
Steam Inventory Helper

👥 1M+ users · 📦 v2.9.12 · 💾 72.3 MiB · 📅 2026-02-22

Overview

Enhanced Steam Experience with SIH

Streamline your Steam trading and inventory management with powerful tools for easier item selling, price comparisons, and inventory valuation.

Key Features:

- Fast Multi-Item Sales: List hundreds of items for sale with just a few clicks.
- Detailed Item Information: See float values, pattern indices, and prices of applied stickers and charms directly on item listings.
- Inventory Valuation: View the total worth of your inventory based on prices from your chosen marketplace or service.
- Price Comparisons: Compare item prices across global marketplaces for more informed trading.
- Stacking Feature: Group identical items for easier browsing and organization.
- Profit Calculation: Calculate profitability of items on the Steam Market.
- Trade Notifications and Quick Accept: Get real-time trade information, with optional quick-accept features to confirm incoming trades directly.
- Inventory Insights: Check if items are currently in use within the game or are part of a pending trade.
- Quick Purchase Options: Buy items on the Steam Marketplace faster, with a quick-set purchase button to complete your collection directly from the inventory.

Additional functionalities and enhanced features are exclusive to Steam Inventory Helper! Some features require authentication in the Steam community.

Permissions Required:

- Access to Steam Sites (`*://*.steampowered.com/*` and `*://steamcommunity.com/*`): This allows the extension to enhance your experience on Steam-powered platforms, displaying item information, inventory valuation, and pricing features.
- Access to Gainskins API (`*://sih.gainskins.com/*`): Provides Steam item pricing within your inventory, allowing access to public data on games, user profiles, and item details for improved accuracy in pricing and item statistics.
- SteamCharts Access (`*://steamcharts.com/*`): Used to gather real-time game statistics and currency conversion rates for accurate market information.
- Market.CSGO Access (`*://market.csgo.com/*`): Enables integration with market.csgo for trade offers (only after the user enables this feature within settings).
- SteamRep Access (`*://steamrep.com/*`): Allows access to public profile information, such as trade bans, VAC bans, or community bans, helping you make safer trading decisions.
- host_permissions `<all_urls>` (fetching data from Steam and other marketplaces): Required for integration and display of real-time item prices and other relevant information across various trading platforms. This enables users to view up-to-date data for effective price comparison and optimal purchasing.
- notifications: Used to send important notifications to the user about trade statuses, price updates, and other real-time events related to item trading on Steam.
- alarms: Required for scheduling periodic tasks, such as price and inventory updates, to keep user information current without impacting browser performance.
- storage: Used to locally store user preferences and settings, enhancing personalization and usability without the need to reconfigure the extension each time it’s opened.
- unlimitedStorage: Required for storing large volumes of price and inventory data, allowing the extension to deliver information quickly without the 5 MB standard limit.
- background: This permission allows SIH to operate in the background to perform tasks like price updates and trade monitoring, improving the functionality and efficiency of the extension.
- webRequest: Used for analyzing and adjusting network requests, which ensures proper integration with the various trading platforms SIH works with and protects against fraudulent sites.
- declarativeNetRequest: This permission helps filter and modify network requests to protect user data and provide only relevant information about trades and prices. It avoids the need to route data through our servers.
- declarativeNetRequestFeedback: Used to receive feedback on the status of network requests, allowing SIH to provide users with accurate information while maintaining proper data security.
- cookies: Used to store login status information, allowing SIH to operate without repeatedly requesting login credentials, while providing personalized access to Steam and trade data.
- activeTab: This permission allows SIH to interact with the active tab, automatically loading prices and item information for the user without extra navigation steps.
- management: Used to check compatibility with other installed extensions that might conflict with SIH, allowing SIH to warn the user of potential risks and maintain extension stability.

For more information and updates, please visit our official channels:

- Official Website: steaminventoryhelper.com
- Official Steam Group: https://steamcommunity.com/groups/SteamInventoryHelper
- Technical Support Email: sihtechnic@gmail.com
- Developer Contact Email: csinvhelp@gmail.com

Please refer to our change logs and FAQs for updates.

Tags

Productivity/workflow

Privacy Practices

- Not being sold to third parties, outside of the approved use cases
- Not being used or transferred for purposes that are unrelated to the item's core functionality
- Not being used or transferred to determine creditworthiness or for lending purposes

v2.9.12 · Critical · Scanned Feb 24, 2026

Security Analysis — Steam Inventory Helper

Analyzed v2.9.12 · Feb 24, 2026 · 222 JS files · 38150 KB scanned

Permissions

notifications, alarms, storage, unlimitedStorage, background, webRequest, declarativeNetRequest, declarativeNetRequestFeedback, cookies, activeTab, management, `<all_urls>`

