Stats
Actions
Tags
From rad-chrome-extension
This skill should be used when working on Chrome extension permissions or Chrome Web Store compliance. Trigger when: declaring extension permissions, "manifest permissions", "activeTab vs tabs", "optional_permissions", "host_permissions", "Chrome Web Store rejection", "permission minimization", "over-permissioning", "CWS review", "Purple Potassium", "extension permission audit", "narrowest permission", "permission warnings", "chrome.permissions.request", "permission justification".
How this skill is triggered — by the user, by Claude, or both
Slash command
/rad-chrome-extension:chrome-ext-permissionsThe summary Claude sees in its skill listing — used to decide when to auto-load this skill
The principle of least privilege governs all permission decisions. Request only what the extension actively uses today — never future-proof permissions. Approximately 70% of submitted extensions over-request permissions. Over-permissioning triggers CWS rejections, alarming install warnings, and longer review cycles.
The principle of least privilege governs all permission decisions. Request only what the extension actively uses today — never future-proof permissions. Approximately 70% of submitted extensions over-request permissions. Over-permissioning triggers CWS rejections, alarming install warnings, and longer review cycles.
| Need | Use | Why |
|---|---|---|
| Temporary access after user click | activeTab | No install warning, minimal scope |
| Read URL/title of tabs without host access | tabs | Required for tab.url, tab.title, tab.favIconUrl |
| Persistent access to specific sites | host_permissions: ["https://example.com/*"] | Narrow host pattern |
| Access to all sites | host_permissions: ["<all_urls>"] | Last resort — triggers 3x rejection rate |
activeTab grants temporary access to the currently focused tab only after the user explicitly invokes the extension. It requires no install warning. Always prefer it over broad alternatives.
| Misconception | Reality |
|---|---|
"Need tabs to use chrome.tabs API" | Most chrome.tabs methods work without the permission |
"Need storage for localStorage" | storage is only for chrome.storage API, not web storage |
"Need cookies for document.cookie" | cookies permission is only for chrome.cookies API |
"Need <all_urls> to work on any site" | activeTab + user action covers most use cases |
Move non-core features to optional permissions. Request at runtime when the feature is activated:
// Request permission when user enables a feature
async function enableAdvancedFeature() {
const granted = await chrome.permissions.request({
permissions: ['bookmarks'],
origins: ['https://api.example.com/*'],
});
if (granted) {
// Permission granted — enable feature
} else {
// Permission denied — show explanation
}
}
Benefits:
Declare in host_permissions array (MV3), not in permissions:
{
"host_permissions": [
"https://api.example.com/*",
"https://cdn.example.com/*"
]
}
Rules:
https:// over *://<all_urls> unless absolutely requiredoptional_host_permissionsBefore every CWS submission:
chrome.* API call — verify each has a matching permission.crx build to verify exact install warning dialogs| Code | Name | Trigger |
|---|---|---|
| Purple Potassium | Excessive Permissions | Unused or overly broad permissions |
| Purple Lithium | User Data Privacy | Missing privacy policy, insecure data handling |
| Purple Copper | Data Transmission | Sensitive data via HTTP or in URL params |
Warning: Adding permissions that trigger install warnings will temporarily disable the extension for existing users until they accept the new terms.
references/permission-guide.md — Detailed permission-by-permission reference and narrowing strategiesreferences/cws-rejection-codes.md — Complete CWS rejection code taxonomy with prevention strategiesnpx claudepluginhub radorigin-llc/rad-claude-skills --plugin rad-chrome-extensionProvides CDSS development patterns for drug interaction checking, dose validation, clinical scoring (NEWS2, qSOFA), and alert classification integrated into EMR workflows.