Csfloat Market Checker
Avoid unwanted surprises when buying or selling CS:GO & CS2 items on the Steam Market or in inventories with Csfloat Market Checker, a simple and easy-to-use extension that displays float values, paint seeds, and more. It lets you make informed decisions by providing essential information to serious collectors and traders, and is most useful to those who frequently purchase or sell rare items online.
Overview
CSFloat Market Checker uses the dedicated CS Float (formerly CSGO Float) API to allow you to retrieve the float values, 3D models, and screenshots of market items directly from the page!
GitHub: https://github.com/csfloat/extension
Note: Items queried will be ranked on FloatDB (csfloat.com)
Features:
* Allows verification for trades on CSFloat Market
* Allows you to retrieve the float, paint seed, and float rank of any market or inventory item
* Allows you to fetch the 3D model and screenshot of the item directly on the page
* Fetches all floats on the page fast and automatically on page load
* User-definable filters to highlight items with low floats or certain paint seeds
* Shows market item stickers at a glance and their wear
* Change the number of items on the page up to 100
Compatibility:
* This extension has been tested to work with Steam Inventory Helper and Enhanced Steam
* Since this extension doesn't hook and modify HTTP headers to bypass steamcommunity.com CSP, it should have greater compatibility with other extensions.
Please report issues using our GitHub issue tracker (https://github.com/csfloat/extension/issues).
Security Analysis — Csfloat Market Checker
Package Contents 170 files · 23.6MB
What This Extension Does
The Csfloat Market Checker extension provides a tool for CS:GO and CS2 item verification, float value retrieval, and market analysis. It solves the problem of verifying trades and retrieving item information on the Steam Market or Inventories. This extension is suitable for users who frequently trade or collect items in these games.
Permissions Explained
- storage (expected): This permission allows the extension to store data locally on your device, such as user preferences and cache.
Technical: The extension uses the chrome.storage API to access local storage, which can be accessed by other extensions or malicious code if compromised. This permission is necessary for storing user-defined filters and settings.
- scripting (expected): This permission allows the extension to execute scripts on your device, which can be used to modify or access sensitive data.
Technical: The extension uses the chrome.scripting API to inject content scripts into web pages, which can potentially lead to XSS attacks if compromised. This permission is necessary for injecting scripts into Steam Market and Inventory pages.
- alarms (expected): This permission allows the extension to schedule background tasks, which can be used to periodically check for updates or perform other maintenance tasks.
Technical: The extension uses the chrome.alarms API to schedule periodic checks for new versions and updates, but this permission is not strictly necessary for its core functionality.
- declarativeNetRequestWithHostAccess (expected): This permission allows the extension to modify or block network requests made by web pages, which can be used to bypass certain security restrictions or inject malicious content.
Technical: The extension uses this permission to block or modify network requests to Steam Market and Inventory pages, but it does not appear to use this capability for malicious purposes. This permission is necessary for its core functionality.
- offscreen (expected): This permission allows the extension to render web content off-screen, which can be used to perform tasks that are not visible to the user.
Technical: The extension uses this permission to render Steam Market and Inventory pages off-screen for analysis purposes, but it does not appear to use this capability for malicious purposes. This permission is necessary for its core functionality.
- *://*.steamcommunity.com/market/listings/730/* (expected): This permission allows the extension to access Steam Market listings for CS:GO items.
Technical: The extension uses this permission to inject scripts into Steam Market pages and retrieve item information. This permission is necessary for its core functionality.
- *://*.steamcommunity.com/id/*/inventory* (expected): This permission allows the extension to access user inventory data on Steam.
Technical: The extension uses this permission to inject scripts into user inventory pages and retrieve item information. This permission is necessary for its core functionality.
- *://*.steamcommunity.com/id/*/tradehistory* (expected): This permission allows the extension to access user trade history data on Steam.
Technical: The extension uses this permission to inject scripts into user trade history pages and retrieve item information. This permission is necessary for its core functionality.
- *://*.steamcommunity.com/profiles/*/inventory* (expected): This permission allows the extension to access user inventory data on Steam, including profiles.
Technical: The extension uses this permission to inject scripts into user inventory pages and retrieve item information. This permission is necessary for its core functionality.
Your Data
The extension accesses Steam Market and Inventory data, including user inventory and trade history, to provide item verification and analysis features. It also stores user preferences and cache locally on the device.
Technical Details
Code Findings
The extension uses dynamic code execution, which can potentially lead to XSS attacks if compromised.
Technical: The extension uses the Function constructor to execute dynamic code in its content scripts. This is a high-risk behavior that requires careful review and testing.
💡 Dynamic code execution is commonly used in legitimate extensions for tasks such as injecting scripts into web pages or performing complex calculations.
The extension loads external scripts from unknown sources, which can potentially lead to XSS attacks if compromised.
Technical: The extension uses the chrome.scripting API to load external scripts into its content scripts. This is a high-risk behavior that requires careful review and testing.
💡 Loading external scripts is commonly used in legitimate extensions for tasks such as injecting scripts into web pages or performing complex calculations.
The extension uses dynamic JavaScript imports, which can potentially lead to security issues if compromised.
Technical: The extension uses the import() function to dynamically load JavaScript modules. This is a medium-risk behavior that requires careful review and testing.
💡 Dynamic JS imports are commonly used in legitimate extensions for tasks such as injecting scripts into web pages or performing complex calculations.
The extension uses innerHTML assignment, which can potentially lead to XSS attacks if compromised.
Technical: The extension uses the innerHTML property to assign HTML content to its elements. This is a medium-risk behavior that requires careful review and testing.
💡 innerHTML assignment is commonly used in legitimate extensions for tasks such as injecting scripts into web pages or performing complex calculations.
The extension uses charCodeAt obfuscation, which can potentially lead to security issues if compromised.
Technical: The extension uses the charCodeAt method to obfuscate its code. This is a medium-risk behavior that requires careful review and testing.
💡 charCodeAt obfuscation is commonly used in legitimate extensions for tasks such as protecting sensitive data or preventing reverse engineering.
The extension establishes WebSocket connections, which can potentially lead to security issues if compromised.
Technical: The extension uses the WebSocket API to establish real-time connections with its servers. This is a high-risk behavior that requires careful review and testing.
💡 WebSocket connections are commonly used in legitimate extensions for tasks such as providing real-time updates or performing complex calculations.
The extension creates script elements dynamically, which can potentially lead to XSS attacks if compromised.
Technical: The extension uses the document.createElement method to create script elements dynamically. This is a high-risk behavior that requires careful review and testing.
💡 Script element creation is commonly used in legitimate extensions for tasks such as injecting scripts into web pages or performing complex calculations.
The extension can block or modify network requests, which can potentially lead to security issues if compromised.
Technical: The extension uses the declarativeNetRequestWithHostAccess permission to block or modify network requests. This is a high-risk behavior that requires careful review and testing.
💡 Network request blocking is commonly used in legitimate extensions for tasks such as protecting sensitive data or preventing reverse engineering.
The extension uses postMessage to communicate with other scripts across origins, which can potentially lead to security issues if compromised.
Technical: The extension uses the postMessage method to send messages to other scripts across origins. This is a medium-risk behavior that requires careful review and testing.
💡 postMessage cross-origin comms are commonly used in legitimate extensions for tasks such as providing real-time updates or performing complex calculations.
The Csfloat Market Checker extension has a moderate to high risk profile due to its use of dynamic code execution, external script loading, and WebSocket connections. While it appears to be a legitimate extension with a clear purpose, users should exercise caution when installing and using it. We recommend reviewing the extension's code and permissions carefully before installation.