Code Patterns Detected

  • eval() used — can execute arbitrary code
  • Function constructor used — dynamic code execution
  • setTimeout with string (dynamic code)
  • Loads external scripts in service worker
  • innerHTML assignment — potential XSS vector
  • String.fromCharCode (obfuscation)
  • charCodeAt (obfuscation)
  • Makes XHR requests
  • Uses Fetch API
  • Opens WebSocket connections
  • Creates script elements dynamically
  • Reads browser storage
  • Writes to browser storage
  • Writes to clipboard
  • Shows notifications
  • Potential hardcoded secret
  • Uses postMessage for cross-origin comms
  • Sets up event listeners

External Connections

github.com, www.w3.org, steamcommunity.com, sih.app, t.sih-db.com, store.steampowered.com, cdn.akamai.steamstatic.com, api.steampowered.com, community.fastly.steamstatic.com, sihrep.com, community.akamai.steamstatic.com, steamcommunity-a.akamaihd.net, +8 more

What This Extension Does

Steam Inventory Helper enhances the Steam trading experience by offering tools for inventory management, price comparisons, item selling automation, and trade notifications. It is designed to help users streamline their Steam market activities and make informed decisions about trades and purchases. The extension targets frequent Steam traders and collectors who want more control over their inventory and marketplace interactions.

Permissions Explained

  • notifications (expected): Allows the extension to show alerts or messages in your browser, such as trade confirmations or price updates.
    Technical: Uses Chrome's `chrome.notifications` API. Can display pop-ups and system notifications but does not access personal data unless triggered by user interaction.
  • alarms (expected): Enables the extension to schedule periodic tasks like updating prices or checking inventory status without needing constant browser activity.
    Technical: Uses the `chrome.alarms` API for background scheduling. No direct data access; used only for timing and task execution.
  • storage (expected): Stores user preferences, settings, or cached information locally on your device to remember choices between sessions.
    Technical: Uses the `chrome.storage` API for local data persistence. Data is stored in the browser's private storage and not shared externally unless explicitly sent via network requests.
  • unlimitedStorage (expected): Gives the extension permission to store large amounts of data locally, which may be needed for caching or storing extensive metadata.
    Technical: Allows unlimited use of `chrome.storage.local`. While not inherently malicious, it can allow excessive local storage usage if misused. Not directly tied to user privacy risks unless abused.
  • background (expected): Enables the extension to run in the background even when you are not actively using it, allowing continuous monitoring or updates.
    Technical: Uses a service worker for persistent execution. Can monitor network activity and respond to events without user interaction.
  • webRequest (check this): Allows the extension to intercept, modify, or block web requests made by your browser when visiting Steam sites.
    Technical: Uses the `chrome.webRequest` API. Can inspect and alter HTTP traffic; poses a risk if misused for data exfiltration or man-in-the-middle attacks. ⚠ 1
  • declarativeNetRequest (expected): Enables the extension to block or modify network requests based on predefined rules, such as filtering ads or redirecting traffic.
    Technical: Used for dynamic request blocking/modification. Can affect how data flows through the browser but is limited by rule definitions set at install time.
  • declarativeNetRequestFeedback (expected): Provides feedback on declarative network request rules, helping with debugging or performance optimization of filters.
    Technical: Used for internal logging and diagnostics. Does not expose user data directly but may reveal usage patterns to developers.
  • cookies (check this): Grants access to cookies stored by websites, which can be used to maintain login sessions or track browsing behavior.
    Technical: Uses the `chrome.cookies` API. Can read/write session tokens and authentication data from sites like Steam; poses a high risk if misused for impersonation. ⚠ 1
  • activeTab (expected): Gives the extension access to the currently active tab, allowing it to interact with or read content from that page.
    Technical: Used for injecting scripts into current tabs. Limited scope but can be leveraged to extract sensitive data if combined with other techniques like XSS.
  • management (check this): Allows the extension to manage or uninstall other extensions, potentially affecting your browser environment.
    Technical: Uses the `chrome.management` API. Could be used for malicious purposes like disabling security tools or removing competing extensions; however, this is not observed in code. ⚠ 1
  • `<all_urls>` (check this): Grants broad access to all websites and domains, allowing the extension to operate across any site.
    Technical: Extremely permissive. Allows full control over network traffic and content injection on every website visited. Risk is elevated due to potential misuse for tracking or data theft. ⚠ 1

Your Data

The extension accesses your Steam account information, inventory details, and trade offers through direct integration with Steam's servers. It also communicates with third-party services like Gainskins API, SteamCharts, and others to fetch pricing data or profile information. Data is sent over HTTPS where possible but may include sensitive session tokens.

