Privacy and local scanning

Privacy notes for the local Chrome extension ZIP scanner

Understand what the local scanner reads, what it does not upload, and which analytics data should never be collected.


Guide

What to check

Your ZIP stays in the browser

The scanner reads the selected ZIP with browser APIs and produces a local static report. It does not need an account, server upload, or Chrome Web Store login.

What the report uses

The report uses manifest.json, file references, extension pages, JavaScript text, CSP declarations, permissions, icon metadata, and package structure found inside the selected ZIP.

What analytics must not collect

Analytics should not send source code, manifest content, snippets, file names, file paths, package names, extension IDs, or ZIP contents. Only aggregate event counts and severity totals should be tracked.

Checklist

Action checklist

  • Do not upload source code.
  • Do not collect file paths or snippets in analytics.
  • Do not store ZIP contents.
  • Do not claim Chrome Web Store approval is guaranteed.
  • Use the scanner as a local preflight check, not a legal or official validation result.

Examples

Common cases this page helps with

Safe analytics event

scan_success with high_count, medium_count, low_count, and rules_version is acceptable because it is aggregate diagnostic data.

Unsafe analytics event

Sending manifest.json, source snippets, file names, or detected URLs would expose extension implementation details and should be avoided.
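
An added example, not the scanner's own code: an allowlist builder that enforces the safe and unsafe cases above, so an analytics payload can only carry the aggregate fields named on this page. The function names, the constructed sample findings, and the rules_version format are assumptions.

```javascript
const has = (o, k) => Object.prototype.hasOwnProperty.call(o, k);
// Severity totals must be non-negative integers, never strings.
const isCount = (v) => Number.isInteger(v) && v >= 0;
// Assumed version format (e.g. "1.4.0"); kept strict so a path, URL or
// snippet cannot be carried inside this field.
const isRulesVersion = (v) =>
  typeof v === "string" && /^\d{1,4}(\.\d{1,4}){0,3}$/.test(v);

// Allowlist: event name -> permitted fields and their validators.
const EVENT_SCHEMAS = {
  scan_success: {
    high_count: isCount,
    medium_count: isCount,
    low_count: isCount,
    rules_version: isRulesVersion,
  },
};

// Returns the payload to send, or throws if anything is outside the allowlist.
function buildAnalyticsEvent(name, data) {
  if (!has(EVENT_SCHEMAS, name)) throw new Error(`event not allowlisted: ${name}`);
  const schema = EVENT_SCHEMAS[name];
  for (const key of Object.keys(data)) {
    if (!has(schema, key)) throw new Error(`field not allowlisted: ${key}`);
  }
  const props = {};
  for (const [key, valid] of Object.entries(schema)) {
    if (!valid(data[key])) throw new Error(`invalid or missing value: ${key}`);
    props[key] = data[key];
  }
  return { event: name, props };
}

// Reduces findings to severity totals; file names and snippets are never copied.
function summarizeFindings(findings, rulesVersion) {
  const totals = { high_count: 0, medium_count: 0, low_count: 0 };
  for (const f of findings) {
    const key = `${f.severity}_count`;
    if (has(totals, key)) totals[key] += 1;
  }
  return buildAnalyticsEvent("scan_success", { ...totals, rules_version: rulesVersion });
}

// Constructed sample findings (hypothetical shape, for illustration only).
const sampleFindings = [
  { severity: "high", file: "background.js", snippet: "eval(input)" },
  { severity: "medium", file: "popup.html", snippet: "<script src=...>" },
  { severity: "medium", file: "manifest.json", snippet: "\"<all_urls>\"" },
];
```

Throwing on an unknown field, rather than silently dropping it, makes a leaky call site fail in development instead of shipping.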

User-facing trust copy

Your ZIP is read locally in this browser. The scanner does not upload your extension package.

FAQ

Frequently asked questions

Does the scanner upload my extension ZIP?

No. The intended product behavior is browser-only scanning. Your ZIP should be read locally to generate a static report.

Does the scanner store source code?

No. Do not add persistence or analytics that store source files, snippets, manifest contents, or package paths.

Is the scan an official approval result?

No. It is a local static preflight scan and cannot guarantee Chrome Web Store approval.
