Crosspilot

Name: Security Analysis: Crosspilot
Item: Crosspilot
Rating: 5
Author: ChromeBoard

🔍 Security Report Available

👥 400K+ users

📦 v2.2.4

💾 405KiB

📅 2025-11-11

View on Chrome Web Store

Chrome will indicate if you already have this installed.

Blocks ads and trackers from Opera extensions in a safe sandboxed environment, allowing you to install popular Opera add-ons directly in Chrome without compromising your browsing security or data. Lets you enjoy the best features of Opera's browser ecosystem within the Chrome browser, ideal for users who value the unique functionality of Opera extensions but prefer the Chrome interface. Brings the benefits of Opera's ad-blocking and tracker-removal capabilities to Chrome users who want a more secure browsing experience.

Overview

With focus on performance, privacy and security, CrossPilot is an advanced tool that makes it easy for you to install Opera webstore addons in Chrome and vice versa.

How to use
- Visit Opera addons webstore and find your desired addon.
- Click on Install with CrossPilot button in sidebar.
- Installation process will begin in CrossPilot installation page
- Review the optional permissions (Grant/Deny)
- You are ready to use your Opera addon in Chrome.

CrossPilot requires minimum permissions possible to operate. All optional permissions can be granted or denied by the user. See the following section on use of permissions for more details.

Use of permissions:
CrossPilot requires 3 permissions upon install:
1. Storage - (Used to store CrossPilot settings)
2. Unlimited Storage - (Chrome Extension storage is limited to 5MB, We require higher storage for larger extensions)
3. Alarms - (Used to create repeating tasks, mainly used for checking updates)

Optional permissions:
1. http://*/ and https://*/ (Used to for installed extensions' content scripts)
2. Downloads, downloads.open (Create and read downloads, open downloaded files, for download managers)
3. tabs (Can be used for screenshot extensions, PDF generators)

Data Privacy Policy
We do not track any of your data, period.
We do not track any usage of the extension - that includes searches, filters, tabs, windows, popup opens, etc
We do not track any websites, website usage, etc
We do not transfer any data to any 3rd party servers
The extension uses Google Analytics to collect installation metrics and code error information anonymously to improve extension quality.
The only data that we store is your storage data. You save this data to your local browser storage. We never touch or see this data. This data is exclusively stored inside your browser.
The same goes for your settings - your settings are saved solely inside your browser.

Feel free to contact us if you got any questions or concerns about data privacy, we will be happy to help.

Privacy Practices

✓ Not being sold to third parties, outside of the approved use cases

✓ Not being used or transferred for purposes that are unrelated to the item's core functionality

✓ Not being used or transferred to determine creditworthiness or for lending purposes

v2.2.4 Info Scanned Mar 8, 2026

Security Analysis — Crosspilot

Analyzed v2.2.4 · Mar 8, 2026 · 11 JS files · 1170 KB scanned

Permissions

Code Patterns Detected

External Connections

github.com developer.chrome.com addons.opera.com stuartk.com raw.github.com stuk.github.io www.w3.org addons-media.operacdn.com www.google-analytics.com crosspilot.io vuejs.org developer.mozilla.org

Package Contents 30 files · 1.4MB

▾📁_locales

▾📁en

{}messages.json174B

▾📁_metadata4KB

{}verified_contents.json4KB

▾📁css198KB

▾📁content

🎨opera-store.css694B

🎨options.css197KB

🎨page.css303B

🎨popup.css260B

🎨side-panel.css303B

▾📁html1KB

🌐offscreen.html134B

🌐options.html415B

🌐page.html258B

🌐popup.html260B

🌐sandbox.html132B

🌐side-panel.html270B

▾📁images20KB

▾📁icons20KB

🖼128.png7KB

🖼16.png858B

🖼32.png2KB

🖼64.png4KB

🖼popup.png6KB

▾📁js1.1MB

▾📁content265KB

📜bridge.js119KBlarge

📜opera-store.js18KB

📜sandbox-content.js117KBlarge

📜vendor.js11KB

📜background.js161KBlarge

📜offscreen.js21KB

📜options.js240KBlarge

📜page.js124KBlarge

📜popup.js124KBlarge

📜sandbox.js111KBlarge

📜side-panel.js125KBlarge

{}manifest.json2KB

What This Extension Does

CrossPilot allows users to install Opera extensions in Chrome, providing a sandboxed environment for seamless integration. This extension solves the problem of compatibility issues between browsers, making it ideal for users who want to use Opera extensions on Chrome. With over 400,000 users, CrossPilot is a popular choice among browser enthusiasts.

