Prettify Hku Chatgpt
Overview
Make HKU ChatGPT usable again!
Security Analysis — Prettify Hku Chatgpt
Package Contents 9 files · 27KB
What This Extension Does
Prettify HKU ChatGPT is a productivity tool designed to improve the visual layout and usability of the official HKU ChatGPT interface. It works by injecting a content script into that site's pages and modifying HTML elements there, to fix rendering issues and improve readability. With no outbound network activity observed and a permission set scoped to a single site, it presents the low-risk profile typical of small utility extensions.
Permissions Explained
- https://chatgpt.hku.hk/* (expected): This permission allows the extension to run code only on the HKU ChatGPT website. It cannot see or modify data on other websites you visit, so your browsing activity elsewhere stays private.
Technical: The Manifest V3 host_permissions entry and the content script's matches pattern are both restricted to a single origin, so content-script injection and extension API access to page data are limited to https://chatgpt.hku.hk. This bounds the attack surface by preventing cross-site context manipulation; no broad network interception or sniffing capability is granted.
Your Data
The extension does not send any data to external servers. It operates entirely locally within your browser session on the HKU ChatGPT domain, meaning no personal information leaves your device.
Technical Details
Code Findings
The extension modifies the webpage by writing HTML markup directly into page elements. If a future version ever inserts text from an untrusted source (a fetched response, or content read back from the page) without cleaning it, an attacker could theoretically inject code that runs in your browser.
Technical: Code pattern: element.innerHTML = ... detected in the single JavaScript file (9 KB). This DOM manipulation method is susceptible to Cross-Site Scripting (XSS) if the assigned string carries attacker-controlled markup. Note that <script> elements inserted through innerHTML are not executed by the browser, but inline event handlers (for example an onerror attribute on an <img> tag) are, so the sink is still exploitable. Risk is elevated only if the extension fetches external data or reflects page content into the sink; currently it appears to assign static markup to fixed page elements.
💡 Content scripts frequently use innerHTML to replace broken layouts, add buttons, or fix CSS rendering issues on third-party sites where standard CSS injection fails.
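The triage the report performed on the innerHTML finding can be reproduced mechanically: list every assignment to the sink and classify what flows into it (a fixed string literal, a variable, or something that came off the network). The helper below is an added example, not the extension's code; the content script it scans is a constructed stand-in that mimics the shapes discussed above (static layout fixes, a function parameter, a fetched response), and the URL in it is a placeholder. The escape helper at the end is the minimum fix for the non-static cases; building the element with createElement/textContent is better still because no markup is parsed from data at all.

```javascript
// Added example, not the extension's own code: triage innerHTML assignments in a
// content script. The source below is CONSTRUCTED for the demonstration.
const sampleContentScript = [
  "const bar = document.querySelector('#composer');",
  "bar.innerHTML = '<div class=\"hku-fix\"><button id=\"hku-wide\">Wide</button></div>';",
  "const title = document.querySelector('h1');",
  'title.innerHTML = "<span>HKU " + "ChatGPT</span>";',
  "function showBanner(msg) {",
  "  const box = document.createElement('div');",
  "  box.innerHTML = '<p>' + msg + '</p>';",
  "  document.body.append(box);",
  "}",
  "fetch('https://example.invalid/notice')",          // placeholder URL
  "  .then(r => r.text())",
  "  .then(t => { document.querySelector('#notice').innerHTML = t; });",
  "if (el.innerHTML === '') { el.textContent = 'empty'; }",   // comparison, not a sink
].join('\n');

// One string literal (single or double quoted, escapes allowed) ...
const LITERAL = String.raw`(?:'(?:\\.|[^'\\])*'|"(?:\\.|[^"\\])*")`;
// ... or several concatenated with '+': nothing variable can reach the sink.
const ONLY_LITERALS = new RegExp(String.raw`^\s*${LITERAL}(?:\s*\+\s*${LITERAL})*\s*$`);
// `.innerHTML =` or `.innerHTML +=`, but not `==` / `===` comparisons.
const SINK = /\.innerHTML\s*(\+?=)(?!=)\s*(.*)$/;
// Evidence that the value came off the network somewhere close by.
const NETWORK = /\bfetch\(|XMLHttpRequest|\.text\(\)|\.json\(\)|\bresponse\b/;

// Returns one finding per sink: { line, op, rhs, risk } with risk in
// 'static' | 'dynamic' | 'remote'.
function auditInnerHtmlSinks(source, lookback = 3) {
  const lines = source.split('\n');
  const findings = [];
  lines.forEach((line, i) => {
    const m = SINK.exec(line);
    if (!m) return;
    const rhs = m[2].replace(/[\s;})]+$/, '');   // drop trailing `; });`
    let risk;
    if (ONLY_LITERALS.test(rhs)) {
      risk = 'static';   // markup fixed at build time, no data can reach it
    } else {
      // Look at the preceding few lines for a network source feeding this value.
      const context = lines.slice(Math.max(0, i - lookback), i + 1).join('\n');
      risk = NETWORK.test(context) ? 'remote' : 'dynamic';
    }
    findings.push({ line: i + 1, op: m[1], rhs, risk });
  });
  return findings;
}

// Worst case across the file, for a one-line verdict like the report's.
const ORDER = { static: 0, dynamic: 1, remote: 2 };
function overallRisk(findings) {
  return findings.reduce((worst, f) => (ORDER[f.risk] > ORDER[worst] ? f.risk : worst), 'static');
}

// Minimum fix for the 'dynamic' / 'remote' cases when markup must be built as a
// string: escape every character that can open a tag, attribute or entity.
function escapeHtml(s) {
  const map = { '&': '&amp;', '<': '&lt;', '>': '&gt;', '"': '&quot;', "'": '&#39;' };
  return String(s).replace(/[&<>"']/g, c => map[c]);
}

const findings = auditInnerHtmlSinks(sampleContentScript);
console.log(findings);
console.log('overall:', overallRisk(findings));
```

On the constructed sample the two layout fixes come back as static, the banner helper as dynamic, and the fetched notice as remote; only the first two match the profile the report describes for the real extension. The regexes are a triage heuristic, not a parser: a literal containing `+` inside quotes is handled, but a sink fed through an intermediate variable defined far away still needs a manual read.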
The extension declares no Content Security Policy of its own. This is common for small tools, and the browser applies a default policy to the extension's own pages regardless; it simply means the browser's default is the only layer rather than one the developer has explicitly reviewed and tightened.
Technical: The manifest sets no content_security_policy key. Chrome then applies its Manifest V3 default (script-src 'self'; object-src 'self') to the extension's own pages, so remote and inline scripts cannot run there even without a custom policy; an explicit policy only documents and, where permitted, tightens that baseline. Neither the default nor a custom policy governs the content script: it executes inside the HKU ChatGPT page and is subject to that page's CSP, so a manifest CSP would not mitigate the innerHTML finding above.
💡 Many lightweight extensions omit the content_security_policy key and rely on the default. Because the key only governs the extension's own pages, leaving it out has no bearing on how the content script behaves on the target site.
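Both manifest-level findings on this page, the single-origin permission scope and the absent CSP key, reduce to checks a reviewer can run on manifest.json. The code below is an added example, not the extension's manifest or any tooling of the report's; the manifest object is constructed to match what the report describes (Manifest V3, one content script on https://chatgpt.hku.hk/*, no content_security_policy key), and the file name content.js is a placeholder. The output makes two points explicit: what policy is actually in force when the key is missing, and that no extension CSP ever covers the content script.

```javascript
// Added example, not the extension's own manifest or tooling. The manifest
// below is CONSTRUCTED to resemble the one the report describes.
const sampleManifest = {
  manifest_version: 3,
  name: 'Prettify HKU ChatGPT (constructed sample, not the published manifest)',
  version: '0.0.0',
  host_permissions: ['https://chatgpt.hku.hk/*'],
  content_scripts: [{ matches: ['https://chatgpt.hku.hk/*'], js: ['content.js'] }],
};

// Policy Chrome applies to an extension's own pages when the manifest sets none.
const DEFAULT_EXTENSION_CSP = "script-src 'self'; object-src 'self';";

const PATTERN = /^(\*|https?|wss?|file|ftp):\/\/([^/]*)\//;

// Reduce a match pattern to scheme://host; unrecognised patterns come back as-is.
function originOf(pattern) {
  const m = PATTERN.exec(pattern);
  return m ? `${m[1]}://${m[2]}` : pattern;
}

// A pattern is "broad" when it is not pinned to one host.
function isBroad(pattern) {
  if (pattern === '<all_urls>') return true;
  const m = PATTERN.exec(pattern);
  if (!m) return true;                       // unrecognised shape: review by hand
  const host = m[2];
  return host === '*' || host.startsWith('*.');
}

function auditManifest(manifest) {
  const contentScripts = manifest.content_scripts || [];
  // Both keys widen where the extension can act: host_permissions for API access
  // to page data, content_scripts.matches for where the script is injected.
  const patterns = [
    ...(manifest.host_permissions || []),
    ...contentScripts.flatMap(cs => cs.matches || []),
  ];
  const origins = [...new Set(patterns.map(originOf))];
  const broadPatterns = patterns.filter(isBroad);

  // MV2 stored the policy as a string; MV3 nests it under extension_pages.
  const cspKey = manifest.content_security_policy;
  const explicitCsp = typeof cspKey === 'string' ? cspKey : cspKey && cspKey.extension_pages;

  return {
    manifestVersion: manifest.manifest_version,
    origins,
    broadPatterns,
    singleOrigin: origins.length === 1 && broadPatterns.length === 0,
    cspExplicit: Boolean(explicitCsp),
    // What actually governs the popup/options pages and the service worker.
    effectiveCsp: explicitCsp || DEFAULT_EXTENSION_CSP,
    // Content scripts run inside the host page's DOM under the host page's
    // policy; the extension CSP never reaches them, so it cannot mitigate an
    // innerHTML sink in the content script.
    cspCoversContentScripts: false,
    contentScriptCount: contentScripts.length,
  };
}

console.log(auditManifest(sampleManifest));
```

For the constructed manifest the audit reports a single origin, no broad patterns, and cspExplicit false with the default policy as the effective one. Feeding it a manifest with `<all_urls>` or `*://*/*` flips singleOrigin to false and lists the offending patterns, which is the case where the report's "cannot see other websites" claim would no longer hold.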
Prettify HKU ChatGPT is a safe utility for fixing display issues on the HKU platform, as long as it keeps writing static markup and does not start pulling external or user-controlled content into the page. The primary technical risk is a standard DOM manipulation pattern (innerHTML) that appears in many layout-fixing tools; it is low-risk here given the single-site scope and the absence of network activity. Re-check this pattern when the extension updates, since a future version that fetches content into the same sink would change that assessment.