- Reads claude.ai API responses to display token counts and usage bars
- Intercepts `fetch` calls made by claude.ai pages — only within `https://claude.ai`
- Stores caveman mode preferences in `sessionStorage` (tab-local, cleared on close)
- Reads the `lastActiveOrg` cookie — only to query `/api/organizations/{id}/usage`
- Sends any data to external servers
- Phones home or tracks anything
- Reads files from your disk
- Accesses other websites or tabs
- Logs or stores conversation content
| Permission | Why |
|---|---|
| `activeTab` | Inject scripts into claude.ai only |
| `scripting` | Popup communicates caveman state with active tab |
No storage, no cookies, no history, no broad host permissions.
The extension declares `web_accessible_resources` restricted to `https://claude.ai/*`.
The injected bridge script posts messages only to `window.location.origin` (not `'*'`).
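
The origin pinning described above, paired with the matching check on the receiving side, as an added example that is not the extension's own code. The names `BRIDGE_TAG`, `postToBridge`, `makeBridgeListener` and the `{ caveman: ... }` payload are hypothetical, and `makeFakeWindow` is a constructed stand-in for a browser window so the example runs outside a browser.

```javascript
const BRIDGE_TAG = 'caveman-bridge'; // hypothetical message tag, not from the extension

// Sender: pin targetOrigin to the page's own origin instead of '*'.
function postToBridge(win, payload) {
  win.postMessage({ tag: BRIDGE_TAG, payload }, win.location.origin);
}

// Receiver: accept only tagged messages from this same window and origin.
function makeBridgeListener(win, onMessage) {
  return function (event) {
    if (event.source !== win) return false;                 // iframe or other window
    if (event.origin !== win.location.origin) return false; // foreign origin
    const data = event.data;
    if (!data || typeof data !== 'object' || data.tag !== BRIDGE_TAG) return false;
    onMessage(data.payload);
    return true;
  };
}

// Constructed stand-in for a browser window (assumption: models only
// targetOrigin matching and message-event dispatch).
function makeFakeWindow(origin) {
  const listeners = [];
  const win = {
    location: { origin },
    addEventListener(type, fn) { if (type === 'message') listeners.push(fn); },
    postMessage(data, targetOrigin) {
      // A browser drops the message when targetOrigin does not match.
      if (targetOrigin !== '*' && targetOrigin !== origin) return;
      win.deliver({ data, origin, source: win });
    },
    deliver(event) { return listeners.map((fn) => fn(event)); },
  };
  return win;
}

function demo() {
  const win = makeFakeWindow('https://claude.ai');
  const received = [];
  win.addEventListener('message', makeBridgeListener(win, (p) => received.push(p)));
  postToBridge(win, { caveman: true }); // same window, same origin: accepted
  // Constructed message from a different origin and window: rejected.
  win.deliver({ data: { tag: BRIDGE_TAG, payload: { caveman: false } },
                origin: 'https://other.example', source: {} });
  // Same origin but not a bridge message: rejected.
  win.deliver({ data: 'unrelated', origin: 'https://claude.ai', source: win });
  return received;
}
```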
Open an issue or email the maintainer privately. Please do not post security issues publicly until a fix is available.