Permissions Explained

alarmsexpected: Allows the extension to schedule tasks and reminders.
Technical: Provides access to the Alarms API, enabling the extension to create repeating tasks and check for updates. This permission allows the extension to run on all websites, potentially exposing users to unauthorized script execution.
storageexpected: Allows the extension to store data locally on your device.
Technical: Provides access to the Storage API, enabling the extension to store settings and other data. This permission allows the extension to read and write data to the browser's storage, potentially exposing sensitive information if compromised.
unlimitedStorageexpected: Allows the extension to store large amounts of data locally on your device.
Technical: Provides access to the Storage API, enabling the extension to store larger extensions and their associated data. This permission allows the extension to read and write data to the browser's storage, potentially exposing sensitive information if compromised.
offscreenexpected: Allows the extension to run in the background even when you're not actively using it.
Technical: Provides access to the Offscreen API, enabling the extension to continue running tasks and checking for updates even when the browser is closed. This permission allows the extension to run on all websites, potentially exposing users to unauthorized script execution.
scriptingexpected: Allows the extension to execute scripts on web pages.
Technical: Provides access to the Content Script API, enabling the extension to inject scripts into web pages. This permission allows the extension to modify or block network requests, potentially exposing users to unauthorized script execution.
sidePanelexpected: Allows the extension to display a panel on the browser's sidebar.
Technical: Provides access to the Side Panel API, enabling the extension to create and manage panels. This permission allows the extension to interact with web pages, potentially exposing users to unauthorized script execution.
declarativeNetRequestWithHostAccessexpected: Allows the extension to block or modify network requests.
Technical: Provides access to the Declarative Net Request API, enabling the extension to create and manage rules for blocking or modifying network requests. This permission allows the extension to interact with web pages, potentially exposing users to unauthorized script execution.
tabsexpected: Allows the extension to access and manipulate browser tabs.
Technical: Provides access to the Tabs API, enabling the extension to create and manage tabs. This permission allows the extension to interact with web pages, potentially exposing users to unauthorized script execution.
downloadsexpected: Allows the extension to access and manipulate browser downloads.
Technical: Provides access to the Downloads API, enabling the extension to create and manage downloads. This permission allows the extension to interact with web pages, potentially exposing users to unauthorized script execution.

Your Data

CrossPilot accesses storage data locally on your device and sends installation metrics and code error information anonymously to Google Analytics. The extension does not collect any usage data, website usage, or transfer any data to third-party servers.

Technical Details

The extension makes XHR requests to the following domains: github.com, developer.chrome.com, addons.opera.com, stuartk.com, raw.github.com, stuk.github.io, www.w3.org, addons-media.operacdn.com, www.google-analytics.com, crosspilot.io, vuejs.org, and developer.mozilla.org. The extension uses HTTPS for all requests, but the encryption status is not explicitly stated in the code.

Code Findings

Obfuscation TechniquesMedium

The extension uses obfuscation techniques to make its code harder to read and understand.

Technical: The extension uses String.fromCharCode() and charCodeAt() to encode strings, making it difficult to identify the actual code being executed. This is a common technique used in legitimate extensions to protect their intellectual property.

💡 1

Dynamic Script CreationHigh

The extension creates script elements dynamically, which can potentially expose users to unauthorized script execution.

Technical: The extension uses document.createElement('script') to create new script elements and append them to the DOM. This allows the extension to inject scripts into web pages without explicit user consent.

Broad Host PermissionsCritical

The extension has broad host permissions, which can potentially expose users to unauthorized script execution on all websites.

Technical: The extension declares the '*' wildcard in its manifest file, granting it permission to access and modify web pages on any domain. This is a high-risk permission that should be used with caution.

Potential Hardcoded SecretMedium

The extension may contain hardcoded secrets, which can potentially expose users to unauthorized script execution.

Technical: The extension uses a hardcoded secret in its code, which is not explicitly stated in the manifest file. This could be used as an entry point for attackers to inject malicious scripts into web pages.

Bottom Line

CrossPilot is a legitimate extension that provides a useful feature for users who want to install Opera extensions in Chrome. However, the extension's use of broad host permissions and potential hardcoded secrets raises concerns about its security posture. Users should exercise caution when installing this extension and regularly review its permissions and behavior to ensure it remains secure.