Rhippo
✨ AI-Powered 🔍 Security Report Available View on Chrome Web StoreChrome will indicate if you already have this installed.
Overview
Transform your favorite LLM chatbot into an intelligent team member that actively contributes to your team's projects in less than 10 minutes!
Create a Rhippo "brain" that automatically inject relevant context into your prompts, maintains an asynchronously updating knowledge database containing only the most important information to your project, and is sharable with up to 50 other team members!
Features include:
- Dynamically updating knowledge databases.
- Slack and Google Drive integration.
- State-of-the-art embedding models that grab exactly the relevant information.
- Complete data transparency via Google Drive.
- Instant improvement in response quality.
Tags
Privacy Practices
Security Analysis — Rhippo
Permissions
Code Patterns Detected
External Connections
Package Contents 36 files · 2.8MB
What This Extension Does
Rhippo is a productivity extension designed to enhance Large Language Model (LLM) interactions by injecting project context, maintaining a knowledge database, and integrating with tools like Slack and Google Drive. It aims to turn LLMs into collaborative team members by dynamically updating information across supported chat interfaces. The extension requires broad access to specific AI platforms and utilizes dynamic code execution patterns that warrant careful scrutiny.
Permissions Explained
- identityexpected: This permission allows the extension to sign you in to websites like Google or GitHub automatically, which is necessary for it to save your project data to your Google Drive and access your Slack workspace.
Technical: Accesses chrome.identity.getAuthToken({sourceWindow: window}) and chrome.identity.launchWebAuthFlow. This grants the ability to impersonate the user's session on OAuth providers. If compromised, an attacker could potentially harvest tokens or force authentication flows. - storageexpected: Allows the extension to save your project notes, knowledge base entries, and settings locally in your browser's secure storage area.
Technical: Accesses chrome.storage.local and chrome.storage.sync. This is standard for extensions but means local data can be read by other malicious extensions if they have access to the same origin or via storage API abuse. - <all_urls>expected: Grants the extension permission to run code on any website you visit. This is required for it to inject its functionality into various LLM chat interfaces.
Technical: Accesses <all_urls> manifest key. Combined with content script injection, this allows execution in specific domains (chatgpt.com, claude.ai, etc.). While necessary for the feature set, it expands the attack surface if the extension is compromised or contains vulnerabilities.
Your Data
The extension sends data to its own servers (rhipposerver.rhizom.co) and Google's OAuth infrastructure. It accesses page content from specific LLM sites to inject context, storing this information locally before syncing it with your Google Drive.
Technical Details
Code Findings
The extension uses a technique to create functions on the fly. While often used for legitimate optimization, this method can sometimes hide malicious code or make it harder to inspect what the extension is actually doing.
Technical: Code pattern: new Function('...'). This creates a constructor function that executes immediately. Risk vector includes obfuscation of logic and potential bypassing of static analysis tools. If the string passed to this constructor contains user input, it could lead to Remote Code Execution (RCE) in the context of the extension.
💡 Commonly used for dynamic feature loading or creating specific function signatures without cluttering global scope with unused variables.
The extension modifies web pages by inserting HTML content directly. If it pulls data from an untrusted source or if its own code is compromised, this could allow attackers to inject malicious scripts into your chat windows.
Technical: Code pattern: element.innerHTML = '...'. This bypasses the browser's automatic sanitization for text nodes. Risk vector is Cross-Site Scripting (XSS) within the context of the injected content script. An attacker with control over the extension could inject a payload that executes when the user interacts with the chat interface.
💡 Standard DOM manipulation technique used to render dynamic UI components, notifications, or injected prompts into the page.
The extension does not enforce strict security rules on which scripts can run. This makes it slightly easier for vulnerabilities to be exploited compared to extensions that use a tight Content Security Policy.
Technical: Manifest analysis shows 'Content Security Policy': not set. Without a CSP, the browser allows default script execution policies. This increases the risk of unintended script loading if the extension fetches resources from compromised third-party CDNs.
💡 Many simple extensions omit CSP to avoid breaking functionality on complex sites or due to lack of awareness regarding CSP configuration in Manifest V3.
The analysis suggests the extension might contain hardcoded secrets (like API keys or tokens). If these are real, they could be stolen by anyone who inspects the code, potentially allowing unauthorized access to your Google Drive or Slack.
Technical: Static analysis flags potential hardcoded strings resembling secrets. Risk vector is credential theft via source code inspection or decompilation of the extension bundle. Attackers can extract these values and use them to impersonate the user on external services.
💡 Sometimes developers accidentally commit debug keys or use placeholder secrets that are never replaced in production builds.
Rhippo appears to be a functional productivity tool that aligns with its stated purpose of enhancing LLM interactions. However, the combination of dynamic code execution, obfuscation techniques, and potential hardcoded secrets raises moderate security concerns. Users should exercise caution, particularly regarding the 'hardcoded secret' finding which could compromise account integrity if verified. It is recommended to review the source code if possible or use it only with non-sensitive projects until a more transparent build is available.