Technical Details

| Domain | Protocol | Encryption status | Data types |
|---|---|---|---|
| steamcommunity.com | HTTPS | Encrypted | cookies, session tokens, inventory data |
| sih.gainskins.com | HTTPS | Encrypted | item prices, marketplace data |
| steamcharts.com | HTTPS | Encrypted | game statistics, currency conversion rates |
| market.csgo.com | HTTPS | Encrypted | trade offer data, item listings |
| steamrep.com | HTTPS | Encrypted | profile ban status, community reputation info |
| sih.app | HTTPS | Encrypted | user preferences, analytics data |

Code Findings

Use of eval() and Function constructor for dynamic code execution (High)

The extension uses methods that allow it to run arbitrary JavaScript code at runtime, which can be dangerous if the input is not properly sanitized.

Technical: Code contains calls to `eval()` and the `Function` constructor. These are often used for obfuscation or dynamic behavior but pose a risk of executing unintended scripts if inputs come from untrusted sources.

💡 Common in extensions that dynamically generate UI components or handle complex data transformations, especially when dealing with external APIs.

setTimeout with string argument (dynamic code execution) (High)

The extension uses setTimeout with a string parameter, which can lead to unsafe evaluation of dynamic JavaScript strings.

Technical: Found in background scripts where `setTimeout('someFunction()', delay)` is used. This pattern bypasses some security checks and allows execution of arbitrary code if the string contains malicious input.

💡 Used occasionally for delayed script execution, but should be avoided when possible due to potential risks.

External scripts loaded in service worker (High)

The extension loads external JavaScript files directly inside its background process, which could allow attackers to inject malicious code if those sources are compromised.

Technical: Service workers load remote scripts from domains like GitHub or other CDNs. If these resources are hijacked, they can be used for code injection attacks targeting the browser environment.

💡 Used in some legitimate extensions that rely on external libraries or CDN-hosted assets to reduce local bundle size.

innerHTML assignment with potential XSS vector (Medium)

The extension assigns HTML content directly into elements using innerHTML, which can lead to cross-site scripting vulnerabilities if the input is not sanitized.

Technical: Code uses `element.innerHTML = ...` where user-provided or fetched data may be inserted. Without proper sanitization, this could allow attackers to inject scripts that run in the context of the page.

💡 Common for rendering dynamic UI elements; however, requires careful handling when dealing with untrusted content.

String.fromCharCode and charCodeAt used for obfuscation (Medium)

The extension uses character manipulation functions to hide code or data, which is often a sign of obfuscation techniques that make analysis harder.

Technical: Found in multiple files using `String.fromCharCode()` and `.charCodeAt()`. These are commonly used for encoding strings to avoid detection by static analyzers but can also mask malicious behavior.

💡 Used in legitimate extensions to protect intellectual property or reduce file size, though it increases difficulty of auditing code.

Dynamic script element creation (High)

The extension dynamically creates new script tags and injects them into pages, which can be used to run arbitrary JavaScript in the context of Steam or other sites.

Technical: Code includes `document.createElement('script')` followed by assignment of `.src` or `.text`. This allows for remote code execution if source URLs are manipulated or compromised.

💡 Used for injecting libraries like jQuery or analytics scripts; however, it must be done carefully to prevent injection attacks.

WebSocket connections opened (Medium)

The extension opens real-time communication channels with servers, which can be used for live updates or data synchronization.

Technical: Uses `new WebSocket()` to connect to external services. While useful for real-time features like trade notifications, it could also serve as a channel for exfiltrating sensitive information if not secured properly.

💡 Common in extensions that require live updates from backend systems or push notifications.

Clipboard access (Medium)

The extension has permission to read and write data to your clipboard, which could be misused for phishing or stealing sensitive information.

Technical: Code uses `navigator.clipboard.writeText()` or similar APIs. If combined with malicious intent, it can steal passwords or other secrets copied by the user.

💡 Used in extensions that help users copy trade links or item IDs quickly; however, requires careful implementation to avoid abuse.

Potential hardcoded secret (Medium)

There may be a hard-coded API key or token in the extension's code that could expose sensitive backend access if discovered by attackers.

Technical: Code analysis reveals references to potential secrets, possibly related to internal APIs or third-party integrations. Hardcoded credentials increase risk of unauthorized access if exposed.

💡 Sometimes used during development and testing phases; however, should be removed before release in production builds.

Cross-origin communication via postMessage (Medium)

The extension communicates with other domains using postMessage, which allows secure cross-frame messaging but can still pose risks if not handled carefully.

Technical: Uses `window.postMessage()` to send messages between frames or windows. If message targets are not strictly validated, it could allow unauthorized access to sensitive data.

💡 Standard practice for inter-extension communication and embedding content from trusted domains; however, requires strict validation of origins and payloads.

Bottom Line

Steam Inventory Helper is a feature-rich extension that enhances Steam trading workflows but raises several security concerns due to its broad permissions and use of potentially risky code patterns. While many features align with the stated purpose, some practices like dynamic script loading, eval usage, and excessive access to cookies or all URLs increase attack surface. Users should exercise caution when installing this extension unless they fully trust the developer's intentions and have reviewed the source code themselves.
