About CRXplorer
CRXplorer is a browser extension security analysis platform: it scans Chrome extensions and reports how risky they are to use. The Serval CRXplorer integration connects your team’s CRXplorer account so workflows can scan any Chrome extension, by extension ID or Chrome Web Store link, and act on the structured analysis that comes back: overall and per-category risk scores, a clear should-use recommendation, safety guidance, and store listing details. Authentication: A CRXplorer API token, pasted once by an admin. Serval stores it encrypted and attaches it to every CRXplorer request automatically. The token is only ever sent to one host for this integration: api.crxplorer.com. Data sync: On-demand only. There is no background sync, no webhooks, and no imported data. Serval contacts CRXplorer only when a workflow runs a scan or when the connection health checks run.What the CRXplorer integration enables
| Capability | Description |
|---|---|
| Scan an extension by ID or store link | Submit a raw Chrome extension ID or a full Chrome Web Store link and get back a structured security analysis. Scans can optionally include details such as extension version, browser type, hostname, and username. |
| Risk scoring and analysis | Every scan returns an overall score, an overall risk level, and per-category scores for permissions, content scripts, web accessible resources, content security policy, and externally connectable behavior, each with a written justification. |
| Usage recommendation and safety guidance | Each result includes a should-use recommendation with reasoning, a browser impact analysis (what data the extension can collect and how it can interact with the browser), and safety guidelines split into security, privacy, and usage lists. |
| Store listing details | Results carry the Chrome Web Store listing: extension name, total users, ratings, reviews, developer email, offered-by, latest version, last updated, size, and privacy policy text. |
| Cached or fresh scans with shareable results | Reuse CRXplorer’s cached results for speed, or force a fresh scan attributed to a specific hostname and username. Every result includes a shareable link and a downloadable report link. |
| Workflow access | Workflow builders run all of the above through the “CRXplorer API request” action. |
Get your credentials
You need an API token from your CRXplorer account. Tokens are created in the CRXplorer web app and are shown only once, so have a safe place ready to paste it.Log in to CRXplorer
Go to your CRXplorer account page and sign in.
Connect in Serval
Open the CRXplorer connect form
In Serval, open the connect form for CRXplorer. The dialog is titled “Configure CRXplorer”.
Paste your API token
Paste the token into the API Token field. The field is required (marked with an asterisk) and shows the helper text “Your CRXplorer API token for accessing the browser extension scanning API” underneath.
Serval does not test the token against CRXplorer when you connect. A mistyped or revoked token will still save successfully, so always run the health checks below right after connecting.
Verifying the connection
The integration ships four health checks. The first three reuse CRXplorer’s cached results where available; the last one runs a real scan each time.- Test CRXplorer API connectivity - scans the Google Translate extension using a cached result to confirm your token works. Success: “Successfully connected to CRXplorer API”. Failure: “Failed to connect to CRXplorer API: [error details]”.
- Scan Chrome extension by ID - scans the Adobe Acrobat extension by its ID and reads back the extension name and risk level. Success: “Successfully scanned extension by ID”. Failure: “Failed to scan extension: [error details]”.
- Scan extension by Chrome Web Store URL - scans Google Translate using its full Chrome Web Store link and reads back the extension name and overall score. Success: “Successfully scanned extension by URL”. Failure: “Failed to scan extension by URL: [error details]”.
- Force new scan of extension - triggers a fresh scan of the LastPass extension and reads back the shareable link, the report link, and the should-use recommendation. Success: “Successfully forced new scan”. Failure: “Failed to force new scan: [error details]”.
Gotchas and troubleshooting
The connection saved, but scans fail
The connection saved, but scans fail
Serval accepts whatever token you paste without verifying it against CRXplorer, so a wrong or revoked token only surfaces later, when health checks or workflow scans fail. Run “Test CRXplorer API connectivity” right after connecting, and reconnect with a freshly created token if it fails.
Unexpected LastPass scans in your CRXplorer logs
Unexpected LastPass scans in your CRXplorer logs
The “Force new scan of extension” health check triggers a fresh scan of the LastPass extension on every run, which may count against your CRXplorer account’s scan usage. These scans are attributed to hostname “test-workstation” and username “healthcheck-user”, so entries like that in your CRXplorer scan logs are expected.
There is no scan history to look up later
There is no scan history to look up later
CRXplorer’s API offers exactly one operation: run a scan. There is no way to list past scans or fetch an old result. If you will need a result later, have your workflow capture the shareable link and the report link from the response at scan time.
The saved token shows only its last 4 characters
The saved token shows only its last 4 characters
When you reopen the settings, the stored token appears as bullet characters plus its last 4 characters - the full value is never re-displayed. Use those trailing characters to confirm which token is on file. Saving the form without clicking Replace keeps the existing token, and even saving with the replacement field left blank keeps it - only a new non-empty value replaces the stored token.
Need help? Contact support@serval.com for assistance with your CRXplorer integration.

