About CRXplorer

CRXplorer is a browser extension security analysis platform: it scans Chrome extensions and reports how risky they are to use. The Serval CRXplorer integration connects your team’s CRXplorer account so workflows can scan any Chrome extension, by extension ID or Chrome Web Store link, and act on the structured analysis that comes back: overall and per-category risk scores, a clear should-use recommendation, safety guidance, and store listing details.

Authentication: A CRXplorer API token, pasted once by an admin. Serval stores it encrypted and attaches it to every CRXplorer request automatically. The token is only ever sent to one host for this integration: api.crxplorer.com.

Data sync: On-demand only. There is no background sync, no webhooks, and no imported data. Serval contacts CRXplorer only when a workflow runs a scan or when the connection health checks run.

What the CRXplorer integration enables

| Capability | Description |
| --- | --- |
| Scan an extension by ID or store link | Submit a raw Chrome extension ID or a full Chrome Web Store link and get back a structured security analysis. Scans can optionally include details such as extension version, browser type, hostname, and username. |
| Risk scoring and analysis | Every scan returns an overall score, an overall risk level, and per-category scores for permissions, content scripts, web accessible resources, content security policy, and externally connectable behavior, each with a written justification. |
| Usage recommendation and safety guidance | Each result includes a should-use recommendation with reasoning, a browser impact analysis (what data the extension can collect and how it can interact with the browser), and safety guidelines split into security, privacy, and usage lists. |
| Store listing details | Results carry the Chrome Web Store listing: extension name, total users, ratings, reviews, developer email, offered-by, latest version, last updated, size, and privacy policy text. |
| Cached or fresh scans with shareable results | Reuse CRXplorer’s cached results for speed, or force a fresh scan attributed to a specific hostname and username. Every result includes a shareable link and a downloadable report link. |
| Workflow access | Workflow builders run all of the above through the “CRXplorer API request” action. |

Anything defined in the CRXplorer API can be accessed through Serval.

Get your credentials

You need an API token from your CRXplorer account. Tokens are created in the CRXplorer web app and are shown only once, so have a safe place ready to paste it.
1. Log in to CRXplorer

Go to your CRXplorer account page and sign in.

2. Create a token

Click Create New Token.

3. Copy the token immediately

Copy the generated API token right away and keep it somewhere safe until you have pasted it into Serval.
The token is viewable only once, when it is created. If you close the dialog without copying it, create a new token.

Connect in Serval

1. Open the CRXplorer connect form

In Serval, open the connect form for CRXplorer. The dialog is titled “Configure CRXplorer”.

2. Paste your API token

Paste the token into the API Token field. The field is required (marked with an asterisk) and shows the helper text “Your CRXplorer API token for accessing the browser extension scanning API” underneath.

3. Save the connection

Click Submit. If saving fails, you will see “Failed to install integration” or “Failed to save configuration. Please try again.” - check the token and retry.
Serval does not test the token against CRXplorer when you connect. A mistyped or revoked token will still save successfully, so always run the health checks below right after connecting.
When you later reopen the connection settings, the saved token is displayed masked: bullet characters followed by its last 4 characters, with a Replace button beside it. You do not need to re-enter the token to save other changes - leaving the masked value alone keeps the saved token. To rotate the token, click Replace, paste the complete new token, and save. Success shows “CRXplorer updated”; if it fails, you will see “Failed to update integration”.

Verifying the connection

The integration ships four health checks. The first three reuse CRXplorer’s cached results where available; the last one runs a real scan each time.
  • Test CRXplorer API connectivity - scans the Google Translate extension using a cached result to confirm your token works. Success: “Successfully connected to CRXplorer API”. Failure: “Failed to connect to CRXplorer API: [error details]”.
  • Scan Chrome extension by ID - scans the Adobe Acrobat extension by its ID and reads back the extension name and risk level. Success: “Successfully scanned extension by ID”. Failure: “Failed to scan extension: [error details]”.
  • Scan extension by Chrome Web Store URL - scans Google Translate using its full Chrome Web Store link and reads back the extension name and overall score. Success: “Successfully scanned extension by URL”. Failure: “Failed to scan extension by URL: [error details]”.
  • Force new scan of extension - triggers a fresh scan of the LastPass extension and reads back the shareable link, the report link, and the should-use recommendation. Success: “Successfully forced new scan”. Failure: “Failed to force new scan: [error details]”.
If the first three checks pass but “Force new scan of extension” fails, look at your CRXplorer account first. It is the only check that consumes a real scan, so account-side limits can fail it while the cached-result checks stay green.

Gotchas and troubleshooting

Serval accepts whatever token you paste without verifying it against CRXplorer, so a wrong or revoked token only surfaces later, when health checks or workflow scans fail. Run “Test CRXplorer API connectivity” right after connecting, and reconnect with a freshly created token if it fails.
The “Force new scan of extension” health check triggers a fresh scan of the LastPass extension on every run, which may count against your CRXplorer account’s scan usage. These scans are attributed to hostname “test-workstation” and username “healthcheck-user”, so entries like that in your CRXplorer scan logs are expected.
CRXplorer’s API offers exactly one operation: run a scan. There is no way to list past scans or fetch an old result. If you will need a result later, have your workflow capture the shareable link and the report link from the response at scan time.
When you reopen the settings, the stored token appears as bullet characters plus its last 4 characters - the full value is never re-displayed. Use those trailing characters to confirm which token is on file. Saving the form without clicking Replace keeps the existing token, and even saving with the replacement field left blank keeps it - only a new non-empty value replaces the stored token.
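
Because a past result cannot be fetched again, a workflow step that acts on a scan should store the decision together with the shareable and report links in one record. The sketch below is an added example, not Serval or CRXplorer code; every field name, the risk-level strings, and the sample result are assumptions constructed for illustration and must be mapped to the fields your scan responses actually contain.

```python
from datetime import datetime, timezone

# All field names and risk-level strings below are assumptions made for this
# example; map them to the fields your CRXplorer responses actually contain.
CATEGORIES = ("permissions", "content_scripts", "web_accessible_resources",
              "content_security_policy", "externally_connectable")
BLOCKING_LEVELS = {"high", "critical"}  # assumed values; set per your policy


def triage_scan(result, scanned_at=None):
    """Return a storable record: decision, reasons and evidence links."""
    reasons = []
    level = str(result.get("overall_risk_level", "")).lower()
    if level in BLOCKING_LEVELS:
        reasons.append(f"overall risk level is {level}")
    if result.get("should_use") is not True:
        reasons.append("no positive should-use recommendation")
    # Keep each category's written justification so reviewers see why.
    findings = {}
    for name in CATEGORIES:
        cat = result.get("categories", {}).get(name)
        if cat is None:
            reasons.append(f"category missing from result: {name}")
        else:
            findings[name] = cat.get("justification", "")
    # The API cannot fetch an old result, so the links must be saved now.
    links = {k: result.get(k) for k in ("share_url", "report_url")}
    missing = [k for k, v in links.items() if not v]
    if missing:
        reasons.append("evidence link missing: " + ", ".join(missing))
    return {
        "extension_id": result.get("extension_id"),
        "decision": "review" if reasons else "allow",
        "reasons": reasons,
        "findings": findings,
        "links": links,
        "scanned_at": (scanned_at or datetime.now(timezone.utc)).isoformat(),
    }


# Constructed sample result (not real CRXplorer output).
SAMPLE = {
    "extension_id": "a" * 32,
    "overall_risk_level": "High",
    "should_use": False,
    "categories": {n: {"justification": f"constructed note: {n}"} for n in CATEGORIES},
    "share_url": "https://example.invalid/share/constructed",
    "report_url": None,
}
```

An incomplete result (a missing category or link) is routed to review rather than allowed, so a truncated response never passes silently.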

Need help? Contact support@serval.com for assistance with your CRXplorer integration.