('script') is used in the file contentScript.js. This allows the extension to inject arbitrary scripts into web pages.

💡 This pattern is commonly used for legitimate script injection in extensions.

Bottom Line

The Google Keep Chrome Extension has some concerning permissions and code patterns, but overall it appears to be a legitimate extension that aligns with its stated purpose. However, users should exercise caution when installing any extension, especially those with broad permissions or obfuscated code.