Pixels Dndbeyond Integrat
Overview
With this extension you can use dice from "Pixels - Light up your game" on a DnDBeyond character sheet. For this extension to properly work, your browser needs to support the Web Bluetooth API.
Support for Beyond20 is now better than ever, with partial API support!
When the following Chrome flag is enabled, Pixels will automatically reconnect when the page is opened: chrome://flags/#enable-web-bluetooth-new-permissions-backend
This extension now also works with Chrome-based mobile browsers that support extensions. Check it out!
This extension is open source and released under the MIT license.
Security Analysis — Pixels Dndbeyond Integrat
Package Contents 13 files · 598KB
What This Extension Does
Pixels Dndbeyond Integrat is a lightweight browser extension designed for tabletop role-playing game enthusiasts to integrate pixel-based dice rolling directly into the DnDBeyond platform. It solves the problem of needing external tools or manual calculations by injecting custom scripts that render and animate dice rolls within specific character and combat tracker pages. With no high-risk permissions and minimal network activity, it serves as a utility tool for gamers looking to enhance their digital campaign management experience.
Permissions Explained
- activeTab (expected): This permission allows the extension to run code only on specific websites you visit (DnDBeyond), ensuring it cannot see your banking, email, or other personal sites.
Technical: The 'activeTab' host permission grants access to the DOM and execution context of the currently focused tab. It enables content scripts to read page structure via document.querySelector and inject event listeners. The attack surface is limited to the DnDBeyond domain; if compromised, an attacker could theoretically manipulate the dice roll display or exfiltrate data from that specific site's memory.
Your Data
The extension communicates with DnDBeyond servers to fetch character data and GitHub for updates. It does not appear to send user credentials or sensitive personal information to third-party trackers based on the provided network list.
Technical Details
Code Findings
The extension uses a common coding trick to hide its code, making it slightly harder for average users to read. This is usually harmless but can sometimes be used by bad actors to hide malicious behavior.
Technical: Code analysis detected the use of charCodeAt() in a pattern typical of string obfuscation (e.g., iterating over a string and checking character codes). This prevents static analysis tools from easily reading the logic. While often used for license protection or minification, it increases the cognitive load for security auditors trying to verify code integrity.
💡 Developers frequently use obfuscation to protect proprietary algorithms (like dice rolling logic) or to reduce file size by removing whitespace and comments before re-encoding.
The extension saves settings like dice preferences or roll history to your browser's local storage. This is necessary for the app to remember your choices between sessions.
Technical: The code utilizes chrome.storage.sync or chrome.storage.local APIs. Writes are scoped to the active tab's origin. If a malicious actor injected code into DnDBeyond, they could potentially read these values, but since the extension itself is trusted by the user, this is a standard state management pattern.
💡 Extensions require persistent storage to maintain user preferences, cache data, or store session tokens without constantly re-prompting the user.
The extension injects code into many different parts of DnDBeyond, including character sheets and combat trackers. While intended for functionality, injecting into every page type increases the potential surface area for bugs.
Technical: Manifest V3 content scripts are registered against wildcards like https://www.dndbeyond.com/characters/* and https://www.dndbeyond.com/combat-tracker/*. This means the script runs regardless of whether it is needed on that specific sub-page, potentially causing performance overhead or unintended side effects if the DOM structure changes.
💡 Developers often use broad match patterns to ensure features work across all variations of a page (e.g., mobile vs desktop, different character templates) without maintaining separate rules for each.
Pixels Dndbeyond Integrat presents a low-risk profile suitable for gamers who trust the developer. The extension operates strictly within the DnDBeyond ecosystem with no dangerous permissions, and its primary findings are standard development practices (obfuscation, storage usage) rather than security vulnerabilities. Users can safely install this to enhance their dice rolling experience, provided they only use it on the intended gaming website.