# CRXplorer

> Scan Chrome extensions for security risks from Serval workflows using your team's CRXplorer account.

## About CRXplorer

CRXplorer is a browser extension security analysis platform: it scans Chrome extensions and reports how risky they are to use. The Serval CRXplorer integration connects your team's CRXplorer account so workflows can scan any Chrome extension, by extension ID or Chrome Web Store link, and act on the structured analysis that comes back: overall and per-category risk scores, a clear should-use recommendation, safety guidance, and store listing details.

**Authentication:** A CRXplorer API token, pasted once by an admin. Serval stores it encrypted and attaches it to every CRXplorer request automatically. The token is only ever sent to one host for this integration: api.crxplorer.com.

**Data sync:** On-demand only. There is no background sync, no webhooks, and no imported data. Serval contacts CRXplorer only when a workflow runs a scan or when the connection health checks run.

## What the CRXplorer integration enables

| Capability                                   | Description                                                                                                                                                                                                                                      |
| -------------------------------------------- | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------ |
| Scan an extension by ID or store link        | Submit a raw Chrome extension ID or a full Chrome Web Store link and get back a structured security analysis. Scans can optionally include details such as extension version, browser type, hostname, and username.                              |
| Risk scoring and analysis                    | Every scan returns an overall score, an overall risk level, and per-category scores for permissions, content scripts, web accessible resources, content security policy, and externally connectable behavior, each with a written justification. |
| Usage recommendation and safety guidance     | Each result includes a should-use recommendation with reasoning, a browser impact analysis (what data the extension can collect and how it can interact with the browser), and safety guidelines split into security, privacy, and usage lists.  |
| Store listing details                        | Results carry the Chrome Web Store listing: extension name, total users, ratings, reviews, developer email, offered-by, latest version, last updated, size, and privacy policy text.                                                             |
| Cached or fresh scans with shareable results | Reuse CRXplorer's cached results for speed, or force a fresh scan attributed to a specific hostname and username. Every result includes a shareable link and a downloadable report link.                                                         |
| Workflow access                              | Workflow builders run all of the above through the "CRXplorer API request" action.                                                                                                                                                               |

Anything defined in the CRXplorer API can be accessed through Serval.
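Because a scan accepts either a raw extension ID or a full Chrome Web Store link, a workflow can reduce both to one validated ID and reject look-alike hosts before it spends a scan. The helper below is an added example, not Serval or CRXplorer code; `normalize_extension_ref` and `SAMPLE_ID` are hypothetical names, the sample ID is constructed, and the URL shapes assumed are the public Chrome Web Store listing formats (`/detail/<slug>/<id>`, current and legacy host).

```python
import re
from urllib.parse import urlsplit

# Chrome extension IDs are 32 characters drawn from the letters a-p.
_EXT_ID = re.compile(r"[a-p]{32}")

# Hosts that serve Chrome Web Store listings (current and legacy).
_STORE_HOSTS = {"chromewebstore.google.com", "chrome.google.com"}

# Constructed sample ID for illustration; not a real extension.
SAMPLE_ID = "abcdefghijklmnopabcdefghijklmnop"


def normalize_extension_ref(value: str) -> str:
    """Return the 32-character extension ID for a raw ID or a store link.

    Raises ValueError for anything else, so the workflow can stop
    before submitting a scan for malformed or spoofed input.
    """
    value = value.strip()
    if _EXT_ID.fullmatch(value):
        return value

    parts = urlsplit(value)
    # parts.hostname ignores any userinfo, so "store-host@other-host"
    # style links resolve to the real host and are rejected here.
    if parts.scheme != "https" or parts.hostname not in _STORE_HOSTS:
        raise ValueError("not an extension ID or Chrome Web Store link")

    segments = [s for s in parts.path.split("/") if s]
    # The ID is the final path segment of a /detail/... listing URL.
    if "detail" not in segments[:-1]:
        raise ValueError("not a Chrome Web Store listing URL")
    candidate = segments[-1]
    if not _EXT_ID.fullmatch(candidate):
        raise ValueError("listing URL does not end in an extension ID")
    return candidate


if __name__ == "__main__":
    link = f"https://chromewebstore.google.com/detail/sample-extension/{SAMPLE_ID}?hl=en"
    print(normalize_extension_ref(link))
```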

## Get your credentials

You need an API token from your CRXplorer account. Tokens are created in the CRXplorer web app and are shown only once, so have a safe place ready to paste it.

<Steps>
  <Step title="Log in to CRXplorer">
    Go to your [CRXplorer account page](https://crxplorer.com/account) and sign in.
  </Step>

  <Step title="Create a token">
    Click **Create New Token**.
  </Step>

  <Step title="Copy the token immediately">
    Copy the generated API token right away and keep it somewhere safe until you have pasted it into Serval.
  </Step>
</Steps>

<Warning>
  The token is viewable only once, when it is created. If you close the dialog without copying it, create a new token.
</Warning>

## Connect in Serval

<Steps>
  <Step title="Open the CRXplorer connect form">
    In Serval, open the connect form for CRXplorer. The dialog is titled "Configure CRXplorer".
  </Step>

  <Step title="Paste your API token">
    Paste the token into the **API Token** field. The field is required (marked with an asterisk) and shows the helper text "Your CRXplorer API token for accessing the browser extension scanning API" underneath.
  </Step>

  <Step title="Save the connection">
    Click **Submit**. If saving fails, you will see "Failed to install integration" or "Failed to save configuration. Please try again." - check the token and retry.
  </Step>
</Steps>

<Note>
  Serval does not test the token against CRXplorer when you connect. A mistyped or revoked token will still save successfully, so always run the health checks below right after connecting.
</Note>

When you later reopen the connection settings, the saved token is displayed masked: bullet characters followed by its last 4 characters, with a **Replace** button beside it. You do not need to re-enter the token to save other changes - leaving the masked value alone keeps the saved token. To rotate the token, click **Replace**, paste the complete new token, and save. Success shows "CRXplorer updated"; if it fails, you will see "Failed to update integration".

## Verifying the connection

The integration ships four health checks. The first three reuse CRXplorer's cached results where available; the last one runs a real scan each time.

* **Test CRXplorer API connectivity** - scans the Google Translate extension using a cached result to confirm your token works. Success: "Successfully connected to CRXplorer API". Failure: "Failed to connect to CRXplorer API: \[error details]".
* **Scan Chrome extension by ID** - scans the Adobe Acrobat extension by its ID and reads back the extension name and risk level. Success: "Successfully scanned extension by ID". Failure: "Failed to scan extension: \[error details]".
* **Scan extension by Chrome Web Store URL** - scans Google Translate using its full Chrome Web Store link and reads back the extension name and overall score. Success: "Successfully scanned extension by URL". Failure: "Failed to scan extension by URL: \[error details]".
* **Force new scan of extension** - triggers a fresh scan of the LastPass extension and reads back the shareable link, the report link, and the should-use recommendation. Success: "Successfully forced new scan". Failure: "Failed to force new scan: \[error details]".

<Tip>
  If the first three checks pass but "Force new scan of extension" fails, look at your CRXplorer account first. It is the only check that consumes a real scan, so account-side limits can fail it while the cached-result checks stay green.
</Tip>

## Gotchas and troubleshooting

<AccordionGroup>
  <Accordion title="The connection saved, but scans fail">
    Serval accepts whatever token you paste without verifying it against CRXplorer, so a wrong or revoked token only surfaces later, when health checks or workflow scans fail. Run "Test CRXplorer API connectivity" right after connecting, and reconnect with a freshly created token if it fails.
  </Accordion>

  <Accordion title="Unexpected LastPass scans in your CRXplorer logs">
    The "Force new scan of extension" health check triggers a fresh scan of the LastPass extension on every run, which may count against your CRXplorer account's scan usage. These scans are attributed to hostname "test-workstation" and username "healthcheck-user", so entries like that in your CRXplorer scan logs are expected.
  </Accordion>

  <Accordion title="There is no scan history to look up later">
    CRXplorer's API offers exactly one operation: run a scan. There is no way to list past scans or fetch an old result. If you will need a result later, have your workflow capture the shareable link and the report link from the response at scan time.
  </Accordion>

  <Accordion title="The saved token shows only its last 4 characters">
    When you reopen the settings, the stored token appears as bullet characters plus its last 4 characters - the full value is never re-displayed. Use those trailing characters to confirm which token is on file. Saving the form without clicking **Replace** keeps the existing token, and even saving with the replacement field left blank keeps it - only a new non-empty value replaces the stored token.
  </Accordion>
</AccordionGroup>

***

Need help? Contact **[support@serval.com](mailto:support@serval.com)** for assistance with your CRXplorer integration